From 52a46d121bf760f6beca4622ace0a4554a679c3c Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 29 Oct 2010 16:23:21 -0400
Subject: Add support for configuring KDC certs for PKINIT
This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
---
install/share/Makefile.am | 2 ++
install/share/kdc.conf.template | 2 ++
install/share/kdc_extensions.template | 32 ++++++++++++++++++++++++++++++++
install/share/kdc_req.conf.template | 14 ++++++++++++++
4 files changed, 50 insertions(+)
create mode 100644 install/share/kdc_extensions.template
create mode 100644 install/share/kdc_req.conf.template
(limited to 'install/share')
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e4b6ca385..3423ce287 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -24,6 +24,8 @@ app_DATA = \
 	bind.zone.db.template \
 	certmap.conf.template \
 	kdc.conf.template \
+	kdc_extensions.template \
+	kdc_req.conf.template \
 	krb5.conf.template \
 	krb5.ini.template \
 	krb.con.template \
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 4a2cca412..f8e07c77b 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,4 +12,6 @@
   dict_file = /usr/share/dict/words
   default_principal_flags = +preauth
 ;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
+  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
diff --git a/install/share/kdc_extensions.template b/install/share/kdc_extensions.template
new file mode 100644
index 000000000..df992babd
--- /dev/null
+++ b/install/share/kdc_extensions.template
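Review bot: `pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem` names a single file, which, as I read the MIT `FILE:cert[,key]` identity syntax, means kdc.pem must carry the KDC's private key alongside its certificate, and the template says nothing about that or about how the file must be protected. That key is what the KDC uses to sign PKINIT replies, so the installer code that renders this template and writes kdc.pem (outside this diff) should create it owned by the KDC user with mode 0600, and a comment here would keep that requirement visible. I'd add above the new line: `;  kdc.pem holds both the KDC certificate and its private key -- keep it mode 0600`. The `pkinit_anchors` entry pointing at the CA certificate is consistent with the self-signed setup the commit message describes.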
@@ -0,0 +1,32 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+# Also add the KDC fqdn, for good measure.
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:${ENV::HOST_FQDN}
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:${ENV::REALM}
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM}
+
diff --git a/install/share/kdc_req.conf.template b/install/share/kdc_req.conf.template
new file mode 100644
index 000000000..872852079
--- /dev/null
+++ b/install/share/kdc_req.conf.template
@@ -0,0 +1,14 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $PASSWORD
+
+[ req_distinguished_name ]
+$SUBJBASE
+$CERTNAME
+
+[ req_attributes ]
+challengePassword = A challenge password
+
-- cgit
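Review bot: The comment `# Here are some examples of the usage of nsCertType. If it is omitted` above the keyUsage line in `[ kdc_cert ]` is a truncated leftover from the stock openssl.cnf and describes nothing in this section; replace it with `# Key usage for a PKINIT KDC certificate (RFC 4556 requires digitalSignature)`. The keyUsage value itself also grants nonRepudiation, keyEncipherment and keyAgreement, which the KDC does not need for PKINIT since it only signs the reply, so `keyUsage = digitalSignature` would be the least-privilege setting — worth confirming against the PKINIT clients in use before trimming, as some validate KU strictly. Likewise `# Copy subject details` sits above `issuerAltName=issuer:copy`, which copies the issuer's alternative names rather than any subject detail, so `# Copy the issuer's subjectAltName into issuerAltName` would describe what the directive does. The id-pkinit-KPKdc EKU and the krbtgt/REALM otherName SAN match what RFC 4556 expects of a KDC certificate.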
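Review bot: `output_password = $PASSWORD` in `[ req ]` places the private-key passphrase into a config file that is rendered to disk, so whatever installer code expands this template (outside this diff) needs to write it with mode 0600 and remove it once the key and request are generated; a comment in the template stating that, e.g. `# $PASSWORD is the key passphrase: the rendered file must be 0600 and deleted after use`, would keep the requirement from being lost. Separately, with `prompt = no` the `[ req_attributes ]` section is emitted verbatim, so every request will carry the literal attribute `challengePassword = A challenge password`, which is the sample value from the default openssl.cnf rather than anything chosen here. Unless the CA side consumes it, drop `attributes = req_attributes` together with the section, or make the value a substituted variable like the other fields.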