pkinit plugin logic in pkinit_srv.c

Greg Hudson ghudson at
Thu Aug 24 15:26:49 EDT 2017

On 08/24/2017 03:09 PM, Craig Huckabee wrote:
>> We didn't expect people to want to authorize client certs with an
>> id-pkinit-san SAN containing the wrong principal name.  The only way to
>> make that work in the current code is to use module configuration to
>> disable the san certauth module, which would mean that you'd have to use
>> dbmatch for everyone.

> Unfortunately the SAN present isn’t a id-pkinit-san, these cards are
> only issued with the NT-Principal type SAN, so that is what I have to
> work with.

By NT-Principal type SAN, you mean (User
Principal Name)?  We can handle those, if you set
"pkinit_allow_upn = true" in kdc.conf in the realm configuration (or in
[kdcdefaults]).  The value has to match the request client principal, of

It may be that we presently have the wrong behavior if the cert contains
a UPN SAN and pkinit_allow_upn = false (the default).  In that case the
upn module should probably return KRB5_PLUGIN_NO_HANDLE but might now be
returning a mismatch.
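As an added illustration (not part of the message above or of the MIT krb5 sources), a kdc.conf fragment with the setting Greg describes; the realm name, file paths and certificate locations are placeholders:

```ini
# Added example, not from the original post. EXAMPLE.COM and the
# FILE: paths are placeholders; adjust to the KDC's own layout.

[kdcdefaults]
    # Accept a Microsoft UPN (NT principal name) SAN as the client's
    # principal name when the cert carries no id-pkinit-san.  The UPN value
    # must still match the client principal in the AS request.  Default: false.
    pkinit_allow_upn = true

[realms]
    EXAMPLE.COM = {
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.crt,/var/lib/krb5kdc/kdc.key
        pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
        # A per-realm value overrides the one in [kdcdefaults].
        pkinit_allow_upn = true
    }
```

Leaving pkinit_allow_upn at its default of false keeps a UPN-only certificate from being accepted for the principal named in its SAN, which is the case Greg's last paragraph discusses.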
