krb5-1.12.1, pkinit, and openssl ca

squidmobile@fastmail.fm squidmobile at fastmail.fm
Fri Jun 6 14:30:10 EDT 2014


06 jun 2014

greetings,

>> as you can see, the expected kdc extensions appeared in the output
>> certificate, but they contained no data or invalid data.

>Are you judging that by the following output?

>>             X509v3 Subject Alternative Name:
>>                 othername:<unsupported>

>I see the same thing in test KDC certificates.  It just means that
>OpenSSL doesn't know how to display that type of SAN.

oh.  considering all the specs in the extensions file, i expected
to see the text version of my realm name and/or principal name.  it
threw me when i saw <EMPTY> and <unsupported> for the X509v3 Issuer
Alternative Name and X509v3 Subject Alternative Name.

thank you for the data.  i'll try to create and use certificates,
and see how krb5 reacts to them in use.

>>   pkinit_mapping_file
>> 
>>     Specifies the name of the ACL pkinit mapping file. This file
>>     maps principals to the certificates that they can use.

>As it turns out, there is no mapping file support.  All the code does is
>read the filename into a structure field and ignore it.  I've submitted
>a pull request to eliminate the skeleton of this feature so it doesn't
>confuse anyone else.

*rofl'ing*  trust me to try to use a feature nobody else wanted.  i
thought it might be a fallback solution to my issue with principal
recognition, especially if i somehow garbled my openssl
certificates.

if i remember correctly, i may be back with additional data and
issues with krb5 and pkinit, but i need to recheck my tests.

thank you for your time and assistance.
frank smith

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow
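The `othername:<unsupported>` line discussed above is what `openssl x509 -text` prints when a SAN carries an otherName whose type it has no printer for; in a KDC certificate that otherName is id-pkinit-san (OID 1.3.6.1.5.2.2) wrapping a KRB5PrincipalName, as defined in RFC 4556. The following is an added example, not code from this thread or from MIT krb5: a small pure-Python DER encoder and decoder for that structure, with a constructed sample SAN for the realm EXAMPLE.COM, so the contents of the extension can be checked directly rather than inferred from OpenSSL's text output. The sample values, the function names and the simplified single-byte-tag DER parser are assumptions of this example.

```python
# Added example (not from the mailing-list thread or from krb5): decode the
# PKINIT otherName SAN that `openssl x509 -text` prints as "othername:<unsupported>".
# Pure Python, single-byte-tag DER only; the sample SAN below is constructed here.

# Content octets of id-pkinit-san, OID 1.3.6.1.5.2.2 (RFC 4556 section 3.2.2)
ID_PKINIT_SAN_DER = bytes.fromhex("2b0601050202")

TAG_INTEGER, TAG_OID, TAG_GENERALSTRING, TAG_SEQUENCE = 0x02, 0x06, 0x1B, 0x30

def ctx(n):
    """Constructed context-specific tag [n], as used for EXPLICIT tagging."""
    return 0xA0 | n

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos + hdr:end], end

def iter_tlvs(data):
    pos = 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        yield tag, value

def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02X}, got 0x{tag:02X}")

def encode_krb5_principal_name(realm, name_type, name_string):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    nt = tlv(TAG_INTEGER, name_type.to_bytes(1, "big", signed=True))  # small name types only
    ns = tlv(TAG_SEQUENCE, b"".join(tlv(TAG_GENERALSTRING, s.encode("ascii")) for s in name_string))
    principal = tlv(TAG_SEQUENCE, tlv(ctx(0), nt) + tlv(ctx(1), ns))
    realm_tlv = tlv(TAG_GENERALSTRING, realm.encode("ascii"))
    return tlv(TAG_SEQUENCE, tlv(ctx(0), realm_tlv) + tlv(ctx(1), principal))

def encode_pkinit_san(realm, name_type, name_string, type_id=ID_PKINIT_SAN_DER):
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    inner = encode_krb5_principal_name(realm, name_type, name_string)
    return tlv(ctx(0), tlv(TAG_OID, type_id) + tlv(ctx(0), inner))

def decode_krb5_principal_name(der):
    """Return (realm, name_type, [name components]) from a DER KRB5PrincipalName."""
    tag, body, end = read_tlv(der)
    expect(tag, TAG_SEQUENCE, "KRB5PrincipalName")
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    fields = list(iter_tlvs(body))
    if [t for t, _ in fields] != [ctx(0), ctx(1)]:
        raise ValueError("KRB5PrincipalName needs exactly [0] realm and [1] principalName")
    rtag, realm, _ = read_tlv(fields[0][1])
    expect(rtag, TAG_GENERALSTRING, "realm")
    ptag, principal, _ = read_tlv(fields[1][1])
    expect(ptag, TAG_SEQUENCE, "PrincipalName")
    pf = list(iter_tlvs(principal))
    if [t for t, _ in pf] != [ctx(0), ctx(1)]:
        raise ValueError("PrincipalName needs exactly [0] name-type and [1] name-string")
    ntag, nt, _ = read_tlv(pf[0][1])
    expect(ntag, TAG_INTEGER, "name-type")
    stag, ns, _ = read_tlv(pf[1][1])
    expect(stag, TAG_SEQUENCE, "name-string")
    names = []
    for t, v in iter_tlvs(ns):
        expect(t, TAG_GENERALSTRING, "KerberosString")
        names.append(v.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), names

def decode_pkinit_san(othername_der):
    """Return ('component/component@REALM', name_type) for an id-pkinit-san otherName."""
    tag, body, _ = read_tlv(othername_der)
    expect(tag, ctx(0), "otherName")
    otag, oid_raw, pos = read_tlv(body)
    expect(otag, TAG_OID, "type-id")
    if oid_raw != ID_PKINIT_SAN_DER:
        raise ValueError(f"otherName type-id {oid_raw.hex()} is not id-pkinit-san")
    vtag, value, _ = read_tlv(body, pos)
    expect(vtag, ctx(0), "otherName value")
    realm, name_type, names = decode_krb5_principal_name(value)
    return "/".join(names) + "@" + realm, name_type

# Constructed sample: the SAN a KDC certificate for realm EXAMPLE.COM should carry
# (name-type 2 = NT-SRV-INST, principal krbtgt/EXAMPLE.COM@EXAMPLE.COM).
SAMPLE_KDC_SAN = encode_pkinit_san("EXAMPLE.COM", 2, ["krbtgt", "EXAMPLE.COM"])

if __name__ == "__main__":
    print(SAMPLE_KDC_SAN.hex())
    print(decode_pkinit_san(SAMPLE_KDC_SAN))
```

To apply this to a real certificate, dump the SAN extension with `openssl asn1parse` (which prints the raw structure regardless of OID) or pull the otherName out with any X.509 library; `decode_pkinit_san` takes the whole otherName GeneralName, while `decode_krb5_principal_name` takes just the value inside its `[0] EXPLICIT` wrapper, which is what libraries that already split off the type OID usually hand back. A certificate whose SAN decodes to a different OID, a non-GeneralString realm, or a principal that does not match `krbtgt/REALM@REALM` is the kind of defect that OpenSSL's `<unsupported>` output would hide.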
