Hi All,

I have a Windows AD (2008) infrastructure. I created the corresponding krb5.conf, built the Krb source code, and am now able to get a TGT for that user on my Linux machine using kinit. My requirement is to set up PKINIT authentication on the client side (Linux) with AD.

I have two choices:

1. Generate the certificates (as given at http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) and map them to the user account and domain controller. I am not sure if AD would allow a certificate to be mapped to a domain controller.
2. Extract the certificate from the AD certsrv utility. I extracted the CA cert, client key and cert, but what about its interoperability with MIT Kerberos PKINIT, because the extension fields are missing? I don't think Windows has any option where we can add extension fields, as in extensions.client, while generating the certificate.

(How to make use of smart card certificate enrollment here?)

Let me know what could be the best way out for this use case. Any help would be highly appreciated.

Best,
Arpit

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
