
Kerberos for Windows (KfW) Build Environment

From K5Wiki
Revision as of 17:30, 22 April 2026 by Ghudson (talk | contribs)


Directions for producing an environment in which to build Kerberos for Windows version 4.2

  • Install 64-bit Windows 10.
  • Install Visual Studio 2017 Community.
    • Check "Desktop development with C++".
    • Check "MFC and ATL support".
    • After installing, locate the Visual Studio 2017 menu under the start menu, and pin the x64 and x86 Native Tools Command Prompt entries to the task bar for e
  • Install the Chocolatey package manager from https://chocolatey.org/install (by pasting the PowerShell command line into an administrative PowerShell). Install the following packages:
 choco install wixtoolset -y
 choco install strawberryperl -y
 choco install git -y -params '"/GitAndUnixToolsOnPath"'
 choco install emacs -y
 choco install windbg -y
  • Add wix to the path.
    • Search for "environment" and run "Edit the system environment variables".
    • Click "Environment Variables" (button at bottom).
    • Click on WIX, copy the value.
    • Click on Path, click Edit, click New, paste the value and append "\bin".
  • Choose a released version of OpenSSL (called X.Y.Z below) and build it:
 cd %homepath%
 git clone https://github.com/openssl/openssl
 cd openssl
 git checkout openssl-X.Y.Z
 perl Configure
 nmake
 nmake install
 set OPENSSL_DIR=C:\Program Files\OpenSSL
 set OPENSSL_VERSION=X
  • Follow the instructions in src/windows/README to perform a build. NODEBUG can be set in the environment ("set NODEBUG=1") to avoid having to specify it on the nmake command line each time. For MIT-specific builds, also "set MIT_INTERNAL=1" or specify it on the nmake command line when building the installer.
  • To sign an MSI file:
    • Connect a cryptographic token with FIPS support containing a code-signing certificate. If using VMware Workstation, use VM > Removable Devices to pass through the token, disconnecting it from the host.
    • If it is a YubiKey token containing an ECC code-signing certificate, it may be necessary to install the YubiKey Smart Card Minidriver from https://www.yubico.com/support/download/smart-card-drivers-tools/ . Reconnect the YubiKey token after installing.
    • Verify that the certificate is visible to Windows using "certutil -store -user my".
    • Use the command:
 signtool sign /v /d "MIT Kerberos for Windows installer" /a /fd sha256 /tr http://timestamp.comodoca.com /td sha256 kfw.msi
  • To obtain a code-signing certificate (these steps are for a Debian-based Linux system):
    • Obtain a cryptographic token with FIPS support. These notes assume a YubiKey 5 NFC FIPS token.
    • Install the yubikey-manager package.
    • Generate a certificate request and attestation file as follows:
 ykman piv keys generate -a ECCP384 9a publickey
   (return to use default key)
 ykman piv keys attest 9a attest.crt
 ykman piv certificates request -s "MIT Code Signing" 9a publickey csr
   (enter default PIN 123456)
 ykman piv certificates export f9 intermediate.crt
 cat attest.crt intermediate.crt | base64 > attest.b64
    • Send mail to mitcert@mit.edu. They will generate an invitation link to cert-manager.com. When filling out the form, leave the SAN email field blank. Paste the csr file and the attest.b64 file into the form.
    • After issuance, choose the "Certificate (w/ issuer after), PEM" link from the resulting email message.
    • Import the certificate with "ykman piv certificates import 9a cert.pem" (where "cert.pem" is the downloaded file).
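After running the signtool command above, it is worth checking the result before the MSI is published. The following PowerShell script is an added example, not part of this page or of the KfW build tree; it assumes kfw.msi in the current directory and that the signing certificate carries the subject "MIT Code Signing" requested in the CSR step.

```powershell
# Added example (not from the KfW wiki page): post-signing checks on kfw.msi.
# Assumes the signed installer is .\kfw.msi and the release certificate
# subject CN is "MIT Code Signing" (both are assumptions, adjust as needed).
param([string] $MsiPath = ".\kfw.msi",
      [string] $ExpectedSubjectCN = "MIT Code Signing")

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$problems = @()

$sig = Get-AuthenticodeSignature -FilePath $MsiPath

# 1. The signature must match the file hash and chain to a trusted root.
if ($sig.Status -ne 'Valid') {
    $problems += "signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if ($null -eq $cert) {
    $problems += "no signer certificate present (file unsigned?)"
} else {
    # 2. signtool /a auto-selects a certificate; confirm the one it picked
    #    actually has the Code Signing EKU (extension OID 2.5.29.37).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
    if ($ekus -notcontains $CodeSigningEku) {
        $problems += "signer certificate $($cert.Thumbprint) lacks the Code Signing EKU"
    }
    # 3. Confirm it is the release certificate, not a stray personal/test one.
    if ($cert.Subject -notmatch "CN=$([regex]::Escape($ExpectedSubjectCN))") {
        $problems += "signer subject '$($cert.Subject)' is not the expected release certificate"
    }
}

# 4. Without the RFC 3161 timestamp (/tr above) the signature stops validating
#    once the certificate expires, so its presence is checked explicitly.
if ($null -eq $sig.TimeStamperCertificate) {
    $problems += "signature carries no timestamp"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $MsiPath signed by '$($cert.Subject)', timestamped by '$($sig.TimeStamperCertificate.Subject)'"
    exit 0
}
$problems | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

The same verdict on the chain and timestamp can be obtained from the SDK side with "signtool verify /pa /v kfw.msi"; the script adds the EKU and subject checks that signtool's auto-selection does not enforce.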

See also https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey.

More general KfW release engineering information at Kerberos for Windows Release Engineering.