On 05/09/2013 07:18 AM, sasikumar bodathula wrote:
> I am planning to implement PKINIT in my Kerberos client application. Read the
> tutorial for PKINIT options in MIT site and need to know what APIs can be
> used to achieve PKINIT in client application.

Normally, a client application doesn't need to use any APIs to make PKINIT work; all you have to do is configure the client and KDC appropriately using krb5.conf.

If you have a specific need to control PKINIT behavior from the application, you can create a krb5_get_init_creds_opt object with krb5_get_init_creds_opt_alloc and set PKINIT-specific attributes with krb5_get_init_creds_opt_set_pa. The attributes you can set this way are described in the kinit man page under the description of the -X attribute (so X509_user_identity, X509_anchors, and flag_RSA_PROTOCOL).

You may also need to refer to the krb5.conf man page where it talks about the pkinit_identities and pkinit_anchors variables.
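
A client-side krb5.conf fragment that sets the pkinit_anchors and pkinit_identities variables mentioned in the reply above. This is an added example, not part of the original message; the realm, KDC hostname and file paths are placeholders.

```ini
# Constructed example: realm name, KDC hostname and all paths are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com

        # Trust anchor: the CA certificate that issued the KDC's certificate.
        # List only the CA(s) that issue KDC certificates for this realm,
        # not a general system CA bundle.
        pkinit_anchors = FILE:/etc/krb5/pkinit/cacert.pem

        # Client identity: certificate and matching private key.
        # The key file should be readable only by the user who runs kinit.
        pkinit_identities = FILE:/etc/krb5/pkinit/client.pem,/etc/krb5/pkinit/clientkey.pem
    }

# The same values can be supplied for a single invocation with the kinit -X
# attributes named in the reply, for example:
#   kinit -X X509_anchors=FILE:/etc/krb5/pkinit/cacert.pem \
#         -X X509_user_identity=FILE:/etc/krb5/pkinit/client.pem,/etc/krb5/pkinit/clientkey.pem \
#         user@EXAMPLE.COM
```

With these set, a plain kinit for a principal in the realm attempts PKINIT without any PKINIT-specific calls in the application.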