Using pktool to create certificates for Kerberos PKINIT

Wyllys recently fixed a couple of bugs (6889730, 6889224, 6887337) in KMF/pktool, which means that pktool can finally be used to generate certificates for Kerberos PKINIT on Solaris. Until now it was necessary to use OpenSSL with an extension file in order to create certificates carrying the PKINIT subjectAltName and extended key usage values. pktool now has this knowledge baked in.

Initialize the keystore. If the softtoken keystore has not been initialized yet, its current passphrase is the default, "changeme".

$ pktool setpin
Enter token passphrase:
Create new passphrase:
Re-enter new passphrase:
Passphrase changed.

Generate ca cert.

$ pktool gencert label=ca subject="CN=ca" serial=0x01

Generate a certificate request for the KDC.

$ pktool gencsr label=kdc outcsr=kdc.csr subject="CN=kdc" \
      altname="KRB=krbtgt/ACME.COM@ACME.COM" \
      keyusage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement \
      eku=KPKdc

Sign the KDC request.

$ pktool signcsr signkey=ca csr=kdc.csr serial=0x02 \
      outcert=kdc.cert issuer="CN=ca"

Generate a certificate request for the client.

$ pktool gencsr label=client outcsr=client.csr \
      subject="CN=client" altname="KRB=client@ACME.COM" \
      keyusage=digitalSignature,keyEncipherment,keyAgreement \
      eku=KPClientAuth

Sign the client request.

$ pktool signcsr signkey=ca csr=client.csr serial=0x03 \
      outcert=client.cert issuer="CN=ca"

Extract the certs/keys into files.

$ pktool export objtype=cert outformat=pem label=ca \
      outfile=ca.cert
$ pktool export objtype=key outformat=pem label=kdc \
      outfile=kdc.key
$ pktool export objtype=key outformat=pem label=client \
      outfile=client.key

For the KDC, make sure that /etc/krb5/kdc.conf points at the certificates and keys. The exported kdc.key and client.key are the long-term credentials of the KDC and the client, so restrict their file permissions and do not leave them under /var/tmp on a production system.

...
[realms]
    ACME.COM = {
        ...
        pkinit_anchors = FILE:/var/tmp/certs/ca.cert
        pkinit_identity = FILE:/var/tmp/certs/kdc.cert,/var/tmp/certs/kdc.key
    }
...

For the client, the equivalent settings can be put in /etc/krb5/krb5.conf or passed directly to kinit:

kinit -X X509_user_identity=FILE:/var/tmp/certs/client.cert,/var/tmp/certs/client.key -X X509_anchors=FILE:/var/tmp/certs/ca.cert client
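The altname="KRB=..." shorthand above is what saves the OpenSSL extension file: pktool encodes the principal as the id-pkinit-san otherName defined in RFC 4556 (OID 1.3.6.1.5.2.2), whose value is a KRB5PrincipalName SEQUENCE of a [0] realm and a [1] PrincipalName (name-type plus name-string components). The following is an added example, not code from the post or from pktool, that builds and decodes that DER structure by hand so you can see exactly what ends up in the certificate. It assumes name-type 1 (NT-PRINCIPAL) for every principal and principal strings with no escaped '@' or '/' characters; the function names are mine.

```python
"""
Build and decode the PKINIT subjectAltName (id-pkinit-san otherName) that
pktool's altname="KRB=<principal>" shorthand stands for (RFC 4556, 3.2.2).
Pure Python, no third-party modules; DER is encoded by hand.

Assumptions (not from the original post): name-type 1 (NT-PRINCIPAL) is used
for every principal, and principal strings contain no escaped '@' or '/'.
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # otherName type-id for KRB5PrincipalName
NT_PRINCIPAL = 1                  # assumed name-type for both KDC and client

# ASN.1 universal tags used below
TAG_INTEGER, TAG_OID, TAG_GENERALSTRING, TAG_SEQUENCE = 0x02, 0x06, 0x1B, 0x30


def ctx(n):
    """Context-specific constructed tag [n] (the EXPLICIT wrappers in the RFC)."""
    return 0xA0 | n


def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER with base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def split_principal(principal):
    """'krbtgt/ACME.COM@ACME.COM' -> (['krbtgt', 'ACME.COM'], 'ACME.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like name[/instance...]@REALM")
    return name.split("/"), realm


def pkinit_san(principal, name_type=NT_PRINCIPAL):
    """DER GeneralName (otherName, [0] IMPLICIT) carrying a KRB5PrincipalName."""
    if not 0 <= name_type < 0x80:
        raise ValueError("name_type outside the single-byte INTEGER range")
    comps, realm = split_principal(principal)

    def kstr(s):  # KerberosString is a GeneralString
        return tlv(TAG_GENERALSTRING, s.encode("ascii"))

    principal_name = tlv(TAG_SEQUENCE,
                         tlv(ctx(0), tlv(TAG_INTEGER, bytes([name_type]))) +
                         tlv(ctx(1), tlv(TAG_SEQUENCE, b"".join(kstr(c) for c in comps))))
    krb5_principal_name = tlv(TAG_SEQUENCE,
                              tlv(ctx(0), kstr(realm)) + tlv(ctx(1), principal_name))
    # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; inside
    # GeneralName it is [0] IMPLICIT, so the SEQUENCE tag becomes 0xA0.
    return tlv(ctx(0), encode_oid(ID_PKINIT_SAN) + tlv(ctx(0), krb5_principal_name))


def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _expect(buf, tag, pos=0):
    t, content, nxt = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return content, nxt


def decode_pkinit_san(der):
    """Inverse of pkinit_san(): returns (principal_string, name_type)."""
    other_name, _ = _expect(der, ctx(0))
    oid, pos = _expect(other_name, TAG_OID)
    if tlv(TAG_OID, oid) != encode_oid(ID_PKINIT_SAN):
        raise ValueError("otherName type-id is not id-pkinit-san")
    value, _ = _expect(other_name, ctx(0), pos)
    kpn, _ = _expect(value, TAG_SEQUENCE)
    realm_wrap, pos = _expect(kpn, ctx(0))
    realm, _ = _expect(realm_wrap, TAG_GENERALSTRING)
    pn_wrap, _ = _expect(kpn, ctx(1), pos)
    pn, _ = _expect(pn_wrap, TAG_SEQUENCE)
    nt_wrap, pos = _expect(pn, ctx(0))
    nt, _ = _expect(nt_wrap, TAG_INTEGER)
    ns_wrap, _ = _expect(pn, ctx(1), pos)
    ns, _ = _expect(ns_wrap, TAG_SEQUENCE)
    comps, pos = [], 0
    while pos < len(ns):
        c, pos = _expect(ns, TAG_GENERALSTRING, pos)
        comps.append(c.decode("ascii"))
    return "/".join(comps) + "@" + realm.decode("ascii"), int.from_bytes(nt, "big", signed=True)


if __name__ == "__main__":
    for p in ("krbtgt/ACME.COM@ACME.COM", "client@ACME.COM"):  # the post's principals
        der = pkinit_san(p)
        print(p, der.hex(), decode_pkinit_san(der))
```

To confirm that the certificates pktool produced really carry these values, dump them with `openssl x509 -in kdc.cert -noout -text` (the EKU should show the PKINIT OIDs 1.3.6.1.5.2.3.5 for the KDC and 1.3.6.1.5.2.3.4 for the client) and walk the subjectAltName with `openssl asn1parse -in kdc.cert`, comparing the nested [0]/[1] structure against the bytes this script emits.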

About

mbp
