
Certificates for Pkinit
Hi group,

    we have proved Heimdal and PKINIT at our organization and we think 
it is very good, because we needed a system able to authenticate clients 
with certificates.

However, we would like confirmation about the requirements for the certificates:

The KDC certificate should have an EKU and a subjectAltName (OtherName) that are 
PK-INIT specific.
The EKU is 1.3.6.1.5.2.3.5.

The subjectAltName is of type OtherName using the OID 1.3.6.1.5.2.2, 
with a DER-encoded KRB5PrincipalName in the data part carrying the 
realm's krbtgt principal.

The certificates for the clients must have an EKU id-pkekuoid 
(1.3.6.1.5.2.3.4) and a DER-encoded domain in the subjectAltName of the 
certificate using OtherName.

Is this all correct?

If our CA can't meet these requirements, is there a workaround?

Thanks
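As an added illustration (not part of the original post or of Heimdal): a pure-Python encoder and decoder for the id-pkinit-san OtherName the post describes, plus a check that a KDC certificate's SAN really carries krbtgt/REALM@REALM for the realm you expect. The three OIDs are the ones quoted in the post; the ASN.1 layout of KRB5PrincipalName (realm [0], principalName [1] with name-type [0] and name-string [1]) follows RFC 4556. The name-type NT-SRV-INST (2), the sample realm EXAMPLE.COM and the function names are my assumptions.

```python
"""Build and verify the PKINIT subjectAltName OtherName (id-pkinit-san).

Standalone DER helpers are used so the example runs without any
third-party ASN.1 or X.509 library.  Assumed sample values: realm
EXAMPLE.COM, name-type NT-SRV-INST (2) for the krbtgt service principal.
"""

OID_PKINIT_SAN = "1.3.6.1.5.2.2"          # OtherName type-id from the post
OID_PKINIT_KDC_EKU = "1.3.6.1.5.2.3.5"    # KDC EKU from the post
OID_PKINIT_CLIENT_EKU = "1.3.6.1.5.2.3.4" # client EKU from the post
NT_SRV_INST = 2                           # assumed name-type for krbtgt/REALM

# --- minimal DER encoding -------------------------------------------------

def _len(n):
    """DER definite-length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def encode_krb5_principal_name(realm, name_type, components):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }."""
    if not 0 <= name_type < 0x80:
        raise ValueError("name-type outside the single-byte range this helper supports")
    realm_der = _tlv(0xA0, _tlv(0x1B, realm.encode("ascii")))      # GeneralString
    name_string = _tlv(0x30, b"".join(_tlv(0x1B, c.encode("ascii")) for c in components))
    principal = _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type]))) + _tlv(0xA1, name_string))
    return _tlv(0x30, realm_der + _tlv(0xA1, principal))

def encode_pkinit_san_general_name(realm, name_type, components):
    """GeneralName otherName [0] { type-id id-pkinit-san, value [0] EXPLICIT KRB5PrincipalName }."""
    krb = encode_krb5_principal_name(realm, name_type, components)
    return _tlv(0xA0, encode_oid(OID_PKINIT_SAN) + _tlv(0xA0, krb))

# --- minimal DER decoding -------------------------------------------------

def _read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _expect(buf, pos, tag):
    got, body, end = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#x}, got {got:#x}")
    return body, end

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_krb5_principal_name(der):
    """Return (realm, name_type, [components]) from a DER KRB5PrincipalName."""
    seq, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after KRB5PrincipalName")
    realm_ctx, p = _expect(seq, 0, 0xA0)
    realm, _ = _expect(realm_ctx, 0, 0x1B)
    pn_ctx, _ = _expect(seq, p, 0xA1)
    pn, _ = _expect(pn_ctx, 0, 0x30)
    nt_ctx, q = _expect(pn, 0, 0xA0)
    nt, _ = _expect(nt_ctx, 0, 0x02)
    ns_ctx, _ = _expect(pn, q, 0xA1)
    ns, _ = _expect(ns_ctx, 0, 0x30)
    components, r = [], 0
    while r < len(ns):
        comp, r = _expect(ns, r, 0x1B)
        components.append(comp.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), components

def kdc_san_matches_realm(general_name_der, realm):
    """True only if the GeneralName is an id-pkinit-san OtherName naming krbtgt/REALM@REALM."""
    tag, other_name, _ = _read_tlv(general_name_der, 0)
    if tag != 0xA0:                      # not an otherName at all (e.g. dNSName)
        return False
    oid_tag, oid_body, p = _read_tlv(other_name, 0)
    if oid_tag != 0x06 or decode_oid(oid_body) != OID_PKINIT_SAN:
        return False
    value, _ = _expect(other_name, p, 0xA0)
    r, _name_type, components = decode_krb5_principal_name(value)
    return r == realm and components == ["krbtgt", realm]
```

To check a real KDC certificate, hand this the raw bytes of each GeneralName from the certificate's subjectAltName extension (any X.509 parser can give you those) and confirm separately that the extendedKeyUsage extension lists OID_PKINIT_KDC_EKU; a client certificate is checked the same way against OID_PKINIT_CLIENT_EKU and its own principal name.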