Some facts
The realm name we are going to use is EXAMPLE.ORG, the KDC is named kdc.example.org, and the user is user@EXAMPLE.ORG.
Create the certificates needed
First we create the CA certificate. The created file ca.pem contains both the private key and the certificate; make sure the private key is removed when distributing the certificate to clients and the KDC.
hxtool issue-certificate \
--self-signed \
--issue-ca \
--generate-key=rsa \
--subject="CN=CA,DC=example,DC=org" \
--certificate="FILE:ca.pem"
Then the user's certificate, here we add the PK-INIT options for a
PK-INIT client.
hxtool issue-certificate \
--ca-certificate=FILE:ca.pem \
--generate-key=rsa \
--type="pkinit-client" \
--pk-init-principal="user@EXAMPLE.ORG" \
--subject="cn=user,DC=example,DC=org" \
--certificate="FILE:user.pem"
Last we create the KDC's certificate; here we add the PK-INIT options
for a PK-INIT KDC.
hxtool issue-certificate \
--ca-certificate=FILE:ca.pem \
--generate-key=rsa \
--type="pkinit-kdc" \
--pk-init-principal="krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" \
--subject="cn=kdc,DC=example,DC=org" \
--certificate="FILE:kdc.pem"
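hxtool writes the private key and the certificate into the same PEM file, and the note above says the key must be stripped before ca.pem is handed to clients and the KDC. The following shell snippet is an added example, not part of the original page or of Heimdal: it keeps only the CERTIFICATE blocks of a PEM bundle and refuses to proceed if a private key block is still present in the copy. The bundle it builds is constructed with dummy bodies (no real key material) so the demo runs offline; the file names ca.pem and ca-cert.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or Heimdal): split an hxtool "FILE:" bundle
# so that only the certificate is distributed, and verify nothing else leaked.

# Print only the CERTIFICATE blocks of a PEM bundle; every other block
# (private keys in particular) is dropped.
pem_certs_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
    ' "$1"
}

# Exit status 0 if the file still contains any private key block, 1 otherwise.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print how many CERTIFICATE blocks a file contains (0 if none).
pem_count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Build a constructed bundle (dummy bodies, not real key material) in a temp
# directory, split it into ca-cert.pem, and check the result. Prints the temp
# directory on success so the caller can inspect and remove it.
demo_split() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ca.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKdummykeymaterialnotreal0000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBdummycertificatebodynotreal00000000000000000000000000000000
-----END CERTIFICATE-----
EOF
    pem_certs_only "$dir/ca.pem" > "$dir/ca-cert.pem"
    if pem_has_private_key "$dir/ca-cert.pem"; then
        echo "REFUSE: private key still present in ca-cert.pem" >&2
        rm -rf "$dir"
        return 1
    fi
    echo "$dir"
}
```

Run the same split on the real ca.pem produced by hxtool and distribute ca-cert.pem; the original bundle with the key stays on the CA host only.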
Creating the database
Just for completeness we are including the setup of your KDC here.
kadmin -l -r EXAMPLE.ORG
kadmin> init EXAMPLE.ORG
Let's add our user to the database.
kadmin> add user
kadmin> modify --pkinit-acl=cn=user,DC=example,DC=org --attribute=+requires-pre-auth user
That is all that needs to be done to create the database and set up the user.
Setting up the KDC configuration
All KDC configuration is stored in /etc/krb5.conf (or /var/heimdal/kdc.conf); it should contain this:
[kdc]
enable-pkinit = true
pkinit_identity = FILE:kdc.pem
pkinit_anchors = FILE:ca.pem
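A quick way to confirm that the KDC configuration actually carries the three settings above before starting the daemon. This is an added example, not part of the page or of Heimdal: a small POSIX awk lookup for a krb5.conf-style file plus a check that [kdc] has enable-pkinit = true and FILE: values for pkinit_identity and pkinit_anchors. The same lookup reads the client's [appdefaults] pkinit_anchors. The sample configs it writes are constructed; the file names good.conf and weak.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or Heimdal): verify the PK-INIT settings
# in a krb5.conf / kdc.conf style file.

# Print the value of KEY inside [SECTION], or nothing if it is absent.
# Usage: krb5_get FILE SECTION KEY
krb5_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            insec = (s == sec); next
        }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Exit status 0 when [kdc] is configured for PK-INIT as the page describes,
# 1 otherwise (one diagnostic line per missing setting on stdout).
check_kdc_pkinit() {
    f=$1; rc=0
    [ "$(krb5_get "$f" kdc enable-pkinit)" = "true" ] \
        || { echo "enable-pkinit is not true"; rc=1; }
    case $(krb5_get "$f" kdc pkinit_identity) in
        FILE:*) ;;
        *) echo "pkinit_identity missing or not a FILE: identity"; rc=1 ;;
    esac
    case $(krb5_get "$f" kdc pkinit_anchors) in
        FILE:*) ;;
        *) echo "pkinit_anchors missing or not a FILE: anchor"; rc=1 ;;
    esac
    return $rc
}

# Write two constructed configs into DIR: good.conf matches the page,
# weak.conf lacks enable-pkinit so the KDC would never offer PK-INIT.
write_sample_configs() {
    cat > "$1/good.conf" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.ORG
[kdc]
	enable-pkinit = true
	pkinit_identity = FILE:kdc.pem
	pkinit_anchors = FILE:ca.pem
[appdefaults]
	pkinit_anchors = FILE:ca.pem
EOF
    cat > "$1/weak.conf" <<'EOF'
[kdc]
	pkinit_identity = FILE:kdc.pem
	pkinit_anchors = FILE:ca.pem
EOF
}
```

Run check_kdc_pkinit against the file the KDC really reads (/etc/krb5.conf or /var/heimdal/kdc.conf on this page) and only start the daemon when it returns 0.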
Start the KDC
Start the KDC daemon:
/usr/heimdal/libexec/kdc --detach
Get tickets using PK-INIT
First we need to configure the trust anchors (which certificate authorities to trust) for the client.
[appdefaults]
pkinit_anchors = FILE:ca.pem
Now we can get the ticket.
kinit -C FILE:user.pem user@EXAMPLE.ORG