
Certificates creation



Hi group,

    I'm trying to generate new certificates for client and kdc using the 
script in the directory lib/hx509/data, gen-req.sh. But there are some 
things I don't understand:

1) for the kdc the domain is TEST.H5L.SE and the name is krbtgt as 
written in section

[pkinitkdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:TEST.H5L.SE

of file openssl.conf

But if I want to change the domain, can I do this directly, or must I 
make other changes?

2) for the client the domain is TEST.H5L.SE and the name is bar as 
written in sections

[pkinitc_princ_name]
realm = EXP:0, GeneralString:TEST.H5L.SE
principal_name = EXP:1, SEQUENCE:pkinitc_principal_seq

and

[pkinitc_principals]
princ1 = GeneralString:bar

But the kinit test takes into consideration a principal named foo 
under the same domain. What does it mean?

3) If I want to generate a certificate for the client, what must I 
change? Maybe only these two strings?
princ1 = GeneralString:bar
and
realm = EXP:0, GeneralString:TEST.H5L.SE

Or must I change other things?

4) Are there any requirements for generating a certificate for the CA?