Using XCA with Kerberos PKINIT #580

rtvd · 2020-05-21T04:56:36Z

rtvd
May 21, 2020

It would be nice to have an ability to use XCA with Kerberos PKINIT.
https://k5wiki.kerberos.org/wiki/Pkinit_configuration

This would involve being able to issue certificates for Kerberos KDC and for Kerberos principals.

The issue is that the required attributes are quite fancy. The example OpenSSL configuration looks like this:

[ kdc_cert ]
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement

#Pkinit EKU
extendedKeyUsage = 1.3.6.1.5.2.3.5

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Copy subject details

issuerAltName=issuer:copy

# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[ client_cert ]

# These extensions are added when 'ca' signs a request.

basicConstraints=CA:FALSE

keyUsage = digitalSignature, keyEncipherment, keyAgreement

extendedKeyUsage =  1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer


subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name


# Copy subject details

issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:${ENV::CLIENT}

Answered by KJarek

Jun 8, 2024

A valid work-around is to go into Advanced -> Edit when creating a new certificate and use the relevant part of the configuration you've posted:

subjectAltName = @subjectAltName_sect

[subjectAltName_sect]
otherName.0 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:REALM
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:username

Adjust REALM and username according to your needs. If you need a certificate for a service, expand the [principals] section like this:

[principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:REALM

Maybe i…

View full answer

KJarek · 2024-06-08T20:20:16Z

KJarek
Jun 8, 2024

A valid work-around is to go into Advanced -> Edit when creating a new certificate and use the relevant part of the configuration you've posted:

subjectAltName = @subjectAltName_sect

[subjectAltName_sect]
otherName.0 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:REALM
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:username

Adjust REALM and username according to your needs. If you need a certificate for a service, expand the [principals] section like this:

[principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:REALM

Maybe it will be useful for someone :-)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Using XCA with Kerberos PKINIT #580

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Using XCA with Kerberos PKINIT #580

rtvd May 21, 2020

Replies: 1 comment

KJarek Jun 8, 2024

rtvd
May 21, 2020

KJarek
Jun 8, 2024