> My understanding is KX.509 uses a KCA server to generate the X.509
> certificates off of a Kerberos backend. (I'm confident there's
> something at least mildly technically wrong with that statement). Does
> anyone here have experience setting up the KCA server? I'd be most
> thankful to hear any sort of reports on how difficult it was to set up.

We (Fermilab) operate a Kerberos-based single-signon system using an array of MIT-Kerberos-based KDCs (key distribution centers, one Master and multiple slaves to spread the load) as well as trust relations with the Windows Active Domain. I mention this to point out that we make extensive use of Kerberos.

We also operate a pair of KCAs (Kerberos Certificate Authorities). One obtains a Kerberos ticket (kinit) and then uses kx509 to get a certificate based on holding this ticket. We operate a pair of KCAs to spread the load and provide redundancy. Our KCAs are under heavy load due to extensive use of KCA certificates for Grid computing by the CDF experiment (for instance).

Visit our Security web pages at http://security.fnal.gov/ to learn more.

--
= Dr. Frank J. Nagy [Applied Scientist]
= Fermilab Computing Division/Computer Security Team
= [EMAIL PROTECTED] (Alt: [EMAIL PROTECTED] or [EMAIL PROTECTED])
= Web page: http://home.fnal.gov/~nagy/
= Feynman Computing FCC358 630-840-4935 FAX 840-8208
= USnail: Fermilab POB 500 MS/3699 Batavia, IL 60510
= ICBM: 41d 50m 14s N, 88d 15m 48s W, 741 ft ASL

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
