Heimdal

January 10, 2009

Setting up PK-INIT with Heimdal

Filed under: Heimdal — lha @ 5:51 am

Setting up Heimdal with PK-INIT is very easy. Heimdal by itself contains all the tools needed to do the setup. We assume that you don’t have a CA when we do the setup.

Some facts

The realm name we are going to use is EXAMPLE.ORG, the KDC is named kdc.example.org, and the user is user@EXAMPLE.ORG.

Create the certificates needed

First we create the CA certificate. The created file ca.pem contains both the private key and the certificate; you should make sure the private key is removed when distributing the certificate to clients and the KDC.

hxtool issue-certificate \
          --self-signed \
          --issue-ca \
          --generate-key=rsa \
          --subject="CN=CA,DC=example,DC=org" \
          --certificate="FILE:ca.pem"

Then the user’s certificate; here we add the PK-INIT options for a PK-INIT client.

hxtool issue-certificate \
          --ca-certificate=FILE:ca.pem \
          --generate-key=rsa \
          --type="pkinit-client" \
          --pk-init-principal="user@EXAMPLE.ORG" \
          --subject="cn=user,DC=example,DC=org" \
          --certificate="FILE:user.pem"

Last we create the KDC’s certificate; here we add the PK-INIT options for a PK-INIT KDC.

hxtool issue-certificate \
          --ca-certificate=FILE:ca.pem \
          --generate-key=rsa \
          --type="pkinit-kdc" \
          --pk-init-principal="krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" \
          --subject="cn=kdc,DC=example,DC=org" \
          --certificate="FILE:kdc.pem"

Creating the database

Just for completeness we are including the setup of your KDC here.

kadmin -l -r EXAMPLE.ORG
kadmin> init EXAMPLE.ORG

Let’s add our user to the database.

kadmin> add user
kadmin> modify --pkinit-acl=cn=user,DC=example,DC=org --attribute=+requires-pre-auth user

That is all that needs to be done to create the database and set up the user.

Setting up the KDC configuration

All KDC configuration is stored in /etc/krb5.conf (or /var/heimdal/kdc.conf); it should contain this:

[kdc]
	enable-pkinit = true
	pkinit_identity = FILE:kdc.pem
	pkinit_anchors = FILE:ca.pem

Start the KDC

Now start the KDC.

/usr/heimdal/libexec/kdc --detach

Get tickets using PK-INIT

First we need to configure the trust anchors (which certificate authorities to trust) for the client.

[appdefaults]
	pkinit_anchors = FILE:ca.pem

Now we can get the ticket.

kinit -C FILE:user.pem user@EXAMPLE.ORG
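The setup above has several values that must agree with each other: the realm in the user and krbtgt principals, the pkinit-acl subject on the user entry versus the subject of the client certificate, and the [kdc] and [appdefaults] settings. A typo in any one of them (a principal in the wrong realm, a DN that does not match the certificate) only shows up later as a failed kinit. The following is an added Python check that is not part of the post and not Heimdal code; the function names, the minimal krb5.conf parser (flat key = value sections only, no nested { } relations) and the DN normalization rules (attribute types compared case-insensitively, whitespace ignored, values kept as-is) are my own assumptions, and the sample inputs are constructed from the values used in the post.

```python
"""Consistency checks for a Heimdal PK-INIT setup.

Added example, not code from the post or from Heimdal.  It checks the
pieces of the setup against each other before any daemon is started.
Assumptions: the config parser handles only the flat "key = value"
sections shown in the post, and DNs are simple (no escaped commas).
"""
import re

# Constructed sample inputs mirroring the post.
REALM = "EXAMPLE.ORG"
KDC_CONF = """[kdc]
\tenable-pkinit = true
\tpkinit_identity = FILE:kdc.pem
\tpkinit_anchors = FILE:ca.pem
"""
CLIENT_CONF = """[appdefaults]
\tpkinit_anchors = FILE:ca.pem
"""


def parse_krb5_conf(text):
    """Parse flat [section] / key = value lines into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line outside a section: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return sections


def normalize_dn(dn):
    """Canonical form of a simple DN for comparison.

    Attribute types are lower-cased (cn == CN) and surrounding whitespace
    is dropped; attribute values are kept as written (assumption).
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), value.strip()))
    return ",".join(parts)


def split_principal(principal):
    """Return (name, realm) for 'name@REALM'; name may contain '/'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    return name, realm


def check_pkinit_setup(realm, user_principal, kdc_principal,
                       client_cert_subject, pkinit_acl,
                       kdc_conf_text, client_conf_text):
    """Return a list of problems found; an empty list means consistent."""
    problems = []

    # Realm consistency: a principal in another realm sends kinit to a KDC
    # that does not exist rather than to the one configured here.
    _, user_realm = split_principal(user_principal)
    if user_realm != realm:
        problems.append("user principal realm %s != KDC realm %s"
                        % (user_realm, realm))
    kdc_name, kdc_realm = split_principal(kdc_principal)
    if kdc_realm != realm or kdc_name != "krbtgt/" + realm:
        problems.append("KDC certificate principal should be krbtgt/%s@%s"
                        % (realm, realm))

    # The pkinit-acl on the user entry must name the client certificate's
    # subject, otherwise the KDC will not map the certificate to the user.
    if normalize_dn(pkinit_acl) != normalize_dn(client_cert_subject):
        problems.append("pkinit-acl %r does not match client cert subject %r"
                        % (pkinit_acl, client_cert_subject))

    # KDC side: PK-INIT enabled, with its own identity and the trust anchor.
    kdc = parse_krb5_conf(kdc_conf_text).get("kdc", {})
    if kdc.get("enable-pkinit", "").lower() != "true":
        problems.append("[kdc] enable-pkinit is not true")
    for key in ("pkinit_identity", "pkinit_anchors"):
        if not kdc.get(key):
            problems.append("[kdc] %s is missing" % key)

    # Client side: anchors so the client can verify the KDC's certificate.
    client = parse_krb5_conf(client_conf_text).get("appdefaults", {})
    if not client.get("pkinit_anchors"):
        problems.append("[appdefaults] pkinit_anchors missing on the client")

    return problems


if __name__ == "__main__":
    found = check_pkinit_setup(REALM, "user@" + REALM,
                               "krbtgt/%s@%s" % (REALM, REALM),
                               "cn=user,DC=example,DC=org",
                               "cn=user,DC=example,DC=org",
                               KDC_CONF, CLIENT_CONF)
    print("problems:", found or "none")
```

Run it with the values you intend to feed to hxtool, kadmin and the config files; every reported problem is one that would otherwise only surface as a failed kinit after the KDC is running.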
