Keeping our own certificates up to date on the various types of clients is messy enough that we gave up on that.
The only thing we would actually use it for is kinit -n, to bootstrap kinit for OTP. While kinit -n would be the most elegant way to do it, we have several other approaches. Documentation seems to say that if pkinit_eku_checking is set to kpServerAuth, we don't need the extension. I've found that kinit -n actually does work when the client sets this. However I have to install the certificates manually on the KDC, since the command won't do it. ________________________________ From: Fraser Tweedale <[email protected]> Sent: Sunday, June 19, 2022 11:34 PM To: Charles Hedrick <[email protected]>; Rob Crittenden via FreeIPA-users <[email protected]> Cc: Rob Crittenden <[email protected]> Subject: Re: [Freeipa-users] Re: ipa-server-certinstall -k On Wed, Jun 15, 2022 at 04:23:30PM -0400, Rob Crittenden via FreeIPA-users wrote: > Charles Hedrick via FreeIPA-users wrote: > > the error is > > > > The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC > > A PKINIT certificate needs an EKU extension, > https://datatracker.ietf.org/doc/html/rfc4556 > > When generating the key with OpenSSL you need to include "-extensions > kdc_cert" > It's unlikely that publicly trusted CAs will issue certs with id-pkinit-KPKdc in EKU. CABForum Baseline Requirements[1] 7.1.2.3(f) says: Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present. [1]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf Charles, you might need to use a certificate issued directly by the IPA CA for your KDC, or else do without PKINIT. Thanks, Fraser > > > > > > > ------------------------------------------------------------------------ > > *From:* Charles Hedrick via FreeIPA-users > > <[email protected]> > > *Sent:* Wednesday, June 15, 2022 3:39 PM > > *To:* [email protected] > > <[email protected]> > > *Cc:* Charles Hedrick <[email protected]> > > *Subject:* [Freeipa-users] ipa-server-certinstall -k > > > > ipa-server-certinstall works fine for http and ldap. But I can't get the > > -k option to work. > > > > I've tried cert.pem and privkey.pem with and without chain.pem, as well > > as fullchain.pem and privkey.pem (fullchain has both the cert and the > > chain). > > > > The certs were issued by Internet2, which chains up to addtrust. > > > > kinit -n works fine if I install the pem files manually, so presumably > > my files are valid. > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > > Do not reply to spam on the list, report it: > > https://pagure.io/fedora-infrastructure > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
