Experimental features:
1. If you want trustedCertifiers to be sent by the client, then set
X509_CA_BUNDLE to a ca-bundle file.
2. If you want to make our KDC act like a draft9 KDC, then modify the
pkinit_src.c file. There is an "#if 0" for "supported_server_pa_types". If you
change "#if 0" to "#if 1", then the KDC will become a draft9-only KDC.
3. If you would like more debugging output, add "-DDEBUG" to CFLAGS and
recompile the code.
4. If you are debugging ASN1 encoding, add "-DDEBUG_ASN1" to CFLAGS and
recompile the code. After running, you'll get DER encoded structures stored
in /tmp. For example, /tmp/client_as_req will contain the DER encoding of the
pkinit part of the AS-REQ.
5. Prior to having config options that manage EKU/SAN/CRL checking, you can
modify pkinit_lib.c and, in function pkinit_lib_init(), set:
    plgctx->require_eku = 1 -- will require presence of EKU in certs
    plgctx->require_san = 1 -- will require presence of SAN in KDC's cert
    plgctx->require_crl_checking = 1 -- will require presence of CRLs to
                                        verify every certificate
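
An added example, not part of the pkinit source: a small DER walker for inspecting the files that a -DDEBUG_ASN1 build writes to /tmp (item 4), rejecting truncated or indefinite-length input. The function names are this example's own, and the sample bytes are constructed, not a real PKINIT message.

```python
"""List every TLV in a DER blob, e.g. a file dumped by a -DDEBUG_ASN1 build."""
import sys

UNIVERSAL = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OID", 0x0C: "UTF8String", 0x10: "SEQUENCE", 0x11: "SET",
             0x17: "UTCTime", 0x18: "GeneralizedTime", 0x1B: "GeneralString"}
CLASSES = ("universal", "application", "context", "private")

def read_tlv(buf, pos, end):
    """Return (tag_class, constructed, tag_number, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated header at offset %d" % pos)
    first, length = buf[pos], buf[pos + 1]
    if first & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled at offset %d" % pos)
    if length == 0x80:
        raise ValueError("indefinite length is not valid DER (offset %d)" % pos)
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if pos + n > end:
            raise ValueError("truncated length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:                 # value must fit inside its parent
        raise ValueError("value runs past the end of its container")
    return first >> 6, bool(first & 0x20), first & 0x1F, pos, pos + length

def walk(buf, pos=0, end=None, depth=0):
    """Return [(depth, offset, label, value_length), ...] for each TLV in buf[pos:end]."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        cls, constructed, num, start, stop = read_tlv(buf, pos, end)
        label = UNIVERSAL.get(num, "universal %d" % num) if cls == 0 else "[%s %d]" % (CLASSES[cls], num)
        out.append((depth, pos, label, stop - start))
        if constructed:                    # descend into SEQUENCE, SET and explicit tags
            out.extend(walk(buf, start, stop, depth + 1))
        pos = stop
    return out

# Constructed sample: SEQUENCE { [0] { INTEGER 5 }, OCTET STRING "abc" }
SAMPLE = bytes.fromhex("300a" "a003020105" "0403616263")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for depth, off, label, length in walk(data):
        print("%5d: %s%s (len %d)" % (off, "  " * depth, label, length))
```

Run it with a dump path as the only argument, for example /tmp/client_as_req; with no argument it prints the constructed sample.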