PKINIT and instance principals.

Greg Hudson ghudson at
Sun Jan 29 11:49:59 EST 2017

On 01/29/2017 04:52 AM, Dr. Greg Wettstein wrote:
> Examining the certificate in DER form indicates the principal name is
> encoded as sudo/UID at REALM as is desired.

I'm not sure this is correct.  An AnotherName of type KRB5PrincipalName
is defined by RFC 4556 to be of type KRB5PrincipalName:

   KRB5PrincipalName ::= SEQUENCE {
       realm                   [0] Realm,
       principalName           [1] PrincipalName
   }

and PrincipalName is defined by RFC 4120 as:

    PrincipalName   ::= SEQUENCE {
        name-type       [0] Int32,
        name-string     [1] SEQUENCE OF KerberosString
    }

If in the DER you are seeing a name-string containing a length-1
sequence containing the string "sudo/UID", that is a single-component
principal, which unparses to "sudo\/UID at REALM" as you saw.

(It would certainly be simpler to create PKINIT certificates using
OpenSSL if RFC 4556 had used unparsed principal names instead of
ASN.1-encoding them.  But that ship sailed long ago.)

To correctly generate a multi-component principal name in the
certificate using an OpenSSL extensions file, the SEQUENCE of principal
components needs to contain separate elements for each principal.  In you can
see this being done in the extensions file for the KDC certificate, and
you can apply something similar for client certificates.  Our
documentation in this area could be improved; we have an open issue at:
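As an added example (not code from the post, nor from MIT krb5 or OpenSSL), the script below DER-encodes a KRB5PrincipalName the way it sits inside a PKINIT SAN otherName, decodes it again, and unparses it with the '/' and '@' backslash-quoting the reply describes, so the one-component "sudo/UID" and the two-component "sudo", "UID" forms can be compared byte for byte. It assumes name-type NT-PRINCIPAL (1), realm and components under 256 bytes, and omits the control-character escapes krb5 also applies.

```python
# Added example (not from the krbdev post nor from MIT krb5): DER-encode a
# KRB5PrincipalName (RFC 4556) as carried in a PKINIT SAN, decode it, and
# unparse it with krb5-style quoting. Assumes NT-PRINCIPAL (1), stdlib only.
def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV for bodies under 256 bytes (short or one-byte long form)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + body

def encode_krb5_principal_name(realm: str, components: list[str], name_type: int = 1) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }."""
    realm_der = _tlv(0xA0, _tlv(0x1B, realm.encode()))               # [0] GeneralString
    nt_der = _tlv(0xA0, _tlv(0x02, name_type.to_bytes(1, "big")))    # [0] Int32 (assumed 0..127)
    strings = b"".join(_tlv(0x1B, c.encode()) for c in components)   # one KerberosString each
    ns_der = _tlv(0xA1, _tlv(0x30, strings))                         # [1] SEQUENCE OF KerberosString
    return _tlv(0x30, realm_der + _tlv(0xA1, _tlv(0x30, nt_der + ns_der)))

def _unwrap(buf: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Body of the TLV at pos, plus the offset of the TLV that follows it."""
    first, start = buf[pos + 1], pos + 2
    if first >= 0x80:                      # long-form length
        k = first & 0x7F
        first, start = int.from_bytes(buf[start:start + k], "big"), start + k
    return buf[start:start + first], start + first

def decode_krb5_principal_name(der: bytes) -> tuple[str, int, list[str]]:
    """Inverse of the encoder: (realm, name-type, list of name-string components)."""
    seq, _ = _unwrap(der)
    realm_ctx, pos = _unwrap(seq)
    realm = _unwrap(realm_ctx)[0].decode()
    pn_seq = _unwrap(_unwrap(seq, pos)[0])[0]
    nt_ctx, pos = _unwrap(pn_seq)
    name_type = int.from_bytes(_unwrap(nt_ctx)[0], "big", signed=True)
    ns_seq = _unwrap(_unwrap(pn_seq, pos)[0])[0]
    comps, pos = [], 0
    while pos < len(ns_seq):
        body, pos = _unwrap(ns_seq, pos)
        comps.append(body.decode())
    return realm, name_type, comps

def unparse(realm: str, components: list[str]) -> str:
    """krb5_unparse_name-style output: '/', '@' and '\\' inside a component are backslash-quoted."""
    quote = lambda s: "".join("\\" + ch if ch in "/@\\" else ch for ch in s)
    return "/".join(quote(c) for c in components) + "@" + quote(realm)

two = encode_krb5_principal_name("EXAMPLE.COM", ["sudo", "UID"])   # separate SEQUENCE elements
one = encode_krb5_principal_name("EXAMPLE.COM", ["sudo/UID"])      # a single quoted component
for der in (two, one):
    realm, _, comps = decode_krb5_principal_name(der)
    print(len(comps), "component(s):", unparse(realm, comps))
```

Running it prints "2 component(s): sudo/UID@EXAMPLE.COM" for the first encoding and "1 component(s): sudo\/UID@EXAMPLE.COM" for the second, which is the distinction the KDC's principal matching sees.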
