pkinit updates

Jeffrey Hutzelman jhutz at
Tue Dec 19 18:31:47 EST 2006

On Tuesday, December 19, 2006 05:08:00 PM -0600 Nicolas Williams 
<Nicolas.Williams at> wrote:

> On Tue, Dec 19, 2006 at 05:42:43PM -0500, Jeffrey Hutzelman wrote:
>> You use the one whose SAN matches your principal name.  If there is more
>> than one, you use the first one, or prompt the user.  Of course, even
>> that only helps if the certs in question have PKINIT SANs, and a lot
>> of them won't.
> Certs w/o PKINIT SANs can be used with PKINIT...

Yes, but you can't match your principal name against their PKINIT SANs to
decide which one to use.  So you'd need some other approach.
