Pkinit provides support for using public-key authentication with Kerberos. Pkinit is useful in the following situations:
- Using smart cards for Kerberos authentication
- Authentication based on soft tokens (or certificates stored on a computer) instead of passwords
- In conjunction with anonymous Kerberos and FAST, to protect password exchanges and remove the possibility of dictionary attacks
This article describes minimal Pkinit configuration for a KDC and clients. It assumes you already have a Kerberos realm functioning and that you have the openssl command available.
The following steps are involved:
- Setting up a certificate authority
- Generating a KDC certificate
- Generating client certificates
- Configuring the KDC and clients
Pkinit requires a public key infrastructure. The simplest use of Pkinit (anonymous Kerberos) requires a certificate authority (CA) certificate and a KDC certificate. The certificate authority certificate is known by all clients; any certificates signed by this certificate are trusted by the clients. The KDC certificate is signed by the certificate authority certificate (and thus trusted by the clients) and identifies the KDC.
If Pkinit is used with smart cards or for other forms of user authentication, then each user will need a certificate as well.
This document discusses how to set up Pkinit for the EXAMPLE.COM realm by hand. This sort of by-hand setup may be appropriate for anonymous usage. However if a realm is going to provide certificates to each client then some sort of automated certificate authority will be required to manage certificates. Configuring an automated certificate authority will depend on what certificate authority is chosen.
In this document we will use OpenSSL to generate a simple self-signed certificate to use for the certificate authority.
First, generate a private key:
openssl genrsa -out cakey.pem 2048
This will generate a 2048-bit RSA key and write it to the file cakey.pem. In a production environment, this private key should be carefully protected. Now, generate the CA certificate:
openssl req -key cakey.pem -new -x509 -out cacert.pem
This command will ask for the name of the CA and output a CA certificate into cacert.pem using the previously generated key.
Generating Kerberos certificates
Kerberos certificates take advantage of two uncommon features of certificates. First, an extended key usage is used to indicate that the certificate should be used with Pkinit. An extended key usage is an object identifier placed in a certificate to indicate what the public key should be used for. Secondly, an otherName form of a subjectAlternativeName is used to describe the Kerberos principal associated with the certificate. An otherName is a way of including types of names in certificates that were not part of the original X.509 architecture. Unfortunately, including these elements in a certificate requires the use of an OpenSSL extensions file. This file provides configuration for the certificate generation process. However, the mechanisms for providing user data such as the name of the realm and the client principal to the otherName component are primitive.
This article includes a sample OpenSSL extensions file; see the Extensions file section. That file uses environment variables to set the client and realm name.
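To make concrete what the extensions file has to produce inside the otherName, here is an added example (not code from the MIT Kerberos page) that builds and decodes the KRB5PrincipalName structure from RFC 4556 (id-pkinit-san, OID 1.3.6.1.5.2.2) using only the Python standard library. It assumes name-type 1 (NT-PRINCIPAL) and DER lengths under 128 bytes; the EXP:n wrappers in OpenSSL's config syntax correspond to the ctx() calls.

```python
# Added example (not from the MIT Kerberos page): build and decode the
# KRB5PrincipalName (RFC 4556) that the extensions file emits as an otherName
# SAN. Standard library only; DER lengths assumed < 128 bytes (short form).
PKINIT_SAN_OID = "1.3.6.1.5.2.2"   # id-pkinit-san
NT_PRINCIPAL = 1                   # name-type assumed for the KDC principal
def tlv(tag, body):                 # DER tag-length-value, short-form length
    assert len(body) < 128, "long-form lengths not handled"
    return bytes([tag, len(body)]) + body

def ctx(n, body):                   # EXPLICIT context tag [n] (EXP:n in OpenSSL)
    return tlv(0xA0 | n, body)
def gstr(s):                        # GeneralString, tag 0x1B
    return tlv(0x1B, s.encode("ascii"))

def oid(dotted):                    # every arc of the OIDs used here is < 128
    a = [int(x) for x in dotted.split(".")]
    return tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))

def krb5_principal_name(realm, *components, name_type=NT_PRINCIPAL):
    # SEQUENCE { realm [0] GeneralString, principalName [1] SEQUENCE {
    #   name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString } }
    principal = tlv(0x30, ctx(0, tlv(0x02, bytes([name_type])))
                    + ctx(1, tlv(0x30, b"".join(gstr(c) for c in components))))
    return tlv(0x30, ctx(0, gstr(realm)) + ctx(1, principal))

def pkinit_other_name(realm, *components):
    # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT KRB5PrincipalName }
    return tlv(0x30, oid(PKINIT_SAN_OID) + ctx(0, krb5_principal_name(realm, *components)))

def read(buf, pos, tag):            # (body, next_pos) of the TLV at pos; tag must match
    if buf[pos] != tag:
        raise ValueError("tag 0x%02x at offset %d, expected 0x%02x" % (buf[pos], pos, tag))
    end = pos + 2 + buf[pos + 1]
    return buf[pos + 2:end], end

def parse_pkinit_other_name(der):
    """Decode an id-pkinit-san OtherName into 'comp1/comp2@REALM'."""
    body, _ = read(der, 0, 0x30)
    type_id, pos = read(body, 0, 0x06)
    if type_id != oid(PKINIT_SAN_OID)[2:]:
        raise ValueError("otherName is not id-pkinit-san")
    kpn, _ = read(read(body, pos, 0xA0)[0], 0, 0x30)
    realm_w, pos = read(kpn, 0, 0xA0)
    realm = read(realm_w, 0, 0x1B)[0].decode("ascii")
    princ, _ = read(read(kpn, pos, 0xA1)[0], 0, 0x30)
    _, pos = read(princ, 0, 0xA0)   # name-type, not needed for the string form
    names, _ = read(read(princ, pos, 0xA1)[0], 0, 0x30)
    parts, pos = [], 0
    while pos < len(names):
        s, pos = read(names, pos, 0x1B)
        parts.append(s.decode("ascii"))
    return "/".join(parts) + "@" + realm
```

The bytes produced by pkinit_other_name can be compared against the value section of the subjectAltName shown by openssl asn1parse on a generated certificate.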
Generating KDC certificate
First, generate the KDC key:
openssl genrsa -out kdckey.pem 2048
Then, generate a certificate request:
openssl req -new -out kdc.req -key kdckey.pem
Enter the KDC name information when prompted. To generate the certificate:
REALM=EXAMPLE.COM; export REALM
CLIENT=krbtgt; export CLIENT
openssl x509 -req -in kdc.req -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out kdc.pem -extfile pkinit_extensions -extensions kdc-cert
This will generate kdc.pem, a certificate for the KDC signed by the CA certificate. The first two lines set environment variables used by the extensions file; the REALM variable should be set to the name of your realm. The -CA and -CAkey options name the CA certificate and key generated above, and -CAcreateserial creates the CA's serial number file if it does not already exist.