pkinit updates

Nicolas Williams Nicolas.Williams at
Tue Dec 19 18:08:00 EST 2006

On Tue, Dec 19, 2006 at 05:42:43PM -0500, Jeffrey Hutzelman wrote:
> You use the one whose SAN matches your principal name.  If there is more 
> than one, you use the first one, or prompt the user.  Of course, even that 
> only helps if the certs in question have PKINIT SANs, and a lot of them 
> won't.

Certs w/o PKINIT SANs can be used with PKINIT...

> Really, there are two completely different sets of uses here.
> (1) Using tools like kinit to obtain tickets
> (2) Using tools like login to gain access to a machine.
> [...]

Excellent analysis.

