1 files changed, 61 insertions, 0 deletions

diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions
new file mode 100644
index 0000000..d841890
--- /dev/null
+++ b/confskel/openssl/pki_extensions
@@ -0,0 +1,61 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:@@@REALM_UCNAME@@@
+
+[ client_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+basicConstraints=CA:FALSE
+
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+
+extendedKeyUsage =  1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+[princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:principal_seq
+
+[principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:principals
+
+[principals]
+princ1 = GeneralString:@@@KDCSERVER@@@