NSS PKINIT requires nsCertType extension?

Matt Rogers mrogers at redhat.com
Wed Feb 1 11:44:10 EST 2017

On Wed, Feb 1, 2017 at 11:07 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/31/2017 10:09 AM, Matt Rogers wrote:
>> It turns out NSS is expecting the Netscape
>> certificate type extension (nsCertType = client/server in
>> openssl.cnf), and adding it to the test certificates made the tests
>> pass. Is this expected, or documented anywhere?
> I remember NSS having some behavior differences which made NSS PKINIT
> not a drop-in for the OpenSSL implementation, but I don't remember if
> this was one Nalin had discussed.  I went back and looked at the
> conversation on krbdev in September and October 2011 when we merged it,
> but there wasn't any discussion of behavior differences there.
> I've actually been meaning to ask if we can remove the NSS PKINIT
> implementation, since it was motivated by
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation
> which is now defunct.  What led you to try it out?

If it was only used by the crypto consolidation effort then perhaps we
can remove it (I will ask around). The cert authorization plugin
framework needed new functions in the PKINIT crypto backend, which I
wrote for the OpenSSL variant, so I was giving it a shot before I went
about writing NSS versions. But I can hold off on those for now if the
NSS support is in limbo.

More information about the krbdev mailing list