PKINIT certificate creation with GnuTLS' certtool
Rick van Rein
rick at openfortress.nl
Fri Jan 8 18:59:08 EST 2016
Hello,
I have reported a feature request with GnuTLS, suggesting it to support
PKINIT certificate generation with certtool,
https://gitlab.com/gnutls/gnutls/issues/62
Nikos Mavrogiannopoulos is graciously helping out, and has created a
proposed commit,
https://gitlab.com/gnutls/gnutls/commits/krb5
I have been comparing his work with the instructions for OpenSSL,
http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html
A few questions that this presented:
1.
kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should
this not be NT-SRV-INST [Section 6.2 of RFC4120] or does PKINIT not
care in practice? (The spec does not, but how about implementations?)
2.
principals contains a single GeneralString holding ${ENV::CLIENT} —
AFAIK this is hardcoded to only cover rick@ but not rick/admin@ right?
FWIW, what Nikos has created is configured in a template file as
krb5_principal = rick at OPENFORTRESS.NL
-or-
krb5_principal = krbtgt/OPENFORTRESS.NL at OPENFORTRESS.NL
and it has the logic to translate that into the structures that we now
have to hand-code in openssl.conf — so there is going to be a generous
step forward if this enters mainstream with GnuTLS 3.5.0 :-)
Anyone who wants to give certtool a try in an existing PKINIT
infrastructure is /very/ welcome; I am not able to do that, and am
comparing the OpenSSL and GnuTLS certificates.
Ciao,
-Rick
More information about the Kerberos
mailing list