Hi Tom, Attached, please find a tarball of config and certs and disposable private keys on my test system (which has both KDC and client). Also, home/bnordgren/mycert1.pem is the cert off of my smart card.
In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC and one for the smart card. The pkinit_pool lines contain all the intermediate certs. Is there any way to tell the client to not make a CA bundle to send to the KDC? If I haven't spoon-fed the KDC what it needs, it should say "no".

Bryce

> -----Original Message-----
> From: Tom Yu [mailto:t...@mit.edu]
> Sent: Thursday, May 21, 2015 3:07 PM
> To: Nordgren, Bryce L -FS
> Cc: kerberos@mit.edu
> Subject: Re: PKINIT cert chains
>
> "Nordgren, Bryce L -FS" <bnordg...@fs.fed.us> writes:
>
> > 1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?
>
> I think no, in general, but configuration might be more complicated for your deployment if they're different.
>
> > 2] Is the error below related to the KDC's cert chain or the smart card's cert chain?
>
> I'm not sure, but see below for some speculation.
>
> > Long version:
> > ==========
> >
> > Digging thru my notes, I rediscovered the KRB5_TRACE environment variable. As it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had no configured identity. Unrecognized options really should throw an error.
> >
> > Today's question concerns the assumptions about PKI. My KDC is part of "my" PKI for my local environment, and clients have my "cacert.pem", constructed as instructed on the PKINIT configuration webpage. My smart cards are issued by GSA credentialing centers, and I have provided a valid CA bundle to the KDC. I am getting:
> >
> > "Cannot create cert chain: unable to get local issuer certificate"
>
> This string is coming from cms_signeddata_create() in pkinit_crypto_openssl.c, so it's probably the client trying to create a cert chain to send to the KDC with its signed data.
>
> Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to point at cacert.pem? Which certs are in cacert.pem? Are there any intermediate CAs in the signature chain for the client certs?
>
> -Tom
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
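An added check, not part of the thread and not the poster's or MIT's code: the "unable to get local issuer certificate" reason text that Tom traces to chain building can be reproduced outside Kerberos with openssl verify. The script below builds a throwaway root, issuing CA and end-entity cert (all names are constructed for the demo), then verifies the end-entity cert against the root alone, which fails with that reason, and against the root with the issuing CA supplied as untrusted intermediates, which succeeds. The -CAfile and -untrusted inputs correspond roughly to the roles of the anchors file and the pool file on the client; the assumed real-world use is to pass the configured anchors file, the pool file and the card certificate (mycert1.pem in the thread) in place of the constructed files, so that a missing intermediate shows up before touching the KDC.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the chain check behind
# "unable to get local issuer certificate" with a throwaway
# root -> issuing CA -> user certificate chain. All names and paths are constructed.
set -e
WORK=$(mktemp -d)

# Throwaway self-signed root; stands in for an anchor in the anchors file.
# (req -x509 marks it CA:TRUE by default.)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Issuing CA signed by the root; the kind of cert that belongs in the pool file.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca_ext.cnf"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca_ext.cnf" -out "$WORK/inter.pem" 2>/dev/null

# End-entity cert issued by the issuing CA; stands in for the smart-card cert.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Card Holder" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/user.pem" 2>/dev/null

# check_chain ANCHORS CERT [POOL]
# Prints "ok" when CERT chains to an anchor in ANCHORS, using POOL (if given)
# as untrusted intermediates; otherwise prints OpenSSL's reason text.
check_chain() {
    if [ -n "$3" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    esac
}

# Root alone: the issuer of user.pem is unknown, so chain building fails.
check_chain "$WORK/root.pem" "$WORK/user.pem"
# Root plus the issuing CA as pool: the chain is complete.
check_chain "$WORK/root.pem" "$WORK/user.pem" "$WORK/inter.pem"
```

If the second call also fails on real files, the pool is missing an issuer somewhere between the card cert and the anchor; if only the first fails, the anchors are fine and the intermediates are what the client needs to find.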