directory-dev mailing list archives

From "Zheng, Kai" <>
Subject RE: PKINIT client support
Date Tue, 23 Feb 2016 02:12:49 GMT
I thought Jiajia could elaborate a bit on what exactly the gaps are to fill for full
PKINIT support.


-----Original Message-----
From: Zheng, Kai [] 
Sent: Tuesday, February 23, 2016 9:04 AM
To: Apache Directory Developers List <>;
Subject: RE: PKINIT client support

Hi Lloyd,

Thanks for the interest and for trying it! Unfortunately, right now only Anonymous PKINIT is done.
The RSA case is still ongoing, but I believe it is quite close to completion.
The community is busy with other things of higher priority like the RC2 release, GSSAPI support
and kadmin-remote support, and very probably we'll be back to completing PKINIT after
some time. Please let us know if this sounds good for your case or not, and stay tuned. Thanks.


-----Original Message-----
From: Lloyd Evans [] 
Sent: Tuesday, February 23, 2016 8:56 AM
To: Apache Directory Developers List <>
Subject: PKINIT client support

Hi All,

I was hoping to use the client API in Kerby to write some Java code that will connect to an
MIT Kerberos server using PKINIT — specifically, I have a user certificate and key, and
want to obtain first a TGT, and then a service ticket. I have tried the following (using
Kerby from the ‘trunk’ branch):

	import java.security.PrivateKey;
	import java.security.cert.Certificate;

	import org.apache.kerby.KOptions;
	import org.apache.kerby.kerberos.kerb.client.KrbClient;
	import org.apache.kerby.kerberos.kerb.client.KrbOption;
	import org.apache.kerby.kerberos.kerb.client.PkinitOption;
	import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;

	// principal, pemFile, keyFile and the readCertificateFile/readPrivateKeyFile/pathTo
	// helpers are defined elsewhere (not shown)
	KrbClient client = new KrbClient();
	client.init(); // the client must be initialised before any request is sent

	KOptions requestOptions = new KOptions();
	requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);

	// useLoadedObjects is a hypothetical switch between the two approaches tried;
	// the condition of the original if-statement was omitted from the snippet
	if (useLoadedObjects) {
		// cert and key load ok (are not null), but seem to be ignored
		Certificate certificate = readCertificateFile(pemFile);
		requestOptions.add(PkinitOption.X509_CERTIFICATE, certificate);

		PrivateKey privateKey = readPrivateKeyFile(keyFile);
		requestOptions.add(PkinitOption.X509_PRIVATE_KEY, privateKey);
	} else {
		// identity string set to "/path/to/pem,/path/to/pkcs8key"
		requestOptions.add(PkinitOption.X509_IDENTITY, pathTo(pemFile) + "," + pathTo(keyFile));
	}

	TgtTicket tgt = client.requestTgt(requestOptions);

but the server keeps complaining that “received_cert is null”, which I assume means the
user cert is not being included in the request. Can anyone tell me whether (1) what I want
to do isn’t really implemented yet, or (2) I am missing something?

 - Lloyd
