krb5-1.12.1, pkinit, and openssl ca
Greg Hudson
ghudson at MIT.EDU
Sun Jun 1 10:46:54 EDT 2014
On 05/31/2014 12:13 PM, squidmobile at fastmail.fm wrote:
> as you can see, the expected kdc extensions appeared in the output
> certificate, but they contained no data or invalid data.
Are you judging that by the following output?
> X509v3 Subject Alternative Name:
> othername:<unsupported>
I see the same thing in test KDC certificates. It just means that
OpenSSL doesn't know how to display that type of SAN.
[From your first message:]
> this covers almost all if could find about the mapping file:
>
> pkinit_mapping_file
>
> Specifies the name of the ACL pkinit mapping file. This file
> maps principals to the certificates that they can use.
As it turns out, there is no mapping file support. All the code does is
read the filename into a structure field and ignore it. I've submitted
a pull request to eliminate the skeleton of this feature so it doesn't
confuse anyone else.
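[Added example, not part of this thread nor of the krb5 or OpenSSL code.] The otherName that OpenSSL prints as "<unsupported>" is id-pkinit-san (OID 1.3.6.1.5.2.2), whose value is a DER-encoded KRB5PrincipalName as defined in RFC 4556; for a KDC certificate it should name krbtgt/REALM@REALM. The script below builds a sample SAN for the constructed principal krbtgt/EXAMPLE.COM@EXAMPLE.COM and then decodes it with a minimal DER walker, so you can check what is actually inside the extension rather than trusting the "<unsupported>" line. All function names are my own.

```python
"""Encode and decode the PKINIT KDC SAN (id-pkinit-san, RFC 4556 section 3.2.4).

Added example: a minimal DER encoder/decoder, not the krb5 or OpenSSL code.
The sample principal below is constructed data.
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san
NT_SRV_INST = 2                   # RFC 4120 name-type used for krbtgt/REALM


# ---- DER encoding (short and long definite lengths) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def encode_int(n):
    # Non-negative INTEGER; extra leading zero byte if the high bit is set.
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def kerberos_string(s):
    return der(0x1B, s.encode("ascii"))   # KerberosString is a GeneralString


def encode_krb5_principal_name(realm, name_type, components):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    principal = der(0x30, der(0xA0, encode_int(name_type))
                    + der(0xA1, der(0x30, b"".join(kerberos_string(c) for c in components))))
    return der(0x30, der(0xA0, kerberos_string(realm)) + der(0xA1, principal))


def encode_pkinit_othername(realm, name_type, components):
    # GeneralName.otherName is [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT ANY }
    other = der(0x06, encode_oid(ID_PKINIT_SAN)) + der(0xA0, encode_krb5_principal_name(realm, name_type, components))
    return der(0xA0, other)


def encode_pkinit_san(realm, name_type, components):
    # subjectAltName extension value: GeneralNames ::= SEQUENCE OF GeneralName
    return der(0x30, encode_pkinit_othername(realm, name_type, components))


# ---- DER decoding ----
def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = parse_tlv(buf, pos)
        out.append((tag, value))
    return out


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _expect(tag, value, want):
    if tag != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    return value


def decode_krb5_principal_name(blob):
    tag, body, _ = parse_tlv(blob)
    fields = dict(parse_children(_expect(tag, body, 0x30)))
    rtag, rbody, _ = parse_tlv(fields[0xA0])
    realm = _expect(rtag, rbody, 0x1B).decode("ascii")
    ptag, pbody, _ = parse_tlv(fields[0xA1])
    pfields = dict(parse_children(_expect(ptag, pbody, 0x30)))
    itag, ibody, _ = parse_tlv(pfields[0xA0])
    name_type = int.from_bytes(_expect(itag, ibody, 0x02), "big", signed=True)
    stag, sbody, _ = parse_tlv(pfields[0xA1])
    components = [_expect(t, v, 0x1B).decode("ascii")
                  for t, v in parse_children(_expect(stag, sbody, 0x30))]
    return {"realm": realm, "name_type": name_type, "components": components}


def principal_string(info):
    return "/".join(info["components"]) + "@" + info["realm"]


def decode_san(ext_value):
    """Walk a subjectAltName value; fully decode id-pkinit-san, pass others through."""
    tag, body, _ = parse_tlv(ext_value)
    results = []
    for gtag, gval in parse_children(_expect(tag, body, 0x30)):
        if gtag != 0xA0:                       # e.g. 0x82 dNSName: not an otherName
            results.append(("general-name", gtag, gval))
            continue
        (otag, obody), (vtag, vbody) = parse_children(gval)
        oid = decode_oid(_expect(otag, obody, 0x06))
        if oid == ID_PKINIT_SAN:
            results.append(("pkinit", decode_krb5_principal_name(_expect(vtag, vbody, 0xA0))))
        else:
            results.append(("othername", oid, vbody))
    return results


if __name__ == "__main__":
    san = encode_pkinit_san("EXAMPLE.COM", NT_SRV_INST, ["krbtgt", "EXAMPLE.COM"])
    print(san.hex())
    for entry in decode_san(san):
        print(entry if entry[0] != "pkinit" else principal_string(entry[1]))
```

To apply this to a real certificate, hand decode_krb5_principal_name the DER bytes of the otherName value (what a library such as python-cryptography exposes as OtherName.value), or hand decode_san the raw extension value. The thing to check is that the decoded name is exactly krbtgt/REALM@REALM for the realm the KDC serves; an empty or mistyped realm in that field is what "no data or invalid data" would actually look like, and OpenSSL's "<unsupported>" tells you nothing either way.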