Friday 9 January 2009

Setting up PK-INIT with Heimdal

Setting up Heimdal with PK-INIT is very easy. Heimdal itself contains all the tools you need for the setup. We assume that you don't have a CA yet, so we create one as part of the setup.

Some facts


The realm name we are going to use is EXAMPLE.ORG, the KDC is named kdc.example.org, and the user is user@EXAMPLE.ORG.

Create the certificates needed


First we create the CA certificate. The created file ca.pem contains both the private key and the certificate; the KDC and the clients only need the certificate as a trust anchor, so make sure the private key is removed from the copy you distribute to them.
hxtool issue-certificate \
--self-signed \
--issue-ca \
--generate-key=rsa \
--subject="CN=CA,DC=example,DC=org" \
--certificate="FILE:ca.pem"

Then the user's certificate; here we add the PK-INIT options for a PK-INIT client (the pkinit-client type and the Kerberos principal name that is embedded in the certificate).

hxtool issue-certificate \
--ca-certificate=FILE:ca.pem \
--generate-key=rsa \
--type="pkinit-client" \
--pk-init-principal="user@EXAMPLE.ORG" \
--subject="cn=user,DC=example,DC=org" \
--certificate="FILE:user.pem"

Last we create the KDC's certificate; here we add the PK-INIT options for a PK-INIT KDC (the pkinit-kdc type and the krbtgt/EXAMPLE.ORG@EXAMPLE.ORG principal name, which clients check to make sure they are talking to the right KDC).

hxtool issue-certificate \
--ca-certificate=FILE:ca.pem \
--generate-key=rsa \
--type="pkinit-kdc" \
--pk-init-principal="krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" \
--subject="cn=kdc,DC=example,DC=org" \
--certificate="FILE:kdc.pem"
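The three hxtool runs above leave the CA's private key in ca.pem next to the certificate. The following script is an added example (not part of the original post or of Heimdal) that splits off a certificate-only copy of the CA for distribution, counts what is left in it, and then checks the issued certificates with hxtool. It assumes ca.pem, user.pem and kdc.pem are in the current directory and that Heimdal's hxtool is on the PATH; the file name ca-cert.pem is my choice.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the hxtool
# issue-certificate commands above have produced ca.pem, user.pem and kdc.pem.
set -eu

# Copy only the CERTIFICATE block(s) of a PEM bundle to stdout and drop any
# PRIVATE KEY block. hxtool writes key and certificate into the same file,
# so this is what you hand to clients and the KDC as the trust anchor.
strip_private_key() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
    ' "$1"
}

# Count PEM blocks of one kind ("CERTIFICATE" or "PRIVATE KEY") in a file, so
# the result of strip_private_key can be checked before it leaves the machine.
# Prints 0 (and succeeds) when there are none.
count_pem_blocks() {
    grep -c -- "-----BEGIN .*$2-----" "$1" || true
}

# Validate an issued certificate against the CA and print its contents, so the
# PK-INIT extensions (extended key usage and the Kerberos principal in the
# subjectAltName) can be checked by eye. Requires Heimdal's hxtool.
check_pkinit_cert() {
    hxtool verify cert:FILE:"$1" anchor:FILE:"$2"
    hxtool print --content FILE:"$1"
}

if [ "${1:-}" = "run" ]; then
    strip_private_key ca.pem > ca-cert.pem
    echo "private key blocks left in ca-cert.pem: $(count_pem_blocks ca-cert.pem 'PRIVATE KEY')"
    check_pkinit_cert user.pem ca-cert.pem
    check_pkinit_cert kdc.pem ca-cert.pem
fi
```

Run it as `sh split-and-check.sh run` after issuing the certificates; the count printed for ca-cert.pem must be 0, and both hxtool verify calls must succeed before ca-cert.pem is copied to the KDC and the clients. The awk filter keys only on the PEM markers, so it is independent of whether hxtool labels the key as "RSA PRIVATE KEY" or "PRIVATE KEY".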

Creating the database


Just for completeness we include the creation of the KDC database here.
kadmin -l -r EXAMPLE.ORG
kadmin> init EXAMPLE.ORG

Let's add our user to the database, allow the subject name of the user's certificate to authenticate as that principal, and require pre-authentication for it.
kadmin> add user
kadmin> modify --pkinit-acl="cn=user,DC=example,DC=org" --attributes=+requires-pre-auth user

That's all that needs to be done to create the database and set up the user.

Setting up the KDC configuration


All KDC configuration is stored in /etc/krb5.conf (or /var/heimdal/kdc.conf); it should contain this:
[kdc]
enable-pkinit = true
pkinit_identity = FILE:kdc.pem
pkinit_anchors = FILE:ca.pem

Start the KDC


Start the KDC daemon in the background:
/usr/heimdal/libexec/kdc --detach

Get tickets using PK-INIT


First we need to configure the trust anchors (which certificate authorities to trust) for the client:
[appdefaults]
pkinit_anchors = FILE:ca.pem

Now we can get a ticket, using the user's certificate and key as the PK-INIT identity:
kinit -C FILE:user.pem user@EXAMPLE.ORG
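The [kdc] and [appdefaults] fragments above are all the PK-INIT specific configuration, but kinit also has to know which realm to use and where the KDC lives. The following krb5.conf is an added example (not from the original post) that puts the pieces together for the KDC host, using the realm and host name from the facts above; a client only needs the [libdefaults], [realms] and [appdefaults] sections. The absolute file paths are assumptions, and pkinit_anchors must point at a copy of the CA certificate without the CA's private key.

```ini
; Added example krb5.conf, not from the original post. Paths are assumptions.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }

; Read by the KDC only (may also live in /var/heimdal/kdc.conf).
; kdc.pem holds the KDC's certificate and private key.
[kdc]
    enable-pkinit = true
    pkinit_identity = FILE:/var/heimdal/kdc.pem
    pkinit_anchors = FILE:/var/heimdal/ca-cert.pem

; Read by kinit on the client; ca-cert.pem is the CA certificate only.
[appdefaults]
    pkinit_anchors = FILE:/etc/krb5/ca-cert.pem
```

After kinit has succeeded, klist shows the krbtgt/EXAMPLE.ORG@EXAMPLE.ORG ticket for user@EXAMPLE.ORG like any password-based login; if kinit fails with an untrusted issuer error, the first thing to check is that the file named by pkinit_anchors on that host really is the CA certificate created above.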