Heimdal's KCA service is built into the KDC. To configure the service you need to give it a CA certificate to sign the requests with and a template certificate. The KDC replaces variables in the Subject DN of the template certificate; currently there is only one variable, ${principal-name}. This will change in the future when I have managed to push more info into the HDB, like the user's real name.
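As an added illustration (this is not Heimdal's code, and it makes no claim about how the KDC implements the step), the Python below shows what the substitution described above amounts to: expanding ${principal-name} into the template's Subject DN. Because the principal name is client-controlled, the example escapes it as an RFC 4514 attribute value so it cannot introduce extra RDNs, and it verifies afterwards that the RDN count of the result matches the template; both the escaping and the count check are the author's assumptions about what a careful implementation would do. The template DN and principal names are taken from, or modelled on, the hxtool output in the post.

```python
import re

# Template Subject DN as printed by hxtool in the post; the KDC replaces the variable.
TEMPLATE = "UID=${principal-name},DC=test,DC=h5l,DC=se"

# Characters that must be escaped inside an attribute value (RFC 4514, section 2.4).
DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}

VAR_RE = re.compile(r"\$\{([A-Za-z0-9-]+)\}")


def escape_dn_value(value: str) -> str:
    """Escape a string so it is a single RFC 4514 attribute value.

    Without this, a principal such as 'evil,CN=admin' would add an RDN to the
    subject when pasted into the template.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%02x" % ord(ch))  # control characters as hex escapes
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> list:
    """Split a DN string on unescaped commas (escape-aware)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def expand_subject(template_dn: str, variables: dict) -> str:
    """Replace ${name} variables in the template DN with escaped values.

    Raises KeyError for a variable the template uses but the caller did not
    supply, and ValueError if the expansion changed the number of RDNs.
    """
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("unknown template variable ${%s}" % name)
        return escape_dn_value(variables[name])

    result = VAR_RE.sub(repl, template_dn)
    if len(split_rdns(result)) != len(split_rdns(template_dn)):
        raise ValueError("expansion altered the RDN structure of the subject")
    return result


if __name__ == "__main__":
    # Constructed sample principals: one ordinary, one containing DN metacharacters.
    for principal in ("lha@TEST.H5L.SE", "evil,CN=admin"):
        print(expand_subject(TEMPLATE, {"principal-name": principal}))
```

The escaped form keeps the whole principal inside the UID attribute, so the issued certificate's subject still has exactly the four RDNs of the template; the count check is cheap defence in depth in case the escaping routine is ever bypassed or changed.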
$ hxtool print FILE:template.pem
cert: 0
private key: yes
issuer: "UID=${principal-name},DC=test,DC=h5l,DC=se"
subject: "UID=${principal-name},DC=test,DC=h5l,DC=se"
serial: 105CB1ACF89E6AFBDC6AF386684B9FEC652E3432
keyusage: keyEncipherment, digitalSignature
Currently there is no client and no documentation; that will change soon.
Talking about manuals, there are now up-to-date (regenerated several times a day) manuals for Heimdal and hx509.
Great update! Adding KCA functionality to the KDC is a fantastic step forward. The ability to generate X.509 certificates directly from Kerberos tickets simplifies integration with PKI systems while maintaining security. It’s great to see Heimdal staying compatible with the original KCA/kx509 protocol. Thanks for sharing!