Using pktool to create certificates for Kerberos PKINIT
Wyllys recently fixed a few bugs (6889730, 6889224, 6887337) in KMF/pktool, which means that pktool can finally be used to generate certificates for Kerberos PKINIT on Solaris. Until now it was necessary to use OpenSSL with an extension file to get the PKINIT-specific subjectAltName and extended key usage into the certificates; pktool now has this knowledge baked in!
Initialize the keystore. If the softoken keystore hasn't been initialized yet, the token passphrase is still the default "changeme"; enter that at the first prompt and then choose a new one.
$ pktool setpin
Enter token passphrase:
Create new passphrase:
Re-enter new passphrase:
Passphrase changed.
Generate the self-signed CA cert.
$ pktool gencert label=ca subject="CN=ca" serial=0x01
Generate a certificate request for the KDC. The altname puts the realm's krbtgt principal into the subjectAltName, which is what a PKINIT client checks the KDC's certificate against, and eku=KPKdc adds the id-pkinit-KPKdc key purpose.
$ pktool gencsr label=kdc outcsr=kdc.csr subject="CN=kdc" \
altname="KRB=krbtgt/ACME.COM@ACME.COM" \
keyusage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement \
eku=KPKdc
Sign the KDC request.
$ pktool signcsr signkey=ca csr=kdc.csr serial=0x02 \
outcert=kdc.cert issuer="CN=ca"
Generate a certificate request for the client. Here the altname carries the client principal, which the KDC matches against the principal in the AS-REQ, and eku=KPClientAuth adds the id-pkinit-KPClientAuth key purpose.
$ pktool gencsr label=client outcsr=client.csr \
subject="CN=client" altname="KRB=client@ACME.COM" \
keyusage=digitalSignature,keyEncipherment,keyAgreement \
eku=KPClientAuth
Sign the client request.
$ pktool signcsr signkey=ca csr=client.csr serial=0x03 \
outcert=client.cert issuer="CN=ca"
Export the CA cert and the private keys to files (kdc.cert and client.cert were already written by signcsr).
$ pktool export objtype=cert outformat=pem label=ca \
outfile=ca.cert
$ pktool export objtype=key outformat=pem label=kdc \
outfile=kdc.key
$ pktool export objtype=key outformat=pem label=client \
outfile=client.key
For the KDC, make sure that /etc/krb5/kdc.conf points at the certs and keys. /var/tmp is used here only for demonstration; keep the files somewhere permanent, and make kdc.key readable only by root, since it is the key the KDC signs PKINIT replies with.
...
[realms]
ACME.COM = {
...
pkinit_anchors = FILE:/var/tmp/certs/ca.cert
pkinit_identity = FILE:/var/tmp/certs/kdc.cert,/var/tmp/certs/kdc.key
}
...
For the client, the same settings can go into /etc/krb5/krb5.conf or be passed to kinit as -X options:
$ kinit -X X509_user_identity=FILE:/var/tmp/certs/client.cert,/var/tmp/certs/client.key \
    -X X509_anchors=FILE:/var/tmp/certs/ca.cert client
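The two pktool options that matter for PKINIT are altname="KRB=..." (an id-pkinit-san otherName carrying a KRB5PrincipalName, which the KDC matches against the requesting client principal and which kinit matches against krbtgt/REALM@REALM in the KDC's cert) and eku=KPKdc / eku=KPClientAuth (the id-pkinit-KPKdc and id-pkinit-KPClientAuth key purposes). The following Python is an added example, not code from this post or from pktool/KMF: it encodes those two extensions as RFC 4556 lays them out, walks a DER certificate to pull them back out, and reports whether a cert carries the principal and key purpose a given role needs, so kdc.cert and client.cert can be checked before kdc.conf and kinit are pointed at them. The function names, the constructed sample extensions and the use of name-type 2 (NT-SRV-INST) for the krbtgt sample are my choices, not something pktool is documented to do; the check itself does not depend on the name-type.

```python
"""Added example (not from the original post or from pktool/KMF): encode and inspect the two
PKINIT extensions that pktool's altname="KRB=..." and eku= options put in a cert (RFC 4556 3.2.2)."""
import base64
SAN_OID, EKU_OID, PKINIT_SAN_OID = "2.5.29.17", "2.5.29.37", "1.3.6.1.5.2.2"   # SAN, EKU, id-pkinit-san
EKU = {"KPKdc": "1.3.6.1.5.2.3.5", "KPClientAuth": "1.3.6.1.5.2.3.4"}           # id-pkinit-KPKdc / -KPClientAuth

def tlv(tag, body):                                    # DER tag-length-value, short or long form length
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body
def ctx(n, inner): return tlv(0xA0 | n, inner)         # [n] EXPLICIT; Kerberos modules use EXPLICIT TAGS
def kstr(s): return tlv(0x1B, s.encode("ascii"))       # KerberosString ::= GeneralString

def oid(dotted):                                       # arcs in base 128, high bit set on all but the last byte
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc >= 0x80:
            arc >>= 7
            enc.insert(0, 0x80 | (arc & 0x7F))
        body += enc
    return tlv(0x06, bytes(body))

def encode_krb5_principal_name(principal, name_type=1):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName    ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    name, realm = principal.rsplit("@", 1)
    nt = tlv(0x02, name_type.to_bytes(name_type.bit_length() // 8 + 1, "big", signed=True))
    comps = tlv(0x30, b"".join(kstr(c) for c in name.split("/")))
    return tlv(0x30, ctx(0, kstr(realm)) + ctx(1, tlv(0x30, ctx(0, nt) + ctx(1, comps))))

def build_extensions(principal, eku_names, name_type=1):   # constructed sample: a cert's [3] Extensions (SAN + EKU)
    other_name = ctx(0, oid(PKINIT_SAN_OID) + ctx(0, encode_krb5_principal_name(principal, name_type)))
    san = tlv(0x30, oid(SAN_OID) + tlv(0x04, tlv(0x30, other_name)))
    eku = tlv(0x30, oid(EKU_OID) + tlv(0x04, tlv(0x30, b"".join(oid(EKU[n]) for n in eku_names))))
    return ctx(3, tlv(0x30, san + eku))

def children(body):                                    # split a constructed body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length: n & 0x7F bytes follow
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(body):
            raise ValueError("truncated DER")
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def decode_krb5_principal_name(seq_body):              # inverse of encode_krb5_principal_name
    realm_ctx, pn_ctx = children(seq_body)
    realm = children(realm_ctx[1])[0][1].decode("ascii")
    nt_ctx, ns_ctx = children(children(pn_ctx[1])[0][1])
    name_type = int.from_bytes(children(nt_ctx[1])[0][1], "big", signed=True)
    comps = [v.decode("ascii") for _, v in children(children(ns_ctx[1])[0][1])]
    return "/".join(comps) + "@" + realm, name_type

def inspect_der(der):
    """Walk a whole certificate (or just its extensions); collect PKINIT principals and EKU OIDs."""
    found = {"principals": [], "eku": []}
    def walk(body):
        items = children(body)
        if items and items[0][0] == 0x06 and items[-1][0] == 0x04:   # Extension { OID, [critical], OCTET STRING }
            ext_oid = decode_oid(items[0][1])
            if ext_oid in (EKU_OID, SAN_OID):
                for t, v in children(children(items[-1][1])[0][1]):   # SEQUENCE OF KeyPurposeId / GeneralNames
                    if ext_oid == EKU_OID and t == 0x06:
                        found["eku"].append(decode_oid(v))
                    elif ext_oid == SAN_OID and t == 0xA0 and decode_oid(children(v)[0][1]) == PKINIT_SAN_OID:
                        found["principals"].append(decode_krb5_principal_name(children(children(v)[1][1])[0][1]))
                return
        for tag, val in items:
            if tag & 0x20:                                                # constructed type: descend
                walk(val)
    walk(der)
    return found

def check_pkinit_cert(der, expected_principal, role):
    """Problems with using this cert for role 'KPKdc' or 'KPClientAuth'; an empty list means OK."""
    info, problems = inspect_der(der), []
    if expected_principal not in [p for p, _ in info["principals"]]:
        problems.append("no id-pkinit-san for " + expected_principal)
    if EKU[role] not in info["eku"]:
        problems.append("missing EKU %s (%s)" % (role, EKU[role]))
    return problems

def load_cert(path):                                   # PEM (as signcsr/export write it) or raw DER
    data = open(path, "rb").read()
    if data.startswith(b"-----"):
        data = base64.b64decode("".join(l for l in data.decode().splitlines() if not l.startswith("-----")))
    return data

if __name__ == "__main__":                             # constructed sample mirroring the post's KDC request
    kdc = build_extensions("krbtgt/ACME.COM@ACME.COM", ["KPKdc"], name_type=2)   # 2 = NT-SRV-INST (assumption)
    print(inspect_der(kdc), check_pkinit_cert(kdc, "krbtgt/ACME.COM@ACME.COM", "KPKdc"))
```

Run as-is it shows the round trip on the constructed extensions. On the KDC, check_pkinit_cert(load_cert("/var/tmp/certs/kdc.cert"), "krbtgt/ACME.COM@ACME.COM", "KPKdc") returns an empty list if the certificate signed above carries what kinit will look for, and the same call with client.cert, "client@ACME.COM" and "KPClientAuth" checks the client side. The walker only descends into constructed DER types and only parses the SAN and EKU extension bodies; it does not validate the signature or the chain, which remains the job of the KDC and kinit against pkinit_anchors.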