Lines Matching +full:non +full:- +full:secure +full:- +full:otp
6 <meta charset="utf-8" />
7 …<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" con…
13 …<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"><…
21 <link rel="next" title="OTP Preauthentication" href="otp.html" />
22 <link rel="prev" title="Backups of secure hosts" href="backup_host.html" />
24 <div class="header-wrapper">
34 <a href="backup_host.html" title="Backups of secure hosts"
36 <a href="otp.html" title="OTP Preauthentication"
42 <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT configuration">feedback</a>
47 <div class="content-wrapper">
55 <section id="pkinit-configuration">
56 <span id="pkinit"></span><h1>PKINIT configuration<a class="headerlink" href="#pkinit-configuration"…
62 <section id="creating-certificates">
63 <h2>Creating certificates<a class="headerlink" href="#creating-certificates" title="Permalink to th…
74 <section id="generating-a-certificate-authority-certificate">
75 …ate authority certificate<a class="headerlink" href="#generating-a-certificate-authority-certifica…
78 …hlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span…
79 …-</span><span class="n">key</span> <span class="n">cakey</span><span class="o">.</span><span class…
85 <code class="docutils literal notranslate"><span class="pre">-days</span></code>. Since the CA cer…
90 cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which
96 <section id="generating-a-kdc-certificate">
97 <h3>Generating a KDC certificate<a class="headerlink" href="#generating-a-kdc-certificate" title="P…
101 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[kdc_cert]
125 …hlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span…
126 …-</span><span class="n">new</span> <span class="o">-</span><span class="n">out</span> <span class=…
127 …span> <span class="n">x509</span> <span class="o">-</span><span class="n">req</span> <span class="…
128 …-</span><span class="n">CAkey</span> <span class="n">cakey</span><span class="o">.</span><span cla…
129 …-</span><span class="n">extfile</span> <span class="n">extensions</span><span class="o">.</span><s…
136 …e number after <code class="docutils literal notranslate"><span class="pre">-days</span></code>. …
142 … class="pre">openssl</span> <span class="pre">x509</span> <span class="pre">-in</span> <span class…
143 <span class="pre">-text</span> <span class="pre">-noout</span></code>, OpenSSL will not know how to…
148 <section id="generating-client-certificates">
149 <h3>Generating client certificates<a class="headerlink" href="#generating-client-certificates" titl…
152 single-component principal name, you will need an extensions file
154 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[client_cert]
177 …hlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span…
178 …-</span><span class="n">new</span> <span class="o">-</span><span class="n">key</span> <span class=…
180 …-</span><span class="n">CAkey</span> <span class="n">cakey</span><span class="o">.</span><span cla…
181 …<span class="o">-</span><span class="n">extensions</span> <span class="n">client_cert</span> <span…
182 …<span class="o">-</span><span class="n">days</span> <span class="mi">365</span> <span class="o">-<…
193 changing the number after <code class="docutils literal notranslate"><span class="pre">-days</span>…
206 multi-component principal name.) For a two-component principal, the
208 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[principals]
217 <section id="configuring-the-kdc">
218 <h2>Configuring the KDC<a class="headerlink" href="#configuring-the-kdc" title="Permalink to this h…
221 …class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kd…
222 …td std-ref">[kdcdefaults]</span></a> section or in a <a class="reference internal" href="conf_file…
224 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
231 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
236 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
239 …s="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5…
241 <p>The principal entry for each PKINIT-using client must be configured to
243 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
246 <p>Starting with release 1.12, it is possible to remove the long-term
248 and help to clarify some PKINIT-related error conditions by not asking
250 …-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span…
255 …-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span…
265 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
269 …ass="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">kr…
270 use of non-PKINIT client certificates, it will also be necessary to
273 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p"…
278 <section id="configuring-the-clients">
279 <h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink t…
283 …ass="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">kr…
284 …rence internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span><…
285 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
292 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
298 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
311 …-conf-5"><span class="std std-ref">krb5.conf</span></a> file in the appropriate <a class="referenc…
313 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
319 <section id="anonymous-pkinit">
320 <span id="id1"></span><h2>Anonymous PKINIT<a class="headerlink" href="#anonymous-pkinit" title="Per…
337 …-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span…
347 …class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[r…
348 <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">…
349 …docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-n</span></code>, or
350 <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-n</spa…
353 <section id="freshness-tokens">
354 <h2>Freshness tokens<a class="headerlink" href="#freshness-tokens" title="Permalink to this headlin…
364 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n"…
371 …-realms"><span class="std std-ref">[realms]</span></a> subsection of the KDC’s <a class="reference…
372 …utils literal notranslate"><span class="pre">kinit</span> <span class="pre">-X</span> <span class=…
459 <div class="footer-wrapper">
462 © <a href="../copyright.html">Copyright</a> 1985-2024, MIT.