Hello,

I have reported a feature request with GnuTLS, suggesting that it support PKINIT certificate generation with certtool: https://gitlab.com/gnutls/gnutls/issues/62

Nikos Mavrogiannopoulos is graciously helping out, and has created a proposed commit: https://gitlab.com/gnutls/gnutls/commits/krb5

I have been comparing his work with the instructions for OpenSSL: http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html

A few questions that this presented:

1. kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should this not be NT-SRV-INST [Section 6.2 of RFC4120], or does PKINIT not care in practice? (The spec does not, but how about implementations?)

2. principals contains a single GeneralString holding ${ENV::CLIENT} — AFAIK this is hardcoded to only cover rick@ but not rick/admin@, right?

FWIW, what Nikos has created is configured in a template file as

krb5_principal = r...@openfortress.nl

-or-

krb5_principal = krbtgt/openfortress...@openfortress.nl

and it has the logic to translate that into the structures that we now have to hand-code in openssl.conf — so there is going to be a generous step forward if this enters mainstream with GnuTLS 3.5.0 :-)

Anyone who wants to give certtool a try in an existing PKINIT infrastructure is /very/ welcome; I am not able to do that, and am comparing the OpenSSL and GnuTLS certificates.

Ciao,
-Rick

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
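Added example, not part of Rick's post nor of the GnuTLS or OpenSSL code under discussion: a small DER encoder and decoder for the RFC 4556 KRB5PrincipalName value that the PKINIT SAN carries. It shows where name_type sits in the structure and why a single GeneralString (question 2) covers only one name-string component, while rick/admin@REALM needs two. The function names are mine, the name-type constants follow RFC 4120 section 6.2, and the principal strings are constructed samples.

```python
# Added example, not code from the thread, GnuTLS or OpenSSL: minimal DER encode/decode
# of the RFC 4556 KRB5PrincipalName SAN, showing where name-type sits and how
# rick@REALM (one component) differs from rick/admin@REALM (two components).
NT_PRINCIPAL = 1  # name-type values from RFC 4120 section 6.2
NT_SRV_INST = 2

def _len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def _general_string(s):  # KerberosString is a GeneralString, tag 0x1B
    return _tlv(0x1B, s.encode("ascii"))

def _ctx(n, content):  # context-specific constructed tag [n]
    return _tlv(0xA0 | n, content)

def split_principal(principal):  # "rick/admin@REALM" -> (["rick", "admin"], "REALM")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def krb5_principal_name(principal, name_type=NT_PRINCIPAL):
    components, realm = split_principal(principal)
    name_string = _tlv(0x30, b"".join(_general_string(c) for c in components))
    pn = _tlv(0x30, _ctx(0, _tlv(0x02, bytes([name_type]))) + _ctx(1, name_string))
    return _tlv(0x30, _ctx(0, _general_string(realm)) + _ctx(1, pn))

def _read(buf, pos):  # returns (tag, content, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_krb5_principal_name(der):  # -> (name_type, components, realm)
    _, outer, _ = _read(der, 0)
    _, realm_ctx, pos = _read(outer, 0)
    _, pn, _ = _read(_read(outer, pos)[1], 0)
    _, nt_ctx, pos = _read(pn, 0)
    _, ns_seq, _ = _read(_read(pn, pos)[1], 0)
    comps, pos = [], 0
    while pos < len(ns_seq):
        _, c, pos = _read(ns_seq, pos)
        comps.append(c.decode("ascii"))
    name_type = int.from_bytes(_read(nt_ctx, 0)[1], "big")
    return name_type, comps, _read(realm_ctx, 0)[1].decode("ascii")
```

Running parse_krb5_principal_name over a certificate's actual SAN value is a quick way to check whether a generated certificate carries the expected name_type and the full component list rather than a single string.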