chris2511 / xca

X Certificate and Key management
http://xca.hohnstaedt.de

Using XCA with Kerberos PKINIT #195

Closed rtvd closed 5 days ago

rtvd commented 4 years ago

It would be nice to have an ability to use XCA with Kerberos PKINIT. https://k5wiki.kerberos.org/wiki/Pkinit_configuration

This would involve being able to issue certificates for Kerberos KDC and for Kerberos principals.

The issue is that the required attributes are quite fancy. The example OpenSSL configuration looks like this:

[ kdc_cert ]
basicConstraints=CA:FALSE

# Key usage for the KDC certificate
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement

#Pkinit EKU
extendedKeyUsage = 1.3.6.1.5.2.3.5

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Copy subject details

issuerAltName=issuer:copy

# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[ client_cert ]

# These extensions are added when 'ca' signs a request.

basicConstraints=CA:FALSE

keyUsage = digitalSignature, keyEncipherment, keyAgreement

extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

# Copy subject details

issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:${ENV::CLIENT}

KJarek commented 2 months ago

A valid work-around is to go into Advanced -> Edit when creating a new certificate and use the relevant part of the configuration you've posted:

subjectAltName = @subjectAltName_sect

[subjectAltName_sect]
otherName.0 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:REALM
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:username

Adjust REALM and username according to your needs. If you need a certificate for a service, expand the [principals] section like this:

[principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:REALM

Maybe it will be useful for someone :-)
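As an added example (not part of this issue thread or xca's own code), here is a stdlib-only Python encoder/decoder for the KRB5PrincipalName that both configs above produce inside the id-pkinit-san otherName; the realm EXAMPLE.COM and the principal names are constructed sample values. Decoding the otherName value of an issued certificate lets you confirm that the Advanced -> Edit workaround encoded the realm and principal the KDC will actually compare against.

```python
# Added example (not xca's code): a stdlib-only DER encoder/decoder for the
# KRB5PrincipalName carried in the id-pkinit-san otherName (1.3.6.1.5.2.2),
# mirroring the EXP:/SEQUENCE: layout of the OpenSSL config above.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"
KRB_NT_PRINCIPAL = 1  # the name_type the config hard-codes (INTEGER:1)

def _tlv(tag, body):
    """DER tag-length-value, short or long definite-length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _general_string(s): return _tlv(0x1B, s.encode("ascii"))  # GeneralString: (tag 27)
def _explicit(n, body): return _tlv(0xA0 | n, body)  # [n] EXPLICIT, i.e. EXP:n

def encode_krb5_principal_name(realm, name_string, name_type=KRB_NT_PRINCIPAL):
    """SEQUENCE { realm [0] GeneralString, principalName [1] SEQUENCE {
       name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString } }"""
    nt = name_type.to_bytes((name_type.bit_length() + 8) // 8, "big", signed=True)
    names = _tlv(0x30, b"".join(_general_string(n) for n in name_string))
    principal = _tlv(0x30, _explicit(0, _tlv(0x02, nt)) + _explicit(1, names))
    return _tlv(0x30, _explicit(0, _general_string(realm)) + _explicit(1, principal))

def _read(data, pos, want):
    """Read the TLV at pos, enforce its tag, return (body, position after it)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return data[pos:pos + ln], pos + ln

def decode_krb5_principal_name(der):
    """Inverse of encode_*: returns (realm, name_type, [name components])."""
    body, end = _read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_tlv, p = _read(body, 0, 0xA0)
    realm = _read(realm_tlv, 0, 0x1B)[0].decode("ascii")
    principal = _read(_read(body, p, 0xA1)[0], 0, 0x30)[0]
    nt_tlv, p = _read(principal, 0, 0xA0)
    name_type = int.from_bytes(_read(nt_tlv, 0, 0x02)[0], "big", signed=True)
    names_seq, names, p = _read(_read(principal, p, 0xA1)[0], 0, 0x30)[0], [], 0
    while p < len(names_seq):
        component, p = _read(names_seq, p, 0x1B)
        names.append(component.decode("ascii"))
    return realm, name_type, names
```

The bytes you feed to decode_krb5_principal_name are the otherName value itself (the part after the OID), which is what openssl asn1parse shows under the subjectAltName extension.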