
PKINIT certificate creation with GnuTLS' certtool

daemon@ATHENA.MIT.EDU (Rick van Rein)
Fri Jan 8 18:59:34 2016

Message-ID: <56904D4C.60400@openfortress.nl>
Date: Sat, 09 Jan 2016 00:59:08 +0100
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

I have reported a feature request with GnuTLS, suggesting it to support
PKINIT certificate generation with certtool,
https://gitlab.com/gnutls/gnutls/issues/62

Nikos Mavrogiannopoulos is graciously helping out, and has created a
proposed commit,
https://gitlab.com/gnutls/gnutls/commits/krb5

I have been comparing his work with the instructions for OpenSSL,
http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html

A few questions that this presented:

 1. kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should
    this not be NT-SRV-INST [Section 6.2 of RFC4120] or does PKINIT not
    care in practice? (The spec does not, but how about implementations?)

 2. principals contains a single GeneralString holding ${ENV::CLIENT} —
    AFAIK this is hardcoded to only cover rick@ but not rick/admin@, right?


FWIW, what Nikos has created is configured in a template file as

krb5_principal = rick@OPENFORTRESS.NL
-or-
krb5_principal = krbtgt/OPENFORTRESS.NL@OPENFORTRESS.NL

and it has the logic to translate that into the structures that we now
have to hand-code in openssl.conf — so there is going to be a generous
step forward if this enters mainstream with GnuTLS 3.5.0 :-)

Anyone who wants to give certtool a try in an existing PKINIT
infrastructure is /very/ welcome; I am not able to do that, and am
comparing the OpenSSL and GnuTLS certificates.

Ciao,
-Rick

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
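As an added example (not code from the mail above, from GnuTLS or from MIT krb5), the Python below builds the id-pkinit-san otherName that both the certtool `krb5_principal =` template line and the hand-written `kdc_principal_seq`-style openssl.conf sections have to produce (KRB5PrincipalName, RFC 4556 section 3.2.2), and decodes it again so the SAN from an OpenSSL-made and a certtool-made certificate can be compared byte for byte. It splits the principal string on unescaped `/` into separate name-string components, which is exactly what a single `GeneralString:${ENV::CLIENT}` entry cannot express, and takes the name-type as a parameter (NT-PRINCIPAL = 1, NT-SRV-INST = 2 per RFC 4120 section 6.2); it does not settle which name-type implementations accept. The DER helpers are hand-written for the example, the principals are the ones quoted in the mail, and only the 1.3.6.1.5.2.2 OID and the ASN.1 layout come from the RFCs.

```python
"""Build and decode the PKINIT id-pkinit-san otherName (RFC 4556 3.2.2).

KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
PrincipalName     ::= SEQUENCE { name-type [0] Int32,
                                 name-string [1] SEQUENCE OF KerberosString }
Example code with hand-rolled DER; not GnuTLS or krb5 code.
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san (RFC 4556)
NT_PRINCIPAL = 1                   # RFC 4120 section 6.2
NT_SRV_INST = 2


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (realm, [components]).
    A backslash escapes the next character, so 'a\\/b@R' is one component 'a/b'."""
    comps, cur, seen_at, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped separator or backslash
            cur.append(text[i + 1]); i += 2; continue
        if not seen_at and ch == "/":
            comps.append("".join(cur)); cur = []
        elif not seen_at and ch == "@":
            comps.append("".join(cur)); cur = []; seen_at = True
        elif seen_at and ch in "/@":
            raise ValueError("unescaped %r inside realm" % ch)
        else:
            cur.append(ch)
        i += 1
    realm = "".join(cur)
    if not seen_at or not realm or "" in comps:
        raise ValueError("expected comp[/comp...]@REALM, got %r" % text)
    return realm, comps


# --- minimal DER encoder (definite lengths only) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _integer(v):                      # non-negative only; keeps sign bit clear
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _general_string(s):               # KerberosString is an IA5 subset of GeneralString
    return _tlv(0x1B, s.encode("ascii"))

def _sequence(*parts):
    return _tlv(0x30, b"".join(parts))

def _explicit(n, inner):              # [n] EXPLICIT, constructed context tag
    return _tlv(0xA0 | n, inner)

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]; arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F)); arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_krb5_principal_name(principal, name_type=NT_PRINCIPAL):
    realm, comps = parse_principal(principal)
    principal_name = _sequence(
        _explicit(0, _integer(name_type)),
        _explicit(1, _sequence(*(_general_string(c) for c in comps))))
    return _sequence(_explicit(0, _general_string(realm)), _explicit(1, principal_name))

def encode_pkinit_san(principal, name_type=NT_PRINCIPAL):
    """One GeneralName: otherName [0] IMPLICIT { id-pkinit-san, [0] EXPLICIT KRB5PrincipalName }."""
    other = _oid(ID_PKINIT_SAN) + _explicit(0, encode_krb5_principal_name(principal, name_type))
    return _tlv(0xA0, other)          # implicit [0] replaces the OtherName SEQUENCE tag


# --- decoder, for comparing what certtool and openssl actually emitted ---
def _read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F; n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _expect(buf, pos, tag):
    got, body, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return body, nxt

def decode_krb5_principal_name(der):
    """Inverse of encode_krb5_principal_name: (name_type, realm, [components])."""
    body, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_ctx, p = _expect(body, 0, 0xA0); pn_ctx, _ = _expect(body, p, 0xA1)
    realm, _ = _expect(realm_ctx, 0, 0x1B); pn, _ = _expect(pn_ctx, 0, 0x30)
    nt_ctx, q = _expect(pn, 0, 0xA0); ns_ctx, _ = _expect(pn, q, 0xA1)
    nt, _ = _expect(nt_ctx, 0, 0x02); ns, _ = _expect(ns_ctx, 0, 0x30)
    comps, q = [], 0
    while q < len(ns):
        c, q = _expect(ns, q, 0x1B); comps.append(c.decode("ascii"))
    return int.from_bytes(nt, "big", signed=True), realm.decode("ascii"), comps

def decode_pkinit_san(general_name):
    body, _ = _expect(general_name, 0, 0xA0)
    oid, p = _expect(body, 0, 0x06)
    if _tlv(0x06, oid) != _oid(ID_PKINIT_SAN):
        raise ValueError("otherName is not id-pkinit-san")
    value, _ = _expect(body, p, 0xA0)
    return decode_krb5_principal_name(value)


if __name__ == "__main__":
    for princ in ("rick@OPENFORTRESS.NL", "krbtgt/OPENFORTRESS.NL@OPENFORTRESS.NL",
                  "rick/admin@OPENFORTRESS.NL"):
        san = encode_pkinit_san(princ)
        print(princ, "->", san.hex(), decode_pkinit_san(san))
```

To check a real certificate, extract the subjectAltName extension value with your ASN.1 tool of choice, feed each otherName GeneralName to `decode_pkinit_san`, and compare the (name_type, realm, components) tuples from the OpenSSL and certtool outputs; a mismatch in the component list is what the `${ENV::CLIENT}` question above is about.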