We've started exercising the new feature in RHCS 7.2 which lets you specify
a Kerberos principal name as a value for an issued certificate's
subjectAlternativeName, as specified in the PKINIT RFC. (Prior to that, I'd
been doing testing using principal names encoded the way Windows expects them,
so I was looking forward to it.) So I handed the certificate to my parsing
code, and (you guessed it) it didn't work. Grrr. Turns out I'd been using a
different (and as it turns out, incorrect) decoding template than the one I was
using to encode values as a sample. Luckily, fixing that was quick work.

Made some headway on semi-automating the process of generating certificates
with the right values in them using OpenSSL. Need to make sure the keys and
certificates can be bundled up into PKCS#12 bags, which p12util will like,
before I can go much further down that road.