[kmf-discuss] Proposed pktool changes

Wyllys Ingersoll wyllys.ingersoll at sun.com
Fri Jan 11 07:13:51 PST 2008


Hai-May Chao wrote:
> Wyllys Ingersoll wrote:
>> Below are the proposed changes to pktool needed to support Kerberos 
>> PKINIT
>> and some of the SSH certificate changes.
>>
>> One feature missing from pktool is the ability to add EKU values when 
>> creating
>> a cert or CSR, I will propose adding a new attr/value pair command 
>> line arg to
>> support this.
>>
>> Ex:
>>    ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]
>>    where EKU Name = serverAuth | clientAuth |
>>                     codeSigning | emailProtection |
>>                     ipsecEndSystem | ipsecTunnel |
>>                     ipsecUser | timeStamping |
>>                     OCSPSigning | KPClientAuth | KPKdc
>>
>
> The proposed EKU attr command arg looks good.
> Should the new SCLogon be added to the above list of EKU names?

Yes, I forgot to add that one above, I will include it in the final draft.


>> pktool signcsr
>>  signkey=label/filename of signing key (label if keystore=PKCS11 or 
>> NSS, filename if file)
>>  csr=CSR filename
>>  serial=serial number hex string
>>  outcert=filename for resulting certificate.
>>  [issuer=issuer-DN]             ( DN to use for issuer field.  Not 
>> needed if the key
>>                                   has an associated certificate in 
>> the keystore.  The subject
>>                                   of the associated cert will be the 
>> issuer of the new one )
>>  [keystore=pkcs11|file|nss]     ( PKCS11 is default )
>>  [token=token[:manuf[:serial]]] ( PKCS11 token name, default is to 
>> use metaslot )
>>  [format=pem|der]               ( format of output cert, PEM is default)
>>  [subject=subjectDN]            ( override the subject in the 
>> original request )
>>  [store=y|n]                    ( store the new cert, default = n )
>>  [label=cert label]             ( label to use when storing in PKCS11 
>> or NSS )
>>  [altname=subjectAltName]       ( add a SAN )
>>  [keyusage=[critical:]usage,..] ( add key usage bits )
>>  [eku=EKU Name, EKU Name, ...]  ( add EKU values )
>>
>
> Should the eku be in the form like gencert and gencsr commands:
>
> ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]

Yes, good catch. 

Thanks for the notes.

-Wyllys
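As an added illustration of the `ekuname=[[critical:]EKU Name,...]` grammar agreed on above (this is example code written for this page, not pktool's own parser): it validates each item against the EKU names proposed in the thread, including the SCLogon name Wyllys agreed to add, and rejects unknown or duplicated names rather than silently dropping them. The name-to-OID mapping is an assumption on my part; the thread lists only the names, and the OIDs below are the standard registered values for those key purposes.

```python
"""Parser for the proposed pktool ekuname= attribute value.

Added example, not pktool source.  Grammar taken from the thread:
    ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]
"""
from dataclasses import dataclass
from typing import List

# EKU names allowed by the proposal (including SCLogon, added in the reply).
# Assumption: the thread gives names only; these are the standard OIDs for
# the id-kp arc, the Kerberos PKINIT arc and Microsoft smart card logon.
EKU_OIDS = {
    "serverAuth":      "1.3.6.1.5.5.7.3.1",
    "clientAuth":      "1.3.6.1.5.5.7.3.2",
    "codeSigning":     "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "ipsecEndSystem":  "1.3.6.1.5.5.7.3.5",
    "ipsecTunnel":     "1.3.6.1.5.5.7.3.6",
    "ipsecUser":       "1.3.6.1.5.5.7.3.7",
    "timeStamping":    "1.3.6.1.5.5.7.3.8",
    "OCSPSigning":     "1.3.6.1.5.5.7.3.9",
    "KPClientAuth":    "1.3.6.1.5.2.3.4",          # PKINIT client
    "KPKdc":           "1.3.6.1.5.2.3.5",          # PKINIT KDC
    "SCLogon":         "1.3.6.1.4.1.311.20.2.2",   # smart card logon
}


@dataclass(frozen=True)
class Eku:
    name: str
    oid: str
    critical: bool


def parse_ekuname(arg: str) -> List[Eku]:
    """Parse 'ekuname=...' (or a bare value) into Eku entries.

    Unknown names, empty items and duplicates are errors, so a typo such as
    'serverauth' fails loudly instead of yielding a cert without the EKU.
    """
    value = arg[len("ekuname="):] if arg.startswith("ekuname=") else arg
    if not value:
        raise ValueError("ekuname requires at least one EKU name")
    result: List[Eku] = []
    seen = set()
    for item in value.split(","):
        item = item.strip()
        critical = False
        if item.startswith("critical:"):
            critical = True
            item = item[len("critical:"):]
        if item not in EKU_OIDS:
            raise ValueError(f"unknown EKU name: {item!r}")
        if item in seen:
            raise ValueError(f"duplicate EKU name: {item}")
        seen.add(item)
        result.append(Eku(item, EKU_OIDS[item], critical))
    return result


def extension_is_critical(ekus: List[Eku]) -> bool:
    """X.509 carries one ExtendedKeyUsage extension with a single critical
    flag, so a 'critical:' prefix on any item makes the whole extension
    critical; per-item criticality in the syntax cannot be encoded."""
    return any(e.critical for e in ekus)


if __name__ == "__main__":
    ekus = parse_ekuname("ekuname=critical:KPKdc,serverAuth")
    for e in ekus:
        print(e)
    print("extension critical:", extension_is_critical(ekus))
```

The `extension_is_critical` helper records the one caveat a consumer of this syntax needs: since the certificate extension has a single criticality bit, `critical:KPKdc,serverAuth` and `critical:KPKdc,critical:serverAuth` necessarily encode to the same extension.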


