Hi,
In our case we use the api's to control the client action.
Setup :-
we maintain the conf files according to the realm names.
1. In normal scenario we call krb5_get_init_creds_opt_alloc and krb5_get_init_creds_opt_set_forwardable to set the kerberos flags
2. Similarly called
krb5_get_init_creds_opt_set_pa(k5->ctx, options, "X509_anchors", "FILE:/home/product/code/config/certificates/cacert.pem" );
krb5_get_init_creds_opt_set_pa(k5->ctx, options, "X509_user_identity", "FILE:/home/product/code/config/certificates/client.pem,/home/product/code/config/certificates/clientkey.pem");
krb5_get_init_creds_opt_set_pa(k5->ctx, options, "flag_RSA_PROTOCOL", "yes");
The above data was stored in the conf file.
My question is what ever i am doing is the correct procedure? Please do guide me in this.
Best Regards,
B.Sasikumar.
> I am planning to implement PKINIT in my kerberos client application. Read the tutorial for PKINIT options in MIT site and need to know what API's can be used to achieve PKINIT in client application.
Normally, a client application doesn't need to use any APIs to make
PKINIT work; all you have to do is configure the client and KDC
appropriately using krb5.conf.
If you have a specific need to control PKINIT behavior from the
application, you can create a krb5_get_init_creds_opt object with
krb5_get_init_creds_opt_alloc and set PKINIT-specific attributes with
krb5_get_init_creds_opt_set_pa. The attributes you can set this way are