"Nordgren, Bryce L -FS" <bnordg...@fs.fed.us> writes: > You've prompted me to draw a picture. The collection of "intermediate" > certificates is no such thing. I appear to have been given a bag of unrelated > fragments of CA chains. Many apologies for lack of due diligence. PKI tools > are still pretty awkward for me to use.
No problem. I think PKI tools are awkward for pretty much everyone to use. > However, I do have the cert for the CA which signed my card (LincPass.cer), > even though it's not a self-signed root CA. I specified it directly in my > pkinit_anchors, but this did not resolve the issue. Does openssl (and thus > MIT Kerberos) require all the certs up to a self signed root certificate, > even when I want to anchor somewhat lower than that? Does this mean the > anchor is really all the way at the root cert, or is it where I want it to be? My experience is that OpenSSL wants to chain to a self-signed root cert. I've tended to hear the term "trust anchor" used in X.509 contexts to mean only a trusted self-signed root certificate. > Pam_pkcs11 is authenticating with these certs for sudo, possibly because it's > using Mozilla nssdb instead of openssl? Thus was I lulled into complacency. It might be that nssdb has the relevant root cert configured in its trust store. I believe the OpenSSL API as we use it in our PKINIT implementation requires that the trusted roots be specified explicitly through the API. -Tom ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
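The behaviour Tom describes can be reproduced on the command line before touching krb5.conf. The script below is an added example, not code from this thread or from MIT krb5: it builds a throwaway three-level hierarchy (a self-signed root, an issuing CA standing in for LincPass.cer, and a card-style client certificate; all names are made up) and then runs `openssl verify` three times with different anchors. With only the issuing CA as `-CAfile`, OpenSSL's default chain building fails because it cannot reach a self-signed certificate; it succeeds only when the root is the anchor, or when the caller explicitly opts into `-partial_chain` (the `X509_V_FLAG_PARTIAL_CHAIN` verify flag). It needs OpenSSL 1.1.0 or later for the `-no-CAfile`/`-no-CApath` options.

```shell
#!/bin/sh
# Added example (not from the thread, not MIT krb5 code): build a root ->
# issuing CA -> client cert chain and show how OpenSSL chain building
# behaves when the anchor is the issuing CA instead of the self-signed root.
# All subject names are made up. Requires OpenSSL 1.1.0 or newer.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal config: a placeholder DN (overridden by -subj) plus extension
# profiles for CA certificates and for the end-entity certificate.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
# clientAuth plus id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4), the EKU a
# PKINIT client certificate carries.
extendedKeyUsage = clientAuth, 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

build_demo_chain() {
    # Self-signed root: the only kind of certificate OpenSSL accepts as the
    # end of a chain unless the caller asks for partial chains.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Example Root CA" -days 30 -config openssl.cnf \
        -extensions ca_ext 2>/dev/null
    # Issuing CA signed by the root; this plays the role of LincPass.cer.
    openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
        -subj "/CN=Example Issuing CA" -config openssl.cnf 2>/dev/null
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out issuing.crt -days 30 -extfile openssl.cnf -extensions ca_ext 2>/dev/null
    # End-entity (card) certificate signed by the issuing CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout card.key -out card.csr \
        -subj "/CN=Jane Doe" -config openssl.cnf 2>/dev/null
    openssl x509 -req -in card.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
        -out card.crt -days 30 -extfile openssl.cnf -extensions leaf_ext 2>/dev/null
}

# verify_card ANCHOR [extra openssl verify options]
# Verifies card.crt against ANCHOR only (system trust store disabled), with
# issuing.crt offered as an untrusted intermediate. Returns openssl's status.
verify_card() {
    anchor=$1; shift
    openssl verify -no-CAfile -no-CApath -CAfile "$anchor" -untrusted issuing.crt \
        "$@" card.crt >/dev/null 2>&1
}

# report LABEL COMMAND...: print OK or FAILED for one verification attempt.
report() {
    label=$1; shift
    if "$@"; then echo "$label: OK"; else echo "$label: FAILED"; fi
}

build_demo_chain
report "anchor = self-signed root"            verify_card root.crt
report "anchor = issuing CA only"             verify_card issuing.crt
report "anchor = issuing CA, -partial_chain"  verify_card issuing.crt -partial_chain
```

The second line of output is Bryce's situation: anchoring at the issuing CA is not enough for default OpenSSL verification. The third line shows that this is a verify-flag decision made by the calling application, not a property of the certificates, which is consistent with Tom's description of the PKINIT code expecting the self-signed roots to be supplied. The practical fix on the MIT side is therefore to obtain the self-signed root above LincPass.cer and point `pkinit_anchors = FILE:/path/to/root.crt` at it, making the intermediate available through `pkinit_pool` if the card's certificate chain does not already carry it.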