krb5-1.12.1, pkinit, and openssl ca

Greg Hudson ghudson at MIT.EDU
Sun Jun 1 10:46:54 EDT 2014


On 05/31/2014 12:13 PM, squidmobile at fastmail.fm wrote:
> as you can see, the expected kdc extensions appeared in the output
> certificate, but they contained no data or invalid data.

Are you judging that by the following output?

>             X509v3 Subject Alternative Name:
>                 othername:<unsupported>

I see the same thing in test KDC certificates.  It just means that
OpenSSL doesn't know how to display that type of SAN.

[From your first message:]
> this covers almost all if could find about the mapping file:
> 
>   pkinit_mapping_file
> 
>     Specifies the name of the ACL pkinit mapping file. This file
>     maps principals to the certificates that they can use.

As it turns out, there is no mapping file support.  All the code does is
read the filename into a structure field and ignore it.  I've submitted
a pull request to eliminate the skeleton of this feature so it doesn't
confuse anyone else.
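[Editor's note, not part of the thread: the `othername:<unsupported>` line above hides the one thing worth checking in a PKINIT KDC certificate, namely that the SAN otherName carries id-pkinit-san (OID 1.3.6.1.5.2.2) wrapping a KRB5PrincipalName for krbtgt/REALM@REALM as RFC 4556 section 3.2.4 specifies. The following added example, written for this note and not taken from krb5 or OpenSSL, encodes that otherName by hand and decodes it back, so that the raw bytes `openssl asn1parse -strparse` dumps for the SAN can be checked against the expected principal. The realm EXAMPLE.COM and the helper names are constructed for the example.]

```python
"""Encode/decode the PKINIT KDC SAN otherName (id-pkinit-san) by hand.

Structure (RFC 4556 3.2.4), all DER:
  OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
  KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
  PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
Realm and KerberosString are GeneralString (tag 0x1b).
"""

ID_PKINIT_SAN = bytes([0x2B, 0x06, 0x01, 0x05, 0x02, 0x02])  # OID 1.3.6.1.5.2.2
NT_SRV_INST = 2  # Kerberos name-type used for krbtgt/REALM


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _integer(n):
    # Minimal two's-complement encoding, as DER requires
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _kerberos_string(s):
    return _tlv(0x1B, s.encode("ascii"))  # GeneralString


def encode_pkinit_san(realm, name_parts, name_type=NT_SRV_INST):
    """Return the DER OtherName that belongs in the KDC certificate's SAN."""
    principal_name = _tlv(0x30,
        _tlv(0xA0, _integer(name_type)) +
        _tlv(0xA1, _tlv(0x30, b"".join(_kerberos_string(p) for p in name_parts))))
    krb5_principal_name = _tlv(0x30,
        _tlv(0xA0, _kerberos_string(realm)) +
        _tlv(0xA1, principal_name))
    return _tlv(0x30, _tlv(0x06, ID_PKINIT_SAN) + _tlv(0xA0, krb5_principal_name))


def _parse_tlv(data, pos=0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _parse_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_pkinit_san(der):
    """Parse an OtherName; return (realm, name_type, name_parts) or raise ValueError."""
    tag, body, _ = _parse_tlv(der)
    if tag != 0x30:
        raise ValueError("OtherName is not a SEQUENCE")
    (oid_tag, oid), (val_tag, val) = _children(body)
    if oid_tag != 0x06 or oid != ID_PKINIT_SAN:
        raise ValueError("otherName type-id is not id-pkinit-san")
    if val_tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT value")
    _, kpn, _ = _parse_tlv(val)                      # KRB5PrincipalName SEQUENCE
    (_, realm_body), (_, pn_body) = _children(kpn)   # [0] realm, [1] principalName
    realm = _parse_tlv(realm_body)[1].decode("ascii")
    _, pn_seq, _ = _parse_tlv(pn_body)               # PrincipalName SEQUENCE
    (_, nt_body), (_, ns_body) = _children(pn_seq)   # [0] name-type, [1] name-string
    name_type = int.from_bytes(_parse_tlv(nt_body)[1], "big", signed=True)
    _, ns_seq, _ = _parse_tlv(ns_body)
    parts = [b.decode("ascii") for _, b in _children(ns_seq)]
    return realm, name_type, parts


def principal_string(realm, name_parts):
    """Render the decoded name the way kadmin/klist print it."""
    return "/".join(name_parts) + "@" + realm


if __name__ == "__main__":
    san = encode_pkinit_san("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])
    print(san.hex())
    realm, ntype, parts = decode_pkinit_san(san)
    print(principal_string(realm, parts), "name-type", ntype)
```

To check a real certificate, take the hex that `openssl asn1parse -in kdc.pem -strparse <offset of the SAN extension>` prints for the otherName, feed it to decode_pkinit_san, and compare the result with the KDC's krbtgt principal; a mismatched realm or a name-type other than 2 is the kind of error that OpenSSL's `<unsupported>` display would otherwise conceal.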

