kca

Now that Heimdal can generate certificates I added KCA functionallity to the KDC. KCA is a service that allows you to convert your Kerberos ticket into a X.509 certificate that have the same lifetime as your ticket, its a Kerberosized CA, hence the name, KCA. The wire-protocol in Heimdal in compatible with the orignal KCA/kx509.

Heimdals KCA service is built into the KDC. To configure the service you need to give it a CA certificate to sign the requests with and a template certificate. The KDC will replace variables in the Subject DN in the template certificate, currently there is only one variable, ${principal-name}. This will change in the future when I manged to push in more info into the HDB, like the users real name.

$ hxtool print FILE:template.pem
cert: 0
private key: yes
issuer:  "UID=${principal-name},DC=test,DC=h5l,DC=se"
subject: "UID=${principal-name},DC=test,DC=h5l,DC=se"
serial: 105CB1ACF89E6AFBDC6AF386684B9FEC652E3432
keyusage: keyEncipherment, digitalSignature

Currently there is no client nor documentation, that will change soon.

Talking about manuals, now there are uptodate (regenerated several times a day) manuals for Heimdal and hx509.