krb5-1.12.1, pkinit, and openssl ca

Greg Hudson ghudson at MIT.EDU
Mon Jun 9 23:55:37 EDT 2014


On 06/08/2014 06:35 PM, squidmobile at fastmail.fm wrote:
> KRB5_TRACE=/dev/stdout kinit  \
>   -X X509_user_identity=DIR:/home/test/.krb5.id my/principal

I think I know why this is.  When you created the client certificate,
you presumably set the environment variable CLIENT to "my/principal".
OpenSSL does not recognize the / as a principal component separator, so
it created a principal SAN with one component containing "my/principal",
instead of two components "my" and "principal".

If you look at extensions.kdc, you can see how its [kdc_principals]
section creates two components in its principal SAN.  Following the same
pattern, you could create an extensions.client2 which ends with:

    [principals]
    princ1=GeneralString:${ENV::CLIENT1}
    princ2=GeneralString:${ENV::CLIENT2}

and then set CLIENT1 to "my" and CLIENT2 to "principal".

I have filed an issue noting that we should discuss this in the PKINIT
documentation.  (Really, we should have better tools for creating and
examining PKINIT X.509 certificates; it's just a matter of resources.)

> i originally made my private key require a password.  that seemed
> to make the kinit process fail with a message

Password-protected keys should work via a password prompt from kinit.
(I haven't personally tried this, but it's covered by our automated
tests.)  After you have solved the other issues, you might try
reintroducing the password.
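As an added illustration (not code from this post or from MIT krb5), the following pure-Python encoder/decoder handles the KRB5PrincipalName structure that PKINIT stores in the id-pkinit-san otherName (RFC 4556 section 3.2.2). It makes the point above concrete: setting CLIENT to "my/principal" yields one GeneralString component containing a slash, while CLIENT1/CLIENT2 yield two components, and only the latter matches the principal "my/principal" the KDC compares against. The realm EXAMPLE.COM and the two sample names are constructed inputs; the `unparse` helper escapes slashes inside components the way krb5's unparse routine does, so the two names print differently.

```python
# Added example, not code from the mailing-list post or from MIT krb5.
# Minimal DER codec for the KRB5PrincipalName carried in the PKINIT SAN:
#
#   KRB5PrincipalName ::= SEQUENCE {
#       realm          [0] Realm,            -- GeneralString
#       principalName  [1] PrincipalName }
#   PrincipalName     ::= SEQUENCE {
#       name-type      [0] Int32,
#       name-string    [1] SEQUENCE OF KerberosString }

SEQUENCE, INTEGER, GENERAL_STRING = 0x30, 0x02, 0x1B
CTX0, CTX1 = 0xA0, 0xA1  # explicit context tags [0] and [1]


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_krb5_principal_name(realm, components, name_type=1):
    """Build DER for KRB5PrincipalName; name_type 1 is NT-PRINCIPAL."""
    if not 0 <= name_type <= 127:
        raise ValueError("example encoder handles single-byte name types only")
    name_string = _tlv(SEQUENCE, b"".join(
        _tlv(GENERAL_STRING, c.encode()) for c in components))
    principal = _tlv(SEQUENCE,
                     _tlv(CTX0, _tlv(INTEGER, bytes([name_type])))
                     + _tlv(CTX1, name_string))
    return _tlv(SEQUENCE,
                _tlv(CTX0, _tlv(GENERAL_STRING, realm.encode()))
                + _tlv(CTX1, principal))


def _children(body):
    """Split a DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        if pos + length > len(body):
            raise ValueError("DER length runs past end of buffer")
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def _only(body, tag):
    """Return the single child of body, which must carry the given tag."""
    kids = _children(body)
    if len(kids) != 1 or kids[0][0] != tag:
        raise ValueError(f"expected one element with tag 0x{tag:02X}")
    return kids[0][1]


def decode_krb5_principal_name(der):
    """Return (realm, name_type, [components]) from a DER KRB5PrincipalName."""
    outer = dict(_children(_only(der, SEQUENCE)))
    realm = _only(outer[CTX0], GENERAL_STRING).decode()
    princ = dict(_children(_only(outer[CTX1], SEQUENCE)))
    name_type = int.from_bytes(_only(princ[CTX0], INTEGER), "big", signed=True)
    comps = [v.decode() for t, v in _children(_only(princ[CTX1], SEQUENCE))
             if t == GENERAL_STRING]
    return realm, name_type, comps


def unparse(realm, components):
    """Render name@realm, escaping / @ and backslash inside components."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in components) + "@" + realm


def san_matches(der, realm, components):
    """True only when realm and the exact component list match."""
    r, _, c = decode_krb5_principal_name(der)
    return r == realm and c == list(components)


if __name__ == "__main__":
    # Constructed sample input: what CLIENT=my/principal produces versus
    # what CLIENT1=my CLIENT2=principal produces.
    one = encode_krb5_principal_name("EXAMPLE.COM", ["my/principal"])
    two = encode_krb5_principal_name("EXAMPLE.COM", ["my", "principal"])
    for der in (one, two):
        realm, _, comps = decode_krb5_principal_name(der)
        print(len(comps), "component(s):", unparse(realm, comps),
              "matches my/principal:", san_matches(der, "EXAMPLE.COM", ["my", "principal"]))
```

Running it prints the one-component name as my\/principal@EXAMPLE.COM and the two-component name as my/principal@EXAMPLE.COM; only the second satisfies the match, which is the mismatch kinit runs into when the certificate was generated with a single CLIENT variable.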