rekeying krbtgt


Radoslav Bodó

We are trying to rekey old principals and get rid of the old `des-*`
enctypes, possibly without any service downtime. So far we've been able
to come up with a rekeying procedure for service principals using
ktutils+kadmin (

Now I'm a little bit wondering how to roll over the krbtgt principal. I've
found the `cpw --keepold` functionality, which nicely adds new keys
(kvno+1) for an existing principal with the requested keytypes ([kadmin]
default_keys), but I cannot find a way to selectively delete the old
key by kvno...

Any advice would be very appreciated.

Best regards
Radoslav Bodo
