    # Generate req for client
    $ pktool gencsr label=client outcsr=client.csr subject="CN=client" altname="KRB= xxxxx@xxxxx.COM" keyusage=digitalSignature,keyEncipherment,keyAgreement eku=KPClientAuth

    # Sign req for client
    $ pktool signcsr signkey=ca csr=client.csr serial=0x03 outcert=client.cert issuer="CN=ca"

    ## Extract the certs/keys into files
    $ pktool export objtype=cert outformat=pem label=ca outfile=ca.cert
    $ pktool export objtype=key outformat=pem label=client outfile=client.key

The pkinit plugin (which uses openssl to read the certs) complains it can't find any SANs. If I look at client.cert using openssl I see the following:

    ...
    X509v3 Subject Alternative Name:
    0...0...+.....0..ACME.COM.client
    ...

If I generate the client cert using openssl as follows:

    $ openssl req -new -newkey rsa:1024 -keyout client.key -out client.req
    $ CLIENT=client REALM=ACME.COM openssl x509 -CAkey ca.key -CA ca.cert -CAserial ca.srl -CAcreateserial -req -in client.req -out client.cert -extfile extensions_pkinit.txt -extensions client_cert

and dump the certificate I see this:

    ...
    X509v3 Subject Alternative Name:
    othername:<unsupported>
    ...

I've attached extensions_pkinit.txt.
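Added example, not part of the original post and not code from pktool or the pkinit plugin: a small DER walker that checks whether a subjectAltName value carries a PKINIT otherName (type-id 1.3.6.1.5.2.2, KRB5PrincipalName per RFC 4556) laid out as `[0] { OID, [0] { KRB5PrincipalName } }`. The sample byte strings are constructed for illustration, not extracted from the certificates above, and the malformed variant is one assumed failure mode; all function names are hypothetical.

```python
PKINIT_SAN_OID = bytes.fromhex("2b0601050202")  # 1.3.6.1.5.2.2, id-pkinit-san (RFC 4556)
def tlv(buf, off=0):
    """Return (tag, value, next_offset) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = tlv(value, off)
        out.append((tag, val))
    return out

def unwrap(pair, tag, what):
    """Check that an element carries the expected tag, then return its children."""
    if pair[0] != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02x}, found 0x{pair[0]:02x}")
    return children(pair[1])

def pkinit_principals(san_der):
    """List 'name@REALM' for every id-pkinit-san otherName in a SAN extension value."""
    found = []
    general_names = unwrap(tlv(san_der)[:2], 0x30, "GeneralNames")
    for kids in (children(v) for t, v in general_names if t == 0xA0):  # otherName is [0]
        if not kids or kids[0][0] != 0x06:  # [0] is IMPLICIT: the type-id OID comes first
            raise ValueError("otherName does not start with a type-id OID")
        if kids[0][1] == PKINIT_SAN_OID:
            kpn = unwrap(unwrap(kids[1], 0xA0, "value")[0], 0x30, "KRB5PrincipalName")
            realm = unwrap(kpn[0], 0xA0, "realm")[0][1].decode()
            pname = unwrap(unwrap(kpn[1], 0xA1, "principalName")[0], 0x30, "PrincipalName")
            parts = unwrap(unwrap(pname[1], 0xA1, "name-string")[0], 0x30, "name-string")
            found.append("/".join(v.decode() for _, v in parts) + "@" + realm)
    return found

def der(tag, *parts):  # short-form encoder, used only to build the constructed samples
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

KPN = der(0x30, der(0xA0, der(0x1B, b"ACME.COM")),               # realm
          der(0xA1, der(0x30, der(0xA0, der(0x02, b"\x01")),     # name-type 1
                              der(0xA1, der(0x30, der(0x1B, b"client"))))))
OTHER = der(0x06, PKINIT_SAN_OID) + der(0xA0, KPN)
GOOD_SAN = der(0x30, der(0xA0, OTHER))            # constructed, well-formed
BAD_SAN = der(0x30, der(0xA0, der(0x30, OTHER)))  # constructed, extra SEQUENCE inside [0]
```

To inspect a real certificate, pass `pkinit_principals` the raw contents of the subjectAltName extension, that is, the bytes inside its OCTET STRING.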