[37004] in Kerberos
Re: PKINIT cert chains
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri May 22 13:43:10 2015
From: Tom Yu <tlyu@mit.edu>
To: "Nordgren\, Bryce L -FS" <bnordgren@fs.fed.us>
Date: Fri, 22 May 2015 13:42:49 -0400
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7DE699@001FSN2MPN1-046.001f.mgd2.msft.net>
(Bryce L. Nordgren's message of "Thu, 21 May 2015 23:57:27 +0000")
Message-ID: <ldvd21sy0di.fsf@sarnath.mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> writes:
> You've prompted me to draw a picture. The collection of "intermediate" certificates is no such thing. I appear to have been given a bag of unrelated fragments of CA chains. Many apologies for lack of due diligence. PKI tools are still pretty awkward for me to use.
No problem. I think PKI tools are awkward for pretty much everyone to
use.
> However, I do have the cert for the CA which signed my card (LincPass.cer), even though it's not a self-signed root CA. I specified it directly in my pkinit_anchors, but this did not resolve the issue. Does openssl (and thus MIT Kerberos) require all the certs up to a self signed root certificate, even when I want to anchor somewhat lower than that? Does this mean the anchor is really all the way at the root cert, or is it where I want it to be?
My experience is that OpenSSL wants to chain to a self-signed root cert.
I've tended to hear the term "trust anchor" used in X.509 contexts to
mean only a trusted self-signed root certificate.
> Pam_pkcs11 is authenticating with these certs for sudo, possibly because it's using Mozilla nssdb instead of openssl? Thus was I lulled into complacency.
It might be that nssdb has the relevant root cert configured in its
trust store. I believe the OpenSSL API as we use it in our PKINIT
implementation requires that the trusted roots be specified explicitly
through the API.
-Tom
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
