PKINIT certificate creation with GnuTLS' certtool
Greg Hudson
ghudson at mit.edu
Fri Jan 8 19:08:32 EST 2016
On 01/08/2016 06:59 PM, Rick van Rein wrote:
> kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should
> this not be NT-SRV-INST [Section 6.2 of RFC4120] or does PKINIT not
> care in practice? (The spec does not, but how about implementations?)
I don't think any implementations care; ours certainly does not. But I
agree that a name_type of 2 would be more appropriate.
> principals contains a single GeneralString holding ${ENV::CLIENT} —
> AFAIK this is hardcoded to only cover rick@ but not rick/admin@ right?
Yes; the config section has to be modified to handle a two-component
principal name.
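The following is an added example, not part of the original message or of any project's code. It DER-encodes the KRB5PrincipalName value (RFC 4556) that the discussed config section produces, with one GeneralString per name component and a selectable name_type. The principal names, the realm `EXAMPLE.COM` and all function names are constructed for illustration, and escaped `/` or `@` characters are not handled.

```python
"""Added example: DER-encode a KRB5PrincipalName (RFC 4556) value."""

NT_PRINCIPAL = 1   # RFC 4120 section 6.2
NT_SRV_INST = 2    # RFC 4120 section 6.2, e.g. krbtgt/REALM

SEQUENCE, INTEGER, GENERAL_STRING = 0x30, 0x02, 0x1B


def tlv(tag, content):
    """Return a DER tag-length-value triple with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def explicit(number, content):
    """Wrap content in a context-specific EXPLICIT [number] tag."""
    return tlv(0xA0 | number, content)


def der_integer(value):
    """Encode a non-negative INTEGER, adding a leading zero byte if needed."""
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    components = name.split("/")
    if not sep or not realm or not all(components):
        raise ValueError(f"not a full principal name: {principal!r}")
    return components, realm


def krb5_principal_name(principal, name_type=NT_PRINCIPAL):
    """Encode realm [0] and principalName [1] {name-type [0], name-string [1]}."""
    components, realm = split_principal(principal)
    # One GeneralString per component: rick/admin yields two strings, not one.
    strings = b"".join(tlv(GENERAL_STRING, c.encode("ascii")) for c in components)
    principal_name = tlv(SEQUENCE, explicit(0, der_integer(name_type))
                         + explicit(1, tlv(SEQUENCE, strings)))
    return tlv(SEQUENCE, explicit(0, tlv(GENERAL_STRING, realm.encode("ascii")))
               + explicit(1, principal_name))
```

Comparing the hex output for `rick@EXAMPLE.COM` and `rick/admin@EXAMPLE.COM` shows the extra GeneralString element that a config section with a single `${ENV::CLIENT}` entry cannot express.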