[36165] in Kerberos
Re: krb5-1.12.1, pkinit, and openssl ca
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Jun 1 10:47:17 2014
Message-ID: <538B3CDE.5090307@mit.edu>
Date: Sun, 01 Jun 2014 10:46:54 -0400
From: Greg Hudson <ghudson@mit.edu>
To: "squidmobile@fastmail.fm" <squidmobile@fastmail.fm>, kerberos@mit.edu
In-Reply-To: <1401552790.17470.123646265.69CB4B1A@webmail.messagingengine.com>

On 05/31/2014 12:13 PM, squidmobile@fastmail.fm wrote:
> as you can see, the expected kdc extensions appeared in the output
> certificate, but they contained no data or invalid data.

Are you judging that by the following output?

> X509v3 Subject Alternative Name:
> othername:<unsupported>

I see the same thing in test KDC certificates. It just means that
OpenSSL doesn't know how to display that type of SAN.

[From your first message:]
> this covers almost all i could find about the mapping file:
>
> pkinit_mapping_file
>
> Specifies the name of the ACL pkinit mapping file. This file
> maps principals to the certificates that they can use.

As it turns out, there is no mapping file support. All the code does is
read the filename into a structure field and ignore it. I've submitted
a pull request to eliminate the skeleton of this feature so it doesn't
confuse anyone else.
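
One way to confirm that a SAN shown as `othername:<unsupported>` actually carries data, as an added example that is not part of the original message or of MIT krb5: a small Python DER walker that decodes the id-pkinit-san otherName (OID 1.3.6.1.5.2.2, KRB5PrincipalName per RFC 4556). The sample bytes, realm and principal name are constructed for illustration, and the function names are hypothetical.

```python
PKINIT_SAN_OID = "1.3.6.1.5.2.2"  # id-pkinit-san (RFC 4556)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed value into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    """Decode OID content bytes to dotted form (first arc 0 or 1 only)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pkinit_principal(general_name):
    """Decode one GeneralName; return 'comp/comp@REALM' or None if not a PKINIT SAN."""
    tag, other, _ = read_tlv(general_name)
    if tag != 0xA0:  # [0] otherName
        return None
    (_, oid), (_, value) = children(other)       # type-id, [0] EXPLICIT value
    if decode_oid(oid) != PKINIT_SAN_OID:
        return None
    (_, princ), = children(value)                # KRB5PrincipalName SEQUENCE
    (_, realm_f), (_, name_f) = children(princ)  # [0] realm, [1] principalName
    (_, pn), = children(name_f)                  # PrincipalName SEQUENCE
    (_, _ntype), (_, strings_f) = children(pn)   # [0] name-type, [1] name-string
    comps = [s.decode("ascii") for _, s in children(children(strings_f)[0][1])]
    return "/".join(comps) + "@" + children(realm_f)[0][1].decode("ascii")

# Constructed sample: otherName for krbtgt/EXAMPLE.COM@EXAMPLE.COM, name-type 1.
SAMPLE_SAN = bytes.fromhex(
    "a03d06062b0601050202a0333031a00d1b0b4558414d504c452e434f4d"
    "a120301ea003020101a11730151b066b72627467741b0b4558414d504c452e434f4d")
```

The input to `pkinit_principal` is the DER encoding of a single GeneralName taken from the certificate's subjectAltName extension.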