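# KRB5: pkinit

## KDC

```bash
# CA key and self-signed CA cert. cakey.pem is the trust anchor for the whole
# realm: keep it readable only by root, and move it off the KDC once the KDC
# and client certs are issued. Without -days openssl defaults to 30 days,
# which would expire before the 365-day client cert issued below.
openssl genrsa -out cakey.pem 2048
openssl req -key cakey.pem -new -x509 -days 365 -out cacert.pem
```

`vim extensions.kdc`

```kdc
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
```

```bash
openssl genrsa -out kdckey.pem 2048
openssl req -new -out kdc.req -key kdckey.pem
# REALM must be exported before signing: extensions.kdc reads it through
# ${ENV::REALM} to build the krbtgt/REALM SAN that clients verify.
export REALM=DOMAIN.ALT
# -days 365 keeps the KDC cert valid as long as the client cert (default is 30 days).
openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -days 365 -out kdc.pem -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
cp kdc.pem /var/lib/kerberos/krb5kdc/
cp kdckey.pem /var/lib/kerberos/krb5kdc/
cp cacert.pem /var/lib/kerberos/krb5kdc/
# kdckey.pem is stored unencrypted and cp keeps the umask-derived mode;
# restrict it to the user the KDC runs as.
chmod 600 /var/lib/kerberos/krb5kdc/kdckey.pem
```

`vim /var/lib/kerberos/krb5kdc/kdc.conf`

```kdc
[kdcdefaults]
...
pkinit_identity = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/var/lib/kerberos/krb5kdc/cacert.pem

[realms]
DOMAIN.ALT = {
    ...
    default_principal_flags = +preauth
}
```

```bash
kadmin.local -q 'addprinc test'
kadmin.local -q 'modprinc +requires_preauth test'
# WELLKNOWN/ANONYMOUS enables anonymous PKINIT (kinit -n); only create it
# if anonymous tickets are actually wanted in this realm.
kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
```

`vim extensions.client`

```kdc
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq

[principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals

[principals]
princ1=GeneralString:${ENV::CLIENT}
```

```bash
openssl genrsa -out clientkey.pem 2048
openssl req -new -key clientkey.pem -out client.req
export REALM=DOMAIN.ALT
# CLIENT becomes the principal name in the SAN; it must match the principal
# added with kadmin above, since by default the KDC checks the SAN against
# the principal that requests the ticket.
export CLIENT=test
openssl x509 -CAkey cakey.pem -CA cacert.pem -req -in client.req -extensions client_cert -extfile extensions.client -days 365 -out client.pem
# Lab shortcut: the client's private key is generated on the KDC and copied
# over the network. Outside a lab, generate clientkey.pem on the client and
# send only client.req to the CA, so the key never leaves the user's machine.
scp cacert.pem test@10.64.172.150:
scp client.pem test@10.64.172.150:
scp clientkey.pem test@10.64.172.150:
systemctl restart krb5kdc.service
```

## KCLW

```bash
# clientkey.pem is the user's long-term credential: after copying, make sure
# it is owned by and readable only by that user (mode 600).
cp /home/test/*.pem /var/lib/kerberos/krb5/
```

`vim /etc/krb5.conf`

```kdc
[libdefaults]
...
pkinit_anchors = FILE:/var/lib/kerberos/krb5/cacert.pem
#pkinit_identities = FILE:/var/lib/kerberos/krb5/client.pem,/var/lib/kerberos/krb5/clientkey.pem
```

`pkinit_anchors` must point at the CA that signed `kdc.pem`, otherwise the client cannot verify the KDC's PKINIT reply. With `pkinit_identities` left commented out, the client cert and key have to be given per call instead (`kinit -X X509_user_identity=FILE:/var/lib/kerberos/krb5/client.pem,/var/lib/kerberos/krb5/clientkey.pem test`).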