[36997] in Kerberos


PKINIT cert chains

daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Thu May 21 13:36:04 2015

From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 21 May 2015 17:35:23 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7DE551@001FSN2MPN1-046.001f.mgd2.msft.net>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Short version
=============
Questions: 

1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?
2] Is the error below related to the KDC's cert chain or the smart card's cert chain?

Long version:
=============

Digging through my notes, I rediscovered the KRB5_TRACE environment variable. As it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had no configured identity. Unrecognized options really should throw an error.

Today's question concerns the assumptions about PKI. My KDC is part of "my" PKI for my local environment, and clients have my "cacert.pem", constructed as instructed on the PKINIT configuration webpage. My smart cards are issued by GSA credentialing centers, and I have provided a valid CA bundle to the KDC. I am getting:

"Cannot create cert chain: unable to get local issuer certificate"

Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, with no attempts to contact the KDC after I provide my PIN.
Questions: 

1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?
2] Is the error above related to the KDC's cert chain or the smart card's cert chain?

Thanks,
Bryce

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
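The post above has two separate chains in play: the KDC certificate, which the client verifies against the anchors it has in krb5.conf (pkinit_anchors), and the smart card certificate, which the KDC verifies against the anchors in kdc.conf. The script below is an added example, not part of the original message or of MIT krb5; it builds two unrelated toy CAs (a "local" PKI that issues a KDC certificate, and a "card issuer" PKI that issues a card-style certificate), then runs each end-entity certificate through `openssl verify` against each anchor bundle so the exact string from the post, "unable to get local issuer certificate", can be seen coming from one pairing and not the others. It assumes only the openssl command-line tool; all file names (local-ca.pem, card-ca.pem, kdc.pem, card.pem, anchors.pem) and subjects are constructed placeholders, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the post or from MIT krb5): reproduce the
# "unable to get local issuer certificate" chain failure with a toy PKI
# and show which anchor bundle each certificate actually chains to.
# Assumes the openssl CLI. All names below are constructed test data.

# issue_cert DIR NAME CA SUBJECT: end-entity cert DIR/NAME.pem signed by
# DIR/CA-ca.pem (the toy CA's key is DIR/CA-ca.key).
issue_cert() {
    dir=$1; name=$2; ca=$3; subj=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$name.csr" \
        -CA "$dir/$ca-ca.pem" -CAkey "$dir/$ca-ca.key" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

# make_demo_pki DIR: two unrelated roots, a KDC cert under the "local" root
# (the poster's cacert.pem stands in this role) and a smart-card-style cert
# under the "card" root (the externally issued card CA bundle).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/local-ca.key" -out "$dir/local-ca.pem" \
        -subj "/CN=Local PKINIT CA (constructed)" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/card-ca.key" -out "$dir/card-ca.pem" \
        -subj "/CN=Card Issuer CA (constructed)" 2>/dev/null
    issue_cert "$dir" kdc  local "/CN=kdc.example.test"
    issue_cert "$dir" card card  "/CN=card holder (constructed)"
}

# chain_ok CERT BUNDLE: exit 0 if CERT chains to an anchor in BUNDLE.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# chain_error CERT BUNDLE: "OK", or the OpenSSL reason string for the
# failure, e.g. "unable to get local issuer certificate" (error 20).
chain_error() {
    if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then
        echo OK
    else
        # openssl prints "error 20 at 0 depth lookup: <reason>"; keep <reason>.
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

# Stand-alone demo: the three pairings a PKINIT deployment cares about, plus
# a single bundle containing both roots (the two chains need not share one
# anchor as long as each root is present where that chain is checked).
demo=$(mktemp -d)
make_demo_pki "$demo"
cat "$demo/local-ca.pem" "$demo/card-ca.pem" > "$demo/anchors.pem"
echo "kdc.pem  vs local-ca.pem : $(chain_error "$demo/kdc.pem"  "$demo/local-ca.pem")"
echo "card.pem vs card-ca.pem  : $(chain_error "$demo/card.pem" "$demo/card-ca.pem")"
echo "card.pem vs local-ca.pem : $(chain_error "$demo/card.pem" "$demo/local-ca.pem")"
echo "card.pem vs anchors.pem  : $(chain_error "$demo/card.pem" "$demo/anchors.pem")"
echo "kdc.pem  vs anchors.pem  : $(chain_error "$demo/kdc.pem"  "$demo/anchors.pem")"
```

Run against a real deployment, substitute the client's pkinit_anchors file for local-ca.pem, the KDC's pkinit_anchors file for card-ca.pem, the KDC certificate for kdc.pem and the certificate exported from the card for card.pem; whichever pairing prints the reason string is the chain the library is rejecting. Two caveats. First, the check only covers chain building; PKINIT additionally requires the right EKU and SAN contents on the KDC certificate, which `openssl verify` does not test. Second, the MIT client builds the chain for its own (card) certificate locally before the AS-REQ is sent, so the card's issuer also has to be reachable from the anchors or pool the client is configured with; that is my reading of the client behaviour and is not something the post itself states, but it matches the symptom described above (a PIN prompt followed by no further traffic to the KDC), and running kinit under KRB5_TRACE as the poster did will show where the chain step fails.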
