Comments on the use of plugins - use of pkinit_kdc_hostname

Douglas E. Engert deengert at
Fri Jun 15 15:05:47 EDT 2007

Got the pkinit code running on Solaris 10 to work with W2k3 KDCs
using OpenSC, with pcsc and ccid drivers calling libusb.

But this required the use of the pkinit_eku_checking = kpServerAuth
and pkinit_kdc_hostname parameters in the krb5.conf

The pkinit_kdc_hostname, in effect, duplicates the hostnames
as used in kdc = or in the DNS SRV records.  We really like to
use the dns_lookup_kdc=1 option so we don't have to have the names
of the KDCs in the krb5.conf. Having to add the
hostnames for pkinit_kdc_hostname defeats this goal!

If the concern is that the cert may be valid but not be from
a KDC, I would hope that some more Windows-friendly code
could be added. It looks like Windows adds the extension with a value of DomainController (utf8?) to
the cert as well as a SAN for DNS. (But Windows being Windows,
the host part of the DNS name XXXXXX below is in uppercase!)

(If it would be helpful, I can send the cert. But for now here are
the pertinent extensions:

         X509v3 extensions:
             X509v3 Key Usage:
                 Digital Signature, Key Encipherment
             S/MIME Capabilities:
                 . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
             X509v3 Extended Key Usage:
                 TLS Web Client Authentication, TLS Web Server Authentication
             X509v3 Subject Alternative Name:

To get the cert, I added the line
  PEM_write_X509(stdout, cert);
to pkinit_crypto_openssl.c


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
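The two krb5.conf controls the post is wrestling with, pkinit_eku_checking and pkinit_kdc_hostname, decide whether a presented KDC certificate is accepted. The following is an added illustration of that decision logic, not MIT krb5 code; it assumes the certificate's EKU OIDs, SAN dNSName entries and id-pkinit-san principal have already been extracted into a dict, and the Windows DC certificate below is constructed to resemble the one in the post (uppercase host part, serverAuth EKU, no id-pkinit-san).

```python
# EKU OIDs (RFC 4556 section 3.2.4; RFC 5280 section 4.2.1.12)
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"      # id-pkinit-KPKdc
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, what Windows DC certs carry


def _dns_norm(name):
    # DNS names are case-insensitive; Windows emits the host part in uppercase
    return name.rstrip(".").lower()


def verify_kdc_cert(cert, realm, eku_checking="kpKDC", kdc_hostname=()):
    """Return (accepted, reason). eku_checking mirrors pkinit_eku_checking
    (kpKDC, kpServerAuth, none); kdc_hostname mirrors pkinit_kdc_hostname.
    The check order is an assumption made for illustration."""
    mode = eku_checking.lower()
    ekus = set(cert.get("eku", ()))
    if mode == "none":
        pass
    elif mode == "kpkdc":
        if ID_PKINIT_KPKDC not in ekus:
            return False, "EKU lacks id-pkinit-KPKdc (use kpServerAuth for Windows KDCs)"
    elif mode == "kpserverauth":
        if not ekus & {ID_PKINIT_KPKDC, ID_KP_SERVER_AUTH}:
            return False, "EKU lacks both id-pkinit-KPKdc and id-kp-serverAuth"
    else:
        raise ValueError("unknown pkinit_eku_checking value: %r" % eku_checking)

    # Preferred binding: the id-pkinit-san otherName naming krbtgt/REALM@REALM
    if cert.get("kdc_principal") == "krbtgt/%s@%s" % (realm, realm):
        return True, "id-pkinit-san names krbtgt/%s" % realm
    # Fallback: a dNSName must match one of the configured pkinit_kdc_hostname values
    wanted = {_dns_norm(h) for h in kdc_hostname}
    for dns in cert.get("san_dns", ()):
        if _dns_norm(dns) in wanted:
            return True, "dNSName %s matches pkinit_kdc_hostname" % dns
    return False, "no id-pkinit-san and no dNSName matching pkinit_kdc_hostname"


# Constructed stand-in for the Windows DC certificate described in the post
WINDOWS_DC_CERT = {
    "eku": ["1.3.6.1.5.5.7.3.2", ID_KP_SERVER_AUTH],  # clientAuth, serverAuth
    "san_dns": ["DC01.EXAMPLE.COM"],                   # host part uppercase
    "kdc_principal": None,                             # no id-pkinit-san
}

if __name__ == "__main__":
    print(verify_kdc_cert(WINDOWS_DC_CERT, "EXAMPLE.COM"))
    print(verify_kdc_cert(WINDOWS_DC_CERT, "EXAMPLE.COM", "kpServerAuth",
                          ["dc01.example.com"]))
```

With the default kpKDC mode the Windows certificate is rejected; only the combination of kpServerAuth and a matching pkinit_kdc_hostname accepts it, which is exactly the duplication the post complains about.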
