Entrust PKI as a Service

Enabling KDC authentication on request

KDC authentication is an Extended Key Usage (EKU) that indicates a certificate is used by a Kerberos Key Distribution Center (KDC) to prove its identity during PKINIT (certificate-based Kerberos authentication). It allows a server (typically a domain controller) to authenticate itself to Kerberos clients by using a certificate instead of only a password or secret.

Follow the steps below to issue certificates supporting KDC authentication.

Adding a request extension for KDC authentication

Add the following optionalCertificateRequestDetails.extensions field to the certificate request.

"optionalCertificateRequestDetails": {
    "extensions": [
        {
            "oid": "2.5.29.37",
            "value": "1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5"
        }
    ]
}

Where:

  • The oid value is the 2.5.29.37 identifier of the Extended Key Usage (EKU) extension.
  • The value value is a list of two identifiers:
    • 1.3.6.1.5.5.7.3.1 for TLS/SSL server authentication.
    • 1.3.6.1.5.2.3.5 for KDC authentication with Kerberos PKINIT.

Selecting a profile that supports KDC authentication

Select a profile that allows the Extended Key Usage (2.5.29.37) extension – for example, the ones listed in the following sections.

Alternatively, you can create a profile with this extension, as explained in Customizing subscriber profiles.
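As an added example (not part of the Entrust documentation or API), the following standard-library Python shows what the comma-separated value in the request extension above becomes in the issued certificate: it DER-encodes the OID list into an ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId), decodes it back, and checks that both the TLS server authentication and KDC authentication purposes are present. Short-form DER lengths are assumed, which is enough for a handful of key purposes.

```python
EKU_OID = "2.5.29.37"                    # Extended Key Usage extension
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # TLS/SSL server authentication
ID_PKINIT_KP_KDC = "1.3.6.1.5.2.3.5"     # KDC authentication (Kerberos PKINIT)
REQUEST_EKU_VALUE = ",".join([ID_KP_SERVER_AUTH, ID_PKINIT_KP_KDC])  # the "value" field

def encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, base-128 arcs, short-form length."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)  # continuation bit on all but last
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(value):
    """Turn the request's comma-separated OID list into DER ExtKeyUsageSyntax."""
    content = b"".join(encode_oid(p.strip()) for p in value.split(","))
    if len(content) >= 128:
        raise ValueError("too many purposes for short-form length")
    return bytes([0x30, len(content)]) + content

def decode_eku(der):
    """Parse a short-form DER ExtKeyUsageSyntax back into dotted OIDs."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    purposes, pos = [], 2
    while pos < len(der):
        if der[pos] != 0x06 or der[pos + 1] == 0:
            raise ValueError("expected a non-empty OBJECT IDENTIFIER")
        body = der[pos + 2:pos + 2 + der[pos + 1]]
        first = body[0]  # unpack the two leading arcs (root arc 2 uses offset 80)
        arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
        value = 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:  # last byte of this arc
                arcs.append(value)
                value = 0
        purposes.append(".".join(map(str, arcs)))
        pos += 2 + len(body)
    return purposes

def supports_kdc_auth(eku_der):
    """True only when the EKU grants both serverAuth and KDC authentication."""
    purposes = set(decode_eku(eku_der))
    return ID_KP_SERVER_AUTH in purposes and ID_PKINIT_KP_KDC in purposes
```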