Will - It would be a lot easier to help you if you could describe which extensions you want to have in your cert. Parsing openssl config files is not something I care about.

What does your KDC cert look like? What does your princ cert look like? If I understand those 2 questions, I think I can help you create the same things using pktool.

-Wyllys

On 02/09/10 21:36, Will Fiveash wrote:
> I've been testing Solaris krb PKINIT and was wondering how I can
> generate the certs using pktool. Currently I generate the certs using
> openssl like so (note that I've added the contents of
> /usr/local/etc/sam-openssl-extfile.txt to the end of the message):
>
> # Generate KDC cert request:
> # Note: -nodes option outputs an unprotected key, good for kdc (no PIN prompt)
> openssl req -new -newkey rsa:1024 \
>     -nodes -keyout kdc.key \
>     -out kdc.req
>
> #Generate KDC cert:
> realm="ZONE.NET"
> CLIENT=kdc REALM=$realm openssl x509 \
>     -CAkey ca.key -CA ca.crt -CAserial ca.srl -CAcreateserial \
>     -req -in kdc.req -out kdc.crt \
>     -days $days \
>     -extfile /usr/local/etc/sam-openssl-extfile.txt \
>     -extensions kdc_cert
>
> # Generate princ cert req:
> openssl req -new -newkey rsa:1024 \
>     -keyout ${princ}.key -out ${princ}.req
>
> #gen princ cert:
> CLIENT=$princ REALM=$realm openssl x509 \
>     -CAkey ca.key -CA ca.crt -CAserial ca.srl -CAcreateserial \
>     -req -days $days -in ${princ}.req -out ${princ}.crt \
>     -extfile /usr/local/etc/sam-openssl-extfile.txt \
>     -extensions client_cert
>
> Here is /usr/local/etc/sam-openssl-extfile.txt:
>
> # from samH
> # note no ca_cert (alluded to in his post)
> # http://www.openssl.org/docs/apps/x509v3_config.html#
>
> [ kdc_cert ]
>
> basicConstraints=CA:FALSE
>
> # Here are some examples of the usage of nsCertType. If it is omitted
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
>
> extendedKeyUsage = 1.3.6.1.5.2.3.5
>
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
>
> # Copy subject details
>
> issuerAltName=issuer:copy
>
> # Add id-pkinit-san (pkinit subjectAlternativeName)
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
>
> [kdc_princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:kdc_principal_seq
>
> [kdc_principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:kdc_principals
>
> [kdc_principals]
> princ1 = GeneralString:krbtgt
> princ2 = GeneralString:${ENV::REALM}
>
> [ client_cert ]
>
> # These extensions are added when 'ca' signs a request.
>
> basicConstraints=CA:FALSE
>
> keyUsage = digitalSignature, keyEncipherment, keyAgreement
>
> extendedKeyUsage = 1.3.6.1.5.2.3.4
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
>
> # Import the email address.
>
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>
> # Copy subject details
>
> issuerAltName=issuer:copy
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> [principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:principals
>
> [principals]
> princ1 = GeneralString:${ENV::CLIENT}
>
> =============================================
>
> Can someone give me the exact pktool commands to create identical kdc
> and general princ certs/keys?
>
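The `SEQUENCE:kdc_princ_name` and `SEQUENCE:princ_name` sections in the quoted extfile are an OpenSSL ASN.1 recipe for the RFC 4556 KRB5PrincipalName that goes inside the id-pkinit-san otherName (OID 1.3.6.1.5.2.2). The following is an added example, not code from either poster, from pktool or from OpenSSL: a standard-library Python encoder and decoder for that structure, so the DER produced by whichever tool issues the cert can be decoded and checked, for instance to confirm that a KDC cert actually names `krbtgt/REALM@REALM` (which RFC 4556 requires before a client may trust it as a KDC). All function names are my own; the sample realm `ZONE.NET` and principals are taken from the quoted script.

```python
# Added example: encode/decode the KRB5PrincipalName carried in the
# id-pkinit-san otherName. Structure per RFC 4556:
#   KRB5PrincipalName ::= SEQUENCE { realm [0] Realm,
#                                    principalName [1] PrincipalName }
#   PrincipalName     ::= SEQUENCE { name-type [0] Int32,
#                                    name-string [1] SEQUENCE OF KerberosString }
# Realm and KerberosString are GeneralString (tag 0x1b); [n] tags are
# EXPLICIT, matching the EXP:n entries in the quoted extfile.

# OIDs as they appear in the quoted config.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"          # otherName type-id
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"      # EKU on the KDC cert
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"  # EKU on the client cert

TAG_INTEGER, TAG_GENERALSTRING, TAG_SEQUENCE = 0x02, 0x1B, 0x30


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _general_string(s):
    return _tlv(TAG_GENERALSTRING, s.encode("ascii"))


def _integer(n):
    # Non-negative Int32; a leading 0x00 is added when the high bit is set.
    return _tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _explicit(idx, body):
    # Context-specific constructed [idx] wrapper (EXPLICIT tagging).
    return _tlv(0xA0 | idx, body)


def _sequence(*items):
    return _tlv(TAG_SEQUENCE, b"".join(items))


def encode_krb5_principal_name(realm, name_type, name_string):
    """Build the DER that the extfile's SEQUENCE:*_princ_name section yields."""
    return _sequence(
        _explicit(0, _general_string(realm)),
        _explicit(1, _sequence(
            _explicit(0, _integer(name_type)),
            _explicit(1, _sequence(*(_general_string(p) for p in name_string))),
        )),
    )


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV at pos; strict bounds checks."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("value runs past end of data")
    return tag, data[pos:pos + length], pos + length


def _unwrap(data, tag):
    """data must be exactly one TLV with the given tag; return its value."""
    t, value, end = _read_tlv(data, 0)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    if end != len(data):
        raise ValueError("trailing bytes after element")
    return value


def _children(seq_body):
    items, pos = [], 0
    while pos < len(seq_body):
        t, v, pos = _read_tlv(seq_body, pos)
        items.append((t, v))
    return items


def decode_krb5_principal_name(der):
    """Return (realm, name_type, [name components]) or raise ValueError."""
    outer = _children(_unwrap(der, TAG_SEQUENCE))
    if [t for t, _ in outer] != [0xA0, 0xA1]:
        raise ValueError("KRB5PrincipalName needs [0] realm and [1] principalName")
    realm = _unwrap(outer[0][1], TAG_GENERALSTRING).decode("ascii")
    pn = _children(_unwrap(outer[1][1], TAG_SEQUENCE))
    if [t for t, _ in pn] != [0xA0, 0xA1]:
        raise ValueError("PrincipalName needs [0] name-type and [1] name-string")
    name_type = int.from_bytes(_unwrap(pn[0][1], TAG_INTEGER), "big", signed=True)
    names = []
    for t, v in _children(_unwrap(pn[1][1], TAG_SEQUENCE)):
        if t != TAG_GENERALSTRING:
            raise ValueError("name-string entries must be GeneralString")
        names.append(v.decode("ascii"))
    return realm, name_type, names


def principal_string(realm, names):
    return "/".join(names) + "@" + realm


def is_kdc_san(der, realm):
    """True only if the SAN names krbtgt/REALM in the expected realm (RFC 4556 KDC check)."""
    try:
        r, _, names = decode_krb5_principal_name(der)
    except ValueError:
        return False
    return r == realm and names == ["krbtgt", realm]


if __name__ == "__main__":
    # Constructed sample matching the quoted [kdc_principals] section.
    kdc = encode_krb5_principal_name("ZONE.NET", 1, ["krbtgt", "ZONE.NET"])
    print(kdc.hex())
    realm, _, names = decode_krb5_principal_name(kdc)
    print(principal_string(realm, names), is_kdc_san(kdc, "ZONE.NET"))
```

To check a real cert, pull the raw value of the otherName out of the subjectAltName (for example by locating it with `openssl asn1parse -dump` on the certificate) and pass those bytes to `decode_krb5_principal_name`; the decoder rejects trailing bytes and wrong tags rather than silently accepting a malformed name, which is the property you want before the result is used to decide whether a peer is the KDC.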