[36717] in Kerberos
Re: PKINIT AS-REP "Invalid Signature" (was : PKINIT and -nokey)
daemon@ATHENA.MIT.EDU (Siddharth Mathur)
Tue Jan 13 01:35:53 2015
Date: Tue, 13 Jan 2015 12:05:39 +0530
Message-ID: <CABMjiNsGoThtyg0dO+XG_Y63NKh5OGV1pcTM1O7oAbMN7jizdg@mail.gmail.com>
From: Siddharth Mathur <smathur@blackbuck.mobi>
To: kerberos@mit.edu
> CMS Verification failure
>
> failed to verify pkcs7 signed data
>
> pkinit_as_rep_parse returning -1765328320 (Invalid signature)
>
> pkinit_as_rep_parse returned -1765328320 (Invalid signature)
>
> pkinit_client_process: returning -1765328320 (Invalid signature)
>

To close this thread, this invalid signature error on the client-side
was due to mismatched X.509 certificates being fed to the KDC
configuration file in "pkinit_identity". Ensuring that they were the
right private key/public key pair fixed the problem.

Of course, the KDC logs didn't mention any errors during or after
startup about this configuration error, but that's another issue ;).

Cheers,
Siddharth
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
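
A pre-flight check for the misconfiguration described in this message, as an added example that is not part of the original post or of MIT krb5: it compares the public key in the certificate with the one derived from the private key for a `pkinit_identity` value of the form `FILE:cert[,key]`. The function names, file names and throwaway self-signed pairs are constructed for illustration, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example, not from the original message or from MIT krb5.
# Checks that the certificate and private key named by a pkinit_identity
# value of the form FILE:cert[,key] are one key pair.
# Returns 0 = match, 1 = mismatch, 2 = unsupported value or unreadable file.
pkinit_identity_matches() {
    spec=${1#FILE:}
    if [ "$spec" = "$1" ]; then
        echo "only FILE: identities are handled here" >&2
        return 2
    fi
    cert=${spec%%,*}
    key=${spec#*,}
    # Without a comma, the one file is expected to hold both cert and key.
    [ "$key" != "$spec" ] || key=$cert
    # Public key as certified in the X.509 certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key. The empty -passin keeps
    # openssl from prompting; an encrypted key is reported as unreadable.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: throwaway self-signed pairs (hypothetical names).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d" a && make_pair "$d" b || { rm -rf "$d"; return 1; }
    pkinit_identity_matches "FILE:$d/a.crt,$d/a.key" && echo "a.crt,a.key: match"
    pkinit_identity_matches "FILE:$d/a.crt,$d/b.key" || echo "a.crt,b.key: MISMATCH ($?)"
    rm -rf "$d"
}
demo
```

Running the check against the configured `pkinit_identity` value before restarting the KDC surfaces the mismatch that, as noted above, the KDC logs do not report.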