On 02/08/2018 08:51 AM, j.witvl...@mindef.nl wrote:
> [2676] 1518080701.322720: Sending request (154 bytes) to MOD.NL (master)
> kinit: Can't verify certificate while getting initial credentials
>
> Am I correct, in assuming that at the side of the KDC the problem lies;
> that the KDC is unable to retrieve the (sub-)CA's for validating my
> certificate?

I think that is a correct assumption. The error came from the KDC, not
from the client (because it immediately follows a 'Sending request'
trace log). The message corresponds to the protocol error code
KDC_ERR_CANT_VERIFY_CERTIFICATE.

You didn't say what implementation is used on the KDC, but RFC 4556
prescribes this error code for when "the KDC cannot build a
certification path to validate the client's certificate". In the MIT
krb5 KDC implementation, we respond with that error code when OpenSSL's
X509_verify_cert() yields an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT or
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
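
Added example, not part of the original message and not MIT krb5 code: a lab reproduction of the path-building failure discussed above, using `openssl verify` as a stand-in for the KDC's X509_verify_cert() call. The CA names, file names and the helper functions (make_pki, issue, verify_client, classify) are constructed for illustration; OpenSSL verify error numbers 2 and 20 are X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

```sh
#!/bin/sh
# Constructed lab PKI (made-up names): root CA -> sub-CA -> client certificate.
make_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_ee]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/pki.cnf" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    issue "$1" sub "Example Sub CA" root v3_ca && issue "$1" client "Example Client" sub v3_ee
}

# issue DIR NAME CN SIGNER EXT_SECTION: key + CSR, then a cert signed by SIGNER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "0x$(openssl rand -hex 8)" -days 1 \
        -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

# verify_client DIR with|without: trust the root only; "with" also supplies the sub-CA.
verify_client() {
    if [ "$2" = with ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/client.pem" 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/client.pem" 2>&1
    fi
}

# Map verifier output the way the reply describes: error 2 or 20 means no path.
classify() {
    case $1 in
        *"error 20 at"*|*"error 2 at"*) echo KDC_ERR_CANT_VERIFY_CERTIFICATE ;;
        *": OK"*) echo OK ;;
        *) echo OTHER ;;
    esac
}

tmp=$(mktemp -d) && make_pki "$tmp" || exit 1
for mode in with without; do
    echo "$mode sub-CA: $(classify "$(verify_client "$tmp" "$mode")")"
done
rm -rf "$tmp"
```

Running the same `openssl verify` on the KDC host against the anchors and intermediates the KDC is configured with, and the real client certificate, shows whether the sub-CA is the missing link.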