PKINIT certificate creation with GnuTLS' certtool

Greg Hudson ghudson at mit.edu
Fri Jan 8 19:08:32 EST 2016


On 01/08/2016 06:59 PM, Rick van Rein wrote:
>     kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should
>     this not be NT-SRV-INST [Section 6.2 of RFC4120] or does PKINIT not
>     care in practice? (The spec does not, but how about implementations?)

I don't think any implementations care; ours certainly does not.  But I
agree that a name_type of 2 would be more appropriate.

>     principals contains a single GeneralString holding ${ENV::CLIENT} —
>     AFAIK this is hardcoded to only cover rick@ but not rick/admin@ right?

Yes; the config section has to be modified to handle a two-component
principal name.
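The two points above (the `name-type` value and the multi-component `name-string`) are both properties of the `KRB5PrincipalName` structure that PKINIT places in the certificate's subjectAltName as an `otherName` of type `id-pkinit-san` (RFC 4556, section 3.2.2). The following is an added example, not code from this thread, from MIT krb5 or from GnuTLS: a dependency-free DER encoder and decoder for that structure, so that a certificate template's output can be checked for the right name-type and for every principal component. Function names, the constructed principals `rick@EXAMPLE.COM` and `rick/admin@EXAMPLE.COM`, and the `EXAMPLE.COM` realm are assumptions for illustration.

```python
"""Encode and decode the PKINIT KRB5PrincipalName SAN value (RFC 4556 3.2.2).

    KRB5PrincipalName ::= SEQUENCE {
        realm         [0] Realm,            -- KerberosString (GeneralString)
        principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE {
        name-type   [0] Int32,
        name-string [1] SEQUENCE OF KerberosString }

Example code; not part of any project. Tag bytes follow plain DER.
"""

# otherName type-id under which this structure goes into the SAN (RFC 4556)
ID_PKINIT_SAN = "1.3.6.1.5.2.2"
NT_PRINCIPAL = 1   # name-type for ordinary client principals (RFC 4120 6.2)
NT_SRV_INST = 2    # name-type for service instances such as krbtgt/REALM


def _length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def _general_string(s):
    return _tlv(0x1B, s.encode("ascii"))         # KerberosString


def _integer(n):
    body = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x02, body)


def _ctx(n, content):
    return _tlv(0xA0 | n, content)               # [n] EXPLICIT, constructed


def _sequence(content):
    return _tlv(0x30, content)


def encode_krb5_principal_name(principal, name_type=NT_PRINCIPAL):
    """DER-encode 'comp1/comp2@REALM' as a KRB5PrincipalName.

    Every '/'-separated component becomes its own GeneralString, so a
    two-component name like rick/admin@REALM is covered, not just rick@REALM.
    (Backslash escapes in principal names are not interpreted here.)
    """
    if "@" not in principal:
        raise ValueError("principal must carry an explicit @REALM")
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    name_string = _sequence(b"".join(_general_string(c) for c in components))
    principal_name = _sequence(_ctx(0, _integer(name_type)) + _ctx(1, name_string))
    return _sequence(_ctx(0, _general_string(realm)) + _ctx(1, principal_name))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    t, content, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at {pos}, got 0x{t:02x}")
    return content, end


def decode_krb5_principal_name(der):
    """Parse a KRB5PrincipalName; returns (realm, name_type, [components])."""
    outer, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_ctx, pos = _expect(outer, 0, 0xA0)
    realm, _ = _expect(realm_ctx, 0, 0x1B)
    pn_ctx, _ = _expect(outer, pos, 0xA1)
    pn, _ = _expect(pn_ctx, 0, 0x30)
    nt_ctx, pos = _expect(pn, 0, 0xA0)
    nt_raw, _ = _expect(nt_ctx, 0, 0x02)
    name_type = int.from_bytes(nt_raw, "big", signed=True)
    ns_ctx, _ = _expect(pn, pos, 0xA1)
    ns_seq, _ = _expect(ns_ctx, 0, 0x30)
    components, p = [], 0
    while p < len(ns_seq):
        comp, p = _expect(ns_seq, p, 0x1B)
        components.append(comp.decode("ascii"))
    return realm.decode("ascii"), name_type, components


if __name__ == "__main__":
    der = encode_krb5_principal_name("rick/admin@EXAMPLE.COM")
    print(der.hex())
    print(decode_krb5_principal_name(der))
```

Feeding the decoder the SAN `otherName` value extracted from a generated certificate (any ASN.1 dumper will show it under the `1.3.6.1.5.2.2` type-id) makes both of Rick's questions mechanically checkable: the second element of the result is the name-type the template actually emitted, and the third is the full component list, which for a template that only handles a single component will come back as one string even when a two-component principal was intended.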