
Projects : Kerberos Leveraged PKI

Kerberos Leveraged PKI (K-PKI) leverages an existing Kerberos infrastructure to provide a lightweight Public Key Infrastructure (PKI).

kx509 and kca are part of the National Science Foundation Middleware Initiative (NMI) EDIT software release.

Get the CITI Production KCA Certificate here! (NEW! as of October 13, 2006)


There are five major components to K-PKI:

kx509 and KCA

kx509 is a standalone client program that acquires a short-term X.509 certificate (junk key) from the KCA for a Kerberos-authenticated user. It stores the certificate in the local user's Kerberos ticket file. The certificate can later be used by COTS web browsers and other PKI-aware applications via the kpkcs11 library (see below).

KCA is the Kerberized server that generates the certificates. It runs on a secure server.

The latest kx509/KCA source is now available on SourceForge with CVS instructions here.

kpkcs11

kpkcs11 is a shared library that exports the PKCS#11 interface. It uses the certificates stored in the user's Kerberos ticket file by the kx509 client program. It typically is loaded by a COTS web browser, but can be used by any PKCS#11 client.

The latest kpkcs11 source is now available on SourceForge with CVS instructions here.

KCT and mod_KCT

mod_KCT is an Apache web server module that acquires a Kerberos service ticket from the KCT on behalf of an SSL authenticated user. The web server can then act as a Kerberos client on the user's behalf.

KCT runs on the same machine that runs the KDC. It accepts user certificates via SSL from mod_KCT and returns a Kerberos service ticket. It uses the OpenSSL toolkit. (This code assumes OpenSSL version 0.9.7 or later.)


Readme file (Last update - December 10, 2001)
kx509.tar.gz (Last update - November 11, 2003)
kpkcs11.tar.gz (Last update - November 13, 2003)
mod_kct.gz (Last update - October 24, 2005)
kct.tar.gz (Last update - October 24, 2005)

Change Log

October 24, 2005 (mod_kct/kct updates)

mod_kct changes:

  • Now configurable via httpd.conf file so that user authentication may be required for the entire server, or on a directory-by-directory basis.
  • Updated to "version 2" such that multiple service tickets can be requested in a single request and a desired lifetime can be specified for each ticket.

kct changes:

  • Miscellaneous bug fixes.
  • Handle service names with instances correctly.
  • Updated to "version 2" such that multiple service tickets can be requested in a single request and a desired lifetime can be specified for each ticket.
  • Added renewal service. (More to come on this.)
  • Updated configuration processing so that configuration options are processed in increasing order of precedence:
      • static defaults
      • default config file (/var/kct/kct.conf)
      • config file specified on the command line (-f)
      • individual options specified on the command line
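The precedence chain in the last item, as an added Python illustration (not kct's own code): each layer overrides the one before it, and the resolver records which layer supplied every value so an operator can see why a setting took effect. The `key = value` file syntax, the option names and their values are assumptions for the example; kct's real configuration format is not described on this page.

```python
"""Layered configuration resolution in the precedence order the change log lists.

Added example, not kct's own code. The 'key = value' file syntax, the option
names and their values are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Layer 1: static defaults (lowest precedence). Constructed values.
STATIC_DEFAULTS: Dict[str, str] = {
    "log_level": "info",
    "listen_port": "443",
    "max_ticket_lifetime": "36000",
}

# Layer 2 is read from this path by default (the path named in the change log).
DEFAULT_CONFIG_PATH = "/var/kct/kct.conf"


def parse_config_text(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. Blank lines and '#' comments are ignored;
    a malformed line is an error rather than silently skipped, so a typo
    cannot quietly fall back to a less restrictive default."""
    options: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        options[key] = value
    return options


def resolve_config(
    default_file_text: Optional[str],
    cli_file_text: Optional[str],
    cli_options: Dict[str, str],
) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Merge the four layers, later layers overriding earlier ones.

    default_file_text: contents of /var/kct/kct.conf, or None if the file is absent.
    cli_file_text:     contents of the file given with -f, or None if no -f was given.
    cli_options:       individual options given on the command line.

    Returns (effective_config, source_of_each_key).
    """
    layers = [
        ("static default", dict(STATIC_DEFAULTS)),
        ("default config file", parse_config_text(default_file_text or "")),
        ("-f config file", parse_config_text(cli_file_text or "")),
        ("command line", dict(cli_options)),
    ]
    config: Dict[str, str] = {}
    source: Dict[str, str] = {}
    for name, values in layers:
        for key, value in values.items():
            config[key] = value
            source[key] = name
    return config, source


if __name__ == "__main__":
    # Constructed inputs standing in for the two files and the command line.
    cfg, src = resolve_config(
        "log_level = debug\nlisten_port = 8443\n",
        "listen_port = 9443   # overrides the default file\n",
        {"log_level": "warn"},
    )
    for key in sorted(cfg):
        print(f"{key} = {cfg[key]}  (from {src[key]})")
```

Reporting the winning layer per key is the part worth keeping in a real daemon: when a server behaves differently from what its config file says, the first question is which higher-precedence layer changed the value.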

November 11, 2003 (kx509/kca updates)

  • Fixes from Ken MacInnis for 64-bit clients and to properly set the file permissions on the output file in kxlist.
  • Change KCA serial number handling code to use OpenSSL BigNum routines. This creates a much bigger serial number space. This change requires an OpenSSL build tree to build the kca. It also requires that the serial number file has an even number of characters.
  • Use autoconf 2.57.
  • Windows build has a new option for using Microsoft SSPI (--withmsk5).
  • Updates for kx509 library. Added new options to kxlist to place certificate and key in separate files, or both in the same file.
  • Fix problem with the entropy code and 3DES session keys.
  • Add environment variable, KCA_HOST_LIST, to specify the kca host name(s). If set, use the env var for list of kca hosts instead of doing DNS SRV record lookup.
  • Change default kca log messages to have formatted date, and other log message changes.
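
The serial-number handling described in the entry above, together with the sn_increment option from the March 28, 2002 entry, as an added Python illustration (not the KCA's own code): the serial file holds a hexadecimal number with an even number of digits, arbitrary-precision integers take the place of the fixed-width counter, and the stored serial advances by a configurable increment. The file layout, the function names and the reading of sn_increment as the step added to the stored value are assumptions made for this example.

```python
"""Serial-number file handling for a certificate issuer.

Added example, not the KCA's own code. Convention followed: the file holds
one hexadecimal integer with an even number of digits (the rule the change
log states for the KCA serial file); Python's int supplies the
arbitrary-precision arithmetic that the BigNum change provides via OpenSSL.
"""
import os
import tempfile
from typing import List, Tuple


class SerialFileError(ValueError):
    """Raised when the serial file does not hold a usable serial number."""


def parse_serial(text: str) -> int:
    """Decode the file contents; reject empty, odd-length and non-hex text."""
    digits = text.strip()
    if not digits:
        raise SerialFileError("serial file is empty")
    if len(digits) % 2:
        raise SerialFileError(f"serial {digits!r} has an odd number of hex digits")
    try:
        return int(digits, 16)
    except ValueError:
        raise SerialFileError(f"serial {digits!r} is not hexadecimal") from None


def is_valid_serial_text(text: str) -> bool:
    """True when parse_serial would accept the text."""
    try:
        parse_serial(text)
        return True
    except SerialFileError:
        return False


def format_serial(value: int) -> str:
    """Encode as upper-case hex, zero-padded so the digit count is even."""
    if value < 0:
        raise SerialFileError("serial numbers must be non-negative")
    digits = format(value, "X")
    return digits if len(digits) % 2 == 0 else "0" + digits


def next_serial(path: str, sn_increment: int = 1) -> int:
    """Return the serial to use for the next certificate and store its successor.

    The successor is written to a temporary file and renamed into place, so a
    crash mid-write cannot leave a truncated serial file behind (which would
    make the next issuance either fail or reuse a serial).
    """
    if sn_increment < 1:
        raise SerialFileError("sn_increment must be a positive integer")
    with open(path, "r", encoding="ascii") as fh:
        current = parse_serial(fh.read())
    tmp_path = path + ".tmp"
    with open(tmp_path, "w", encoding="ascii") as fh:
        fh.write(format_serial(current + sn_increment) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp_path, path)
    return current


def issue_round_trip(start: str = "FF", sn_increment: int = 2, count: int = 3) -> Tuple[List[int], str]:
    """Constructed demonstration: seed a serial file, issue `count` serials,
    and return (serials issued, final file contents)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "serial")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(start + "\n")
        issued = [next_serial(path, sn_increment) for _ in range(count)]
        with open(path, encoding="ascii") as fh:
            final = fh.read().strip()
    return issued, final


if __name__ == "__main__":
    print(issue_round_trip())  # ([255, 257, 259], '0105')
```

The atomic rename protects against a crash, not against two issuer processes running at once: both would read the same value and issue duplicate serials, which X.509 forbids within one issuer. A real deployment should hold a file lock for the whole read-increment-write cycle.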

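The KCA_HOST_LIST lookup order from the same entry, as an added Python illustration (not kx509's own code): the environment variable, when set, wins outright; otherwise the client falls back to DNS SRV records. Assumptions for the example: KCA_HOST_LIST is a whitespace- or comma-separated list of host names; the SRV records are handed to the function already looked up (so the example runs offline) as (priority, weight, port, target) tuples with constructed host names and port; ordering follows RFC 2782's priority rule, with a deterministic highest-weight-first order inside a priority level standing in for the RFC's weighted random choice.

```python
"""Choosing KCA hosts: KCA_HOST_LIST override, otherwise DNS SRV records.

Added example, not kx509's own code. SRV records are passed in already
resolved; the sample records, host names and port are constructed.
"""
import os
from typing import List, Optional, Sequence, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed sample answer set, deliberately out of priority order.
SAMPLE_SRV: List[SrvRecord] = [
    (10, 20, 9878, "kca2.example.org."),
    (0, 100, 9878, "kca1.example.org."),
    (10, 60, 9878, "kca3.example.org."),
]


def hosts_from_env(value: Optional[str]) -> List[str]:
    """Split KCA_HOST_LIST, dropping duplicates; unset or empty yields no hosts."""
    if not value:
        return []
    seen = set()
    hosts: List[str] = []
    for host in value.replace(",", " ").split():
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def order_srv(records: Sequence[SrvRecord]) -> List[Tuple[str, int]]:
    """Return (target, port) pairs in the order a client should try them.

    Lowest priority value first; within one priority, highest weight first
    (deterministic simplification of RFC 2782's weighted random pick).
    A target of '.' means 'service not available' per RFC 2782 and is dropped.
    """
    usable = [r for r in records if r[3] != "."]
    ordered = sorted(usable, key=lambda r: (r[0], -r[1], r[3].lower()))
    return [(target.rstrip("."), port) for (_prio, _weight, port, target) in ordered]


def kca_hosts(
    srv_records: Sequence[SrvRecord],
    env_value: Optional[str] = None,
) -> Tuple[str, List[str]]:
    """Return (source, host list).

    env_value=None reads KCA_HOST_LIST from the real environment; passing a
    string (even "") lets callers and tests control the override explicitly.
    """
    if env_value is None:
        env_value = os.environ.get("KCA_HOST_LIST")
    override = hosts_from_env(env_value)
    if override:
        return "KCA_HOST_LIST", override
    return "DNS SRV", [target for target, _port in order_srv(srv_records)]


if __name__ == "__main__":
    print(kca_hosts(SAMPLE_SRV, "kca9.example.org, kca1.example.org"))
    print(kca_hosts(SAMPLE_SRV, ""))
```

Returning the source alongside the list is deliberate: because the environment override takes precedence over DNS, a client log line that says which source supplied the KCA host names makes a misdirected request much easier to spot during troubleshooting.
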
August 7, 2002 (kx509/kca updates)

  • Changes to allow configuration and build of the client on MacOS X Darwin.

March 28, 2002 (kx509/kca updates)

  • Rework configure script to make Kerberos 5 the default authentication mechanism. Make use of Kerberos 4 optional.
  • Add README and INSTALL files.
  • Add install target.
  • Use ANSI prototypes and declarations.
  • Add support for a kx509 library, allowing it to be invoked from within another program rather than as a main program.
  • Add support for sn_increment configuration option.
  • Use the client's authentication domain as the email address domain by default.
  • Remove Version 1 protocol code.

March 11, 2002 (kpkcs11 updates)

  • Simplify (hopefully) configure step for non-UMICH builds.
  • Add README and INSTALL files.
  • Add install target.
  • Change logging routines so that debug output is only written if the log file already exists. This allows some debugging to be done by touching the file before loading the kpkcs11 module.
  • Add code to ignore requests from Netscape 6 for objects with vendor-defined properties. (Allows kpkcs11 to be used with Netscape 6.)

February 11, 2002

  • Incorporate patches to kpkcs11 received from Simon Wilkinson to make the pkcs11 token a truly "removable" device. This allows the user to update their certificate without requiring a browser restart to notice. This makes expired certificates much easier to handle.
  • Remove all Kerberos dependencies for the Windows version of kpkcs11 since the key and certificate are not stored in the credentials cache on Windows.
  • Update kpkcs11 messages to print the Kerberos error string, rather than the error number, in the case of an error when using Kerberos 5.

December 10, 2001

  • Add KCT and mod_KCT to the distribution. There are two versions of mod_KCT, and some patches to OpenSSL 0.9.6b.
  • Minor fix in kx509 configuration script.
  • Changes to the logging within the KCA to include the date in the logfile name and code to reopen the log via a SIGHUP.

August 27, 2001

  • Use of SRV records to locate the kca server rather than assuming they are on Kerberos servers.
  • Windows client will now make use of a broader selection of Kerberos distributions.
  • Improved integration with Windows 2000.
  • Cleaner configuration.
  • Eliminate use of RSAref.
  • More generalized server support.

CITI Technical Reports

  • 01-2: William Doster, Marcus Watts, and Dan Hyde, "The KX.509 Protocol," February 2001.
  • 01-5: Olga Kornievskaia, Peter Honeyman, Bill Doster, and Kevin Coffman, "Kerberized Credential Translation: A Solution to Web Access Control," February 2001. [USENIX Security Symposium, Washington, D.C. (August 2001)]

Copyright © 1996-2013
The Regents of the University of Michigan