06 jun 2014 greetings,
>> as you can see, the expected kdc extensions appeared in the output
>> certificate, but they contained no data or invalid data.

>Are you judging that by the following output?

>> X509v3 Subject Alternative Name:
>> othername:<unsupported>

>I see the same thing in test KDC certificates. It just means that
>OpenSSL doesn't know how to display that type of SAN.

oh. considering all the specs in the extensions file, i expected to see the text version of my realm name and/or principal name. it threw me when i saw <EMPTY> and <unsupported> for the X509v3 Issuer Alternative Name and X509v3 Subject Alternative Name.

thank you for the data. i'll try to create and use certificates, and see how krb5 reacts to them in use.

>> pkinit_mapping_file
>>
>> Specifies the name of the ACL pkinit mapping file. This file
>> maps principals to the certificates that they can use.

>As it turns out, there is no mapping file support. All the code does is
>read the filename into a structure field and ignore it. I've submitted
>a pull request to eliminate the skeleton of this feature so it doesn't
>confuse anyone else.

*rofl'ing* trust me to try to use a feature nobody else wanted. i thought it might be a fallback solution to my issue with principal recognition, especially if i somehow garbled my openssl certificates.

if i remember correctly, i may be back with additional data and issues with krb5 and pkinit, but i need to recheck my tests.

thank you for your time and assistance.

frank smith
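The `othername:<unsupported>` line discussed in this thread only reflects what OpenSSL's text printer can render; the SAN bytes can still be checked by decoding them directly. The following is an added example, not part of the thread or of krb5: a minimal DER walker that extracts the realm and principal from an id-pkinit-san (OID 1.3.6.1.5.2.2, RFC 4556) otherName. The function names, the `EXAMPLE.COM` realm and the sample bytes are constructed for illustration.

```python
ID_PKINIT_SAN = bytes.fromhex("2b0601050202")  # DER body of OID 1.3.6.1.5.2.2

def tlv(tag, body):
    """Encode one DER element (short-form length only; enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the body of a constructed element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def build_san(realm, components, name_type=2):
    """Constructed sample: a SAN extension value holding one KRB5PrincipalName."""
    names = b"".join(tlv(0x1B, c.encode()) for c in components)  # GeneralString
    pname = tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type]))) + tlv(0xA1, tlv(0x30, names)))
    krb = tlv(0x30, tlv(0xA0, tlv(0x1B, realm.encode())) + tlv(0xA1, pname))
    return tlv(0x30, tlv(0xA0, tlv(0x06, ID_PKINIT_SAN) + tlv(0xA0, krb)))

def pkinit_principals(san_der):
    """Return 'comp/comp@REALM' for each id-pkinit-san otherName in a SAN value."""
    found = []
    for tag, gn in children(read(san_der)[1]):  # GeneralNames ::= SEQUENCE OF
        # 0xA0 is the otherName choice; other name forms (dNSName etc.) are skipped
        if tag != 0xA0 or children(gn)[0][1] != ID_PKINIT_SAN:
            continue
        wrapped = children(gn)[1][1]  # [0] EXPLICIT wrapper around the value
        (_, realm_w), (_, pname_w) = children(read(wrapped)[1])
        (_, _name_type), (_, nstr_w) = children(read(pname_w)[1])
        comps = [v.decode() for _, v in children(read(nstr_w)[1])]
        found.append("/".join(comps) + "@" + read(realm_w)[1].decode())
    return found

if __name__ == "__main__":
    print(pkinit_principals(build_san("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])))
```

An empty result for a certificate's SAN bytes means no PKINIT principal name is present, independent of how OpenSSL prints the extension.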
