X.509 preauth
Greg Hudson
ghudson at mit.edu
Fri Oct 30 23:18:25 EDT 2015
On 10/30/2015 06:14 PM, Pascal Jakobi wrote:
> PA-PK-AS-REQ (16), which I understand is for X.509 certificate
> preauthentication, is not in the list.
[...]
[From krb5.conf]
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
You should put the KDC certificate paths in "pkinit_identity", and the
client certificate paths in "pkinit_identities". (These are two of the
most confusingly named variables in krb5.conf, and we are considering
introducing new names for them and deprecating the old ones.)
Since the KDC isn't seeing a "pkinit_identity" configured, it isn't
offering PKINIT.
If you haven't read it already, see:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
More information about the krbdev
mailing list