authorSimo Sorce <ssorce@redhat.com>2010-10-29 16:23:21 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:36 -0500
commit52a46d121bf760f6beca4622ace0a4554a679c3c (patch)
tree550a2bddf9ab3848da9ab33ca73529060b9e4c68 /install/share/kdc_extensions.template
parent74ba0cc7c1bdb9c560324a68c16593755bcda5d8 (diff)
Add support for configuring KDC certs for PKINIT
This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
Diffstat (limited to 'install/share/kdc_extensions.template')
-rw-r--r--install/share/kdc_extensions.template32
1 files changed, 32 insertions, 0 deletions
diff --git a/install/share/kdc_extensions.template b/install/share/kdc_extensions.template
new file mode 100644
index 000000000..df992babd
--- /dev/null
+++ b/install/share/kdc_extensions.template
@@ -0,0 +1,32 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+# Also add the KDC fqdn, for good measure.
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:${ENV::HOST_FQDN}
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:${ENV::REALM}
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM}
+
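Review bot: The `keyUsage` line in the new `[ kdc_cert ]` section asserts nonRepudiation, keyEncipherment and keyAgreement, but as far as RFC 4556 uses the KDC's certificate key it only signs the AS reply (the DH exchange uses ephemeral keys and encryption is to the client's certificate), so the profile should be narrowed to `keyUsage = digitalSignature` rather than granting a KDC key capabilities it never needs. The comment above it, `# Here are some examples of the usage of nsCertType. If it is omitted`, is a truncated fragment of the stock openssl.cnf and describes nothing in this file; replace it with `# RFC 4556: the KDC key is only used for signing, so restrict it to digitalSignature`. Likewise `# Copy subject details` sits above `issuerAltName=issuer:copy`, which copies the issuer's alternative names, not the subject's, and should say so. It would also help to note next to `name_type = EXP:0, INTEGER:1` that 1 is KRB5_NT_PRINCIPAL and that the `krbtgt/REALM` id-pkinit-san built from `[kdc_principals]` is the name RFC 4556 requires clients to match against the KDC certificate.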