RHEL IdM PKINIT KDC certificate and extensions

Solution Unverified - Updated

Environment

RHEL and IdM / IPA

Issue

What are the extensions and OIDs needed to create a valid "RHEL IdM / IPA" PKINIT KDC certificate?

Resolution

An IPA KDC PKINIT certificate should ideally contain the following 7 extensions, listed after the subject DN, validity dates, subject public key algorithm and key size, and signature algorithm:

- must have: subject DN in the form of CN=fqdn,$SUBJECT_BASE or CN=[^,]+,.+ , example:
    Subject: CN=ipaserver1.idm.example.test,O=IDM.EXAMPLE.TEST

- Validity dates: for example 2 years

- Subject public key algorithm and key size, for example RSA 2Kbits

- Signature algorithm, for example RSA-SHA256

extensions list with OIDs:

- optional but recommended: Certificate Authority Key Identifier, with a key ID of the issuer, not critical

- optional but recommended: Certificate Subject Key ID, with a key ID, not critical

- must have: Certificate Key Usage, critical
    A keyUsage extension which includes the digitalSignature usage. DigitalSignature is required if keyUsage is present.
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

- must have: Extended Key Usage / EKU , not critical
    id-kp-serverAuth with OID 1.3.6.1.5.5.7.3.1 for "TLS Web Server Authentication Certificate"
    id-pkinit-KPKdc / keyPurposeKdc / Signing KDC Response , with OID 1.3.6.1.5.2.3.5

- must have: Certificate Subject Alt Name / SAN / OID 2.5.29.17 , not critical
    should contain:
      - a Kerberos principalname / id-pkinit-san / OID 1.3.6.1.5.2.2 for the SAN value, with the 3 components of the KRB5Principal encoded separately 
      - a SAN value that relates to the OID 1.3.6.1.4.1.311.20.2.3 / User Principal Name / UPN , contains the Kerberos principalname or KRB5Principal
        Other Name: "krbtgt/IDM.EXAMPLE.TEST@IDM.EXAMPLE.TEST"

- optional but recommended: Authority Information Access / AIA , not critical
            Method: PKIX Online Certificate Status Protocol / OID 1.3.6.1.5.5.7.48.1 / id-pkix-ocsp / id-ad-ocsp
            Location: URI: "http://ipa-ca.idm.example.test/ca/ocsp"

- optional but recommended: CRL Distribution Points, not critical
    Distribution point:
      URI: "http://ipa-ca.idm.example.test/ipa/crl/MasterCRL.bin"
      CRL issuer: 
        Directory Name: "CN=Certificate Authority,O=ipaca"

Root Cause

Need to detail all the extensions and OIDs needed to create a valid "RHEL IdM / IPA" PKINIT KDC certificate.

Diagnostic Steps

List OIDs references, run certutil to interpret certificate information, dumpasn1 to show OIDs of existing IPA certificate, review PKI enrollment profile for PKINIT certificates:

Short OID Reference with comments:

- 2.5.29.17 / Subject alternative name / SAN / subjectAltName extension / RFC 5280

- 1.3.6.1.5.2.2 / id-pkinit-san / RFC 4556
  - The subjectAltName extension field can hold otherName values tagged by OIDs.
    This OID is used to mark a subjectAltName value which is a structured representation of a Kerberos principal name, and is what clients and servers which comply with RFC 4556 will typically expect to be present.
  - In this structured form, the principal name includes the principal's name type, which is typically KRB_NT_PRINCIPAL(1) or KRB_NT_UNKNOWN(0). In practice, Unix-based clients ignore the name type.
    This is the realm's ticket granting service's principal name "krbtgt/REALM@REALM" as an id-pkinit-san SAN value, for Linux clients and KDCs.

- 1.3.6.1.4.1.311.20.2.3 / User Principal Name / UPN / Microsoft NT Principal Name / id-ms-san-sc-logon-upn / RFC 4556
  - The subjectAltName / SAN extension field can hold otherName values tagged by OIDs.
    This OID is used to mark a subjectAltName value which is a UTF8-formatted principal name, and is what a Windows-based domain controller will default to using when attempting to determine if a certificate is bound to a specific user account.
  - In its string form, the principal name doesn't have a principal name type specified with it.
    Some implementations treat this as an enterprise-name, which is always subject to canonicalization, while others treat it as if it were any other principal name. 

- 1.3.6.1.5.5.7.3.1 / Transport Layer Security (TLS) World Wide Web (WWW) server authentication / RFC 5280
    This extendedKeyUsage extension may be interpreted as "TLS Web Server Authentication Certificate" or "TLS WWW Server".
    This is an alternate way of identifying a KDC, for Linux clients and KDCs.

- 1.3.6.1.5.2.3.5 / id-pkinit-KPKdc / RFC 4556
  - This extendedKeyUsage value for the "Key Purpose" is, by default:
    - expected to be present in a certificate that is used by a KDC offering PKINIT services which comply with RFC 4556,
    - and used to indicate that the certificate is meant to be used by an SSL/TLS-using client.
    It is commonly included in multi-purpose client certificates.
    For Linux clients and KDCs.

- 1.3.6.1.5.5.7.3.4 / id-kp-emailProtection / RFC 5280
  - This extendedKeyUsage value is, by default, used to indicate that the certificate is meant to be used by a client for signing and/or encrypting email.
    It is commonly included in multi-purpose client certificates.

- 1.3.6.1.5.5.7.48.1 / id-pkix-ocsp / id-ad-ocsp / RFC 7299 and 3280

- 1.3.6.1.4.1.311.20.2.2 / id-ms-kp-sc-logon / Microsoft KP SmartCard Logon / RFC 4556
  - This extendedKeyUsage value is, by default, expected to be present in a client certificate that is used for PKINIT against a Windows-based domain controller.

Example:

        Extensions:
                Authority Key Identifier (not critical):
                        2b6ebd1d8c1f61f31744999498e66966dd75b18f
                Authority Information Access (not critical):
                        Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
                        Access Location URI: http://ipa-ca.idm.example.test/ca/ocsp
                Key Usage (critical):
                        Digital signature.
                        Non repudiation.
                        Key encipherment.
                        Data encipherment.
                Key Purpose (not critical):
                        TLS WWW Server.
                        1.3.6.1.5.2.3.5
                CRL Distribution points (not critical):
                        URI: http://ipa-ca.idm.example.test/ipa/crl/MasterCRL.bin
                Subject Key Identifier (not critical):
                        19312b724a80dd8e8a01d7f17ad5723568284ee5
                Subject Alternative Name (not critical):
                        otherName OID: 1.3.6.1.4.1.311.20.2.3
                        otherName DER: 0c286b72627467742f49444d2e4558414d504c452e544553544049444d2e4558414d504c452e54455354
                        otherName ASCII: .(krbtgt/IDM.EXAMPLE.TEST@IDM.EXAMPLE.TEST
                        KRB5Principal: krbtgt/IDM.EXAMPLE.TEST@IDM.EXAMPLE.TEST

Note: the SAN ASN.1 encoding appeared as:

 796  142:         SEQUENCE {
 799    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
         :             (X.509 id-ce (2 5 29))
 804  134:           OCTET STRING, encapsulates {
 807  131:             SEQUENCE {
 810   56:               [0] {
 812   10:                 OBJECT IDENTIFIER '1 3 6 1 4 1 311 20 2 3'
 824   42:                 [0] {
 826   40:                   UTF8String 'krbtgt/IDM.EXAMPLE.TEST@IDM.EXAMPLE.TEST'
         :                   }
         :                 }
 868   71:               [0] {
 870    6:                 OBJECT IDENTIFIER '1 3 6 1 5 2 2'
 878   61:                 [0] {
 880   59:                   SEQUENCE {
 882   18:                     [0] {
 884   16:                       GeneralString 'IDM.EXAMPLE.TEST'
         :                       }
 902   37:                     [1] {
 904   35:                       SEQUENCE {
 906    3:                         [0] {
 908    1:                           INTEGER 1
         :                           }
 911   28:                         [1] {
 913   26:                           SEQUENCE {
 915    6:                             GeneralString 'krbtgt'
 923   16:                             GeneralString 'IDM.EXAMPLE.TEST'
         :                             }
         :                           }
         :                         }
         :                       }
         :                     }
         :                   }
         :                 }

When the IPA server packages are installed, the ipa-server-common package provides a default IPA PKI enrollment profile configuration file, /usr/share/ipa/profiles/KDCs_PKINIT_Certs.cfg
Those enrollment profiles are then loaded into the IPA LDAP backend, and the ipa command line tool can be used to access and import profiles ( ipa certprofile-import , caacl-add , caacl-add-profile , and ipa cert-request )
That file can be read as an example showing the exact details. It is optionally used by the IPA embedded Dogtag PKI server, and it has 11 policies that include the required extensions:

Example from RHEL-7.8:

less /usr/share/ipa/profiles/KDCs_PKINIT_Certs.cfg
...
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
...
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
...
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
...
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
...
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
...
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
...
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
...
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5
...
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.name=Signing Alg
...
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
...
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
...
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17

Other note: the SAN extension data is provided in Dogtag as a "user provided" extension in the CSR / cert request. Example of the encoding of that extension:

o4H0MIHxMIGOBgNVHREEgYYwgYOgOAYKKwYBBAGCNxQCA6AqDChrcmJ0Z3QvSURN
LkVYQU1QTEUuVEVTVEBJRE0uRVhBTVBMRS5URVNUoEcGBisGAQUCAqA9MDugEhsQ
SURNLkVYQU1QTEUuVEVTVKElMCOgAwIBAaEcMBobBmtyYnRndBsQSURNLkVYQU1Q
TEUuVEVTVDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQZMStySoDdjooB1/F61XI1
aChO5TAxBgkrBgEEAYI3FAIEJB4iAEsARABDAHMAXwBQAEsASQBOAEkAVABfAEMA
ZQByAHQAcw==

   0  244: [3] {
   3  241:   SEQUENCE {
   6  142:     SEQUENCE {
   9    3:       OBJECT IDENTIFIER subjectAltName (2 5 29 17)
         :         (X.509 id-ce (2 5 29))
  14  134:       OCTET STRING, encapsulates {
  17  131:         SEQUENCE {
  20   56:           [0] {
  22   10:             OBJECT IDENTIFIER '1 3 6 1 4 1 311 20 2 3'
  34   42:             [0] {
  36   40:               UTF8String 'krbtgt/IDM.EXAMPLE.TEST@IDM.EXAMPLE.TEST'
         :               }
         :             }
  78   71:           [0] {
  80    6:             OBJECT IDENTIFIER '1 3 6 1 5 2 2'
  88   61:             [0] {
  90   59:               SEQUENCE {
  92   18:                 [0] {
  94   16:                   GeneralString 'IDM.EXAMPLE.TEST'
         :                   }
 112   37:                 [1] {
 114   35:                   SEQUENCE {
 116    3:                     [0] {
 118    1:                       INTEGER 1
         :                       }
 121   28:                     [1] {
 123   26:                       SEQUENCE {
 125    6:                         GeneralString 'krbtgt'
 133   16:                         GeneralString 'IDM.EXAMPLE.TEST'
         :                         }
         :                       }
         :                     }
         :                   }
         :                 }
         :               }
         :             }
         :           }
         :         }
         :       }
 151   12:     SEQUENCE {
 153    3:       OBJECT IDENTIFIER basicConstraints (2 5 29 19)
         :         (X.509 id-ce (2 5 29))
 158    1:       BOOLEAN TRUE
 161    2:       OCTET STRING, encapsulates {
 163    0:         SEQUENCE {}
         :         }
         :       }
 165   29:     SEQUENCE {
 167    3:       OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
         :         (X.509 id-ce (2 5 29))
 172   22:       OCTET STRING, encapsulates {
 174   20:         OCTET STRING
         :           19 31 2B 72 4A 80 DD 8E 8A 01 D7 F1 7A D5 72 35
         :           68 28 4E E5
         :         }
         :       }
 196   49:     SEQUENCE {
 198    9:       OBJECT IDENTIFIER '1 3 6 1 4 1 311 20 2'
 209   36:       OCTET STRING, encapsulates {
 211   34:         BMPString ''
         :         }
         :       }
         :     }
         :   }
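
The check below is an added example, not part of the original solution or of IPA's own code: it walks the DER of the extension request shown above with a minimal standard-library parser and reports which of the two SAN otherName values (1.3.6.1.4.1.311.20.2.3 and 1.3.6.1.5.2.2) is missing or is not krbtgt/REALM@REALM. The function names are made up for this example, and the parser assumes the single-byte tags that appear in this structure.

```python
import base64

# The extension-request blob quoted on this page (base64 DER), copied as-is.
EXT_REQ = base64.b64decode(
    "o4H0MIHxMIGOBgNVHREEgYYwgYOgOAYKKwYBBAGCNxQCA6AqDChrcmJ0Z3QvSURN"
    "LkVYQU1QTEUuVEVTVEBJRE0uRVhBTVBMRS5URVNUoEcGBisGAQUCAqA9MDugEhsQ"
    "SURNLkVYQU1QTEUuVEVTVKElMCOgAwIBAaEcMBobBmtyYnRndBsQSURNLkVYQU1Q"
    "TEUuVEVTVDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQZMStySoDdjooB1/F61XI1"
    "aChO5TAxBgkrBgEEAYI3FAIEJB4iAEsARABDAHMAXwBQAEsASQBOAEkAVABfAEMA"
    "ZQByAHQAcw==")
SAN = bytes.fromhex("551d11")  # DER body of OID 2.5.29.17 (subjectAltName)
UPN, KRB5 = "1.3.6.1.4.1.311.20.2.3", "1.3.6.1.5.2.2"
NAMES = {bytes.fromhex("2b060104018237140203"): UPN,
         bytes.fromhex("2b0601050202"): KRB5}  # DER OID body -> dotted form

def tlvs(buf):  # yield (tag, value) for each DER element in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def first(buf):  # value of the first DER element, i.e. unwrap one level
    return next(tlvs(buf))[1]

def san_principals(ext_req):
    """Map otherName OID -> principal string found in the SAN extension."""
    exts = [list(tlvs(e)) for _, e in tlvs(first(first(ext_req)))]
    san = next((f[-1][1] for f in exts if f[0][1] == SAN), b"\x30\x00")
    found = {}
    for other in (v for t, v in tlvs(first(san)) if t == 0xA0):  # otherName
        (_, type_id), (_, wrapped) = tlvs(other)
        kind, val = NAMES.get(type_id), first(wrapped)
        if kind == UPN:  # UTF8String holding the principal in string form
            found[kind] = val.decode("utf-8")
        elif kind == KRB5:  # KRB5PrincipalName: [0] realm, [1] PrincipalName
            (_, realm), (_, pname) = tlvs(val)
            _, (_, comps) = tlvs(first(pname))  # skip [0] name-type
            parts = [c.decode("ascii") for _, c in tlvs(first(comps))]
            found[kind] = "/".join(parts) + "@" + first(realm).decode("ascii")
    return found

def missing_kdc_sans(ext_req, realm):  # OIDs absent or not krbtgt/REALM@REALM
    got = san_principals(ext_req)
    return [o for o in (UPN, KRB5) if got.get(o) != f"krbtgt/{realm}@{realm}"]
```

Calling missing_kdc_sans(EXT_REQ, "IDM.EXAMPLE.TEST") returns an empty list for the blob above; a request without a SAN extension returns both OIDs.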

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.