Help in incorporating PKINIT

sasikumar bodathula sasikumar.b at
Tue May 21 03:19:23 EDT 2013

  Starting a new e-mail since I felt that the old e-mail contained too much info (not a clear one).

I am using the MIT Kerberos client APIs to develop a Kerberos client for a system.

1. Use a custom-named conf file for storing the realm, libdefaults, etc. Once the information is written, this file is set in the
    environment using KRB5_CONF.

2. Now incorporating PKINIT support into our Kerberos client. The following steps were followed.
    a) Created certificates as mentioned on the MIT site
    b) The following entries were placed in the conf file


[realms]
  <REALM> = {
    kdc = <ipaddress>:88
    pkinit_anchors = FILE:/<path>/certif/cacert.pem
    pkinit_identity = FILE:/<path>/certif/client.pem,/<path>/certif/clientkey.pem
  }

The corresponding APIs are invoked:
krb5_get_init_creds_opt_alloc: for credential option allocation
krb5_get_init_creds_opt_set_pa: for setting X509_anchors to FILE:/<path>/cert/cacert.pem
krb5_get_init_creds_opt_set_pa: for setting X509_user_identity to FILE:/<path>/certif/client.pem,/<path>/certif/clientkey.pem
krb5_get_init_creds_opt_set_pa: for setting "flag_RSA_PROTOCOL" to "yes"

Now during testing

1. AS_REQ goes from the client to the KDC, and the KDC replies with KRB5KDC_ERR_PREAUTH_REQUIRED
2. The next AS_REQ from the client to the KDC goes with padata as PA-ENC-TIMESTAMP (not PA-DASS with the certificate value, as expected)

When the same was tested with the kinit command line, the second AS_REQ carried padata as PA-DASS with certificate values. Please guide me if I am missing something in the API usage.

Best Regards,