This ticket is related to ticket #53.
The KDC should have a cert for the PKINIT to work. Nalin, please provide details about the profile.
That begs the question: what settings will be required?
I didn't intend to leave you hanging; I didn't know we were going there yet. Mainly, the certificate needs to contain a subjectAltName value that includes the Kerberos principal name for the realm's ticket granting service, "krbtgt/REALM@REALM".
I'd also suggest including id-pkinit-KPKdc (1.3.6.1.5.2.3.5) as an EKU value, though that's optional if the subjectAltName is there. The keyUsage should include digitalSignature.
The more verbose description of the requirements the client places on the KDC's certificate is laid out in section 3.2.4 of RFC4556.
The KDC needs to trust the certifier of the client certificates, and of course its own. The pkinit_anchors setting in the kdc.conf file can be used for this. Additionally, the KDC needs access to its own certificate and private key; the pkinit_identity setting is used for this. If the certificate and key are stored in files, then the right parts of kdc.conf might include this:
[realms]
  IPAREALM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  }
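The subjectAltName requirement above, as an added example that is not code from the ticket or from FreeIPA: pure-Python DER for the KRB5PrincipalName otherName (id-pkinit-san, 1.3.6.1.5.2.2) of RFC 4556, plus the check a PKINIT client makes that it names krbtgt/REALM@REALM. The name-type NT-SRV-INST (2) and the sample realm EXAMPLE.COM are assumptions of the example.

```python
# Added example (not from the ticket): build and check the id-pkinit-san otherName
# (OID 1.3.6.1.5.2.2) that RFC 4556 section 3.2.4 requires in the KDC certificate's
# subjectAltName. Pure-Python DER following RFC 4556 section 3.2.2:
#   KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
#   PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # type-id of the otherName carrying the value built below
NT_SRV_INST = 2  # name-type assumed here for krbtgt/REALM; clients match on name-string and realm

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, body):  # one DER tag-length-value
    return bytes([tag]) + _der_len(len(body)) + body
def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def _children(body):  # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def encode_krb5_principal_name(principal, name_type=NT_SRV_INST):
    """'krbtgt/EXAMPLE.COM@EXAMPLE.COM' -> DER KRB5PrincipalName."""
    name, realm = principal.rsplit("@", 1)
    realm_tlv = _tlv(0xA0, _tlv(0x1B, realm.encode("ascii")))  # [0] Realm (GeneralString)
    strings = _tlv(0x30, b"".join(_tlv(0x1B, p.encode("ascii")) for p in name.split("/")))
    pname = _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type]))) + _tlv(0xA1, strings))
    return _tlv(0x30, realm_tlv + _tlv(0xA1, pname))

def decode_krb5_principal_name(der):
    """DER KRB5PrincipalName -> 'name/parts@REALM'; raises on malformed input."""
    tag, body, _ = _read_tlv(der)
    (rtag, rbody), (ptag, pbody) = _children(body)
    if tag != 0x30 or rtag != 0xA0 or ptag != 0xA1:
        raise ValueError("not a KRB5PrincipalName")
    realm = _children(rbody)[0][1].decode("ascii")
    (_, seq), = _children(pbody)  # the inner PrincipalName SEQUENCE
    strings = [v for t, v in _children(seq) if t == 0xA1][0]  # [1] name-string
    parts = [v.decode("ascii") for _, v in _children(_children(strings)[0][1])]
    return "/".join(parts) + "@" + realm

def kdc_san_ok(der, realm):
    """The check a PKINIT client makes: the SAN must name the realm's ticket granting service."""
    return decode_krb5_principal_name(der) == f"krbtgt/{realm}@{realm}"
```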
Apparently certutil does not provide a way to set the subjectAltName extension for Kerberos principal names needed to generate a certificate for the KDC. This makes it difficult to create a self-signed cert for it using our selfsign CA.
Ticket #46 was actually a duplicate of this one; consolidating (by closing #46 as duplicate).
Pushed patches that handle all cases but dogtag. Closing this bug and opening a new one that deals only with dogtag integration.
Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.0 - 2010/11