In reading about the MIT PKINIT implementation
http://k5wiki.kerberos.org/wiki/Pkinit_configuration

I had some issues / questions on how to sign a Globus certificate with
the additional extensions without destroying the Globus extensions. I am
using an adjusted version of the myproxy-admin-adduser script to force
some local needs.

...
# generate the user's key and certificate request (the -ca value is elided here)
@args = ("grid-cert-request", "-cn", $opt_c, "-prefix", $prefix, "-dir",
         $tmp_dir_name, "-force", "-ca", "xxxxxxxxx");
push(@args, "-nopassphrase") if ($opt_n);
&runcmd(@args);

#grid-ca-sign

# sign the request, adding the PKINIT extensions from the client_cert
# section of the extfile (CLIENT and REALM are read from the environment)
@args = ("grid-ca-sign", "-in", $reqfile, "-out", $certfile,
         "-force", "-extensions", "client_cert", "-extfile",
         "/afs/pbcell/home/mcoyne/.globus/simpleCA/pkinit_extensions");
if ($opt_p) {
  push(@args, "-passin"); push(@args, $opt_p);
}
...

basically setting the CLIENT and REALM environment variables to the user's
Kerberos id and Kerberos realm and adding the extfile to the options
for grid-ca-sign ..

when I do a grid-cert-info with the Kerberized credential

...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                1.3.6.1.5.2.3.4
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            1.3.6.1.4.1.3536.1.222: critical
                0.0
..+.......
    Signature Algorithm: md5WithRSAEncryption
...
whereas a normal credential shows
...
      X509v3 extensions:
            Proxy Certificate Information: critical
                Path Length Constraint: infinite
                Policy Language: Inherit all
...

Which would appear to have overwritten the proxy extensions with the
Kerberos ones rather than appending them?

What is the correct way to merge these, or is it even possible, to get
MIT's PKINIT to work with Globus credentials?
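For reference, an extfile of the kind the grid-ca-sign call above selects with "-extensions client_cert": this is an added reconstruction following the MIT PKINIT documentation's client certificate template, not the poster's actual pkinit_extensions file. It assumes the REALM and CLIENT environment variables that the script sets.

```ini
# Added example, modelled on the MIT PKINIT docs (not the poster's own file).
# grid-ca-sign selects this section via "-extensions client_cert -extfile <path>".
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
# id-pkinit-KPClientAuth (RFC 4556): the EKU seen in the grid-cert-info output
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
# id-pkinit-san (RFC 4556): binds the certificate to one Kerberos principal
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
# realm taken from the REALM environment variable set by the script
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq

[principal_seq]
# name_type 1 = KRB5_NT_PRINCIPAL
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals

[principals]
# principal taken from the CLIENT environment variable set by the script
princ1=GeneralString:${ENV::CLIENT}
```

When OpenSSL signs with -extfile/-extensions, the selected section replaces the CA configuration's default extension section rather than adding to it, so any extension that must survive signing has to be listed in this same section. Request extensions are likewise only carried over when the CA configuration enables copy_extensions.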

