
Re: PKINIT cert chains

daemon@ATHENA.MIT.EDU (Tom Yu)
Thu May 21 19:03:20 2015

From: Tom Yu <tlyu@mit.edu>
To: "Nordgren\, Bryce L -FS" <bnordgren@fs.fed.us>
Date: Thu, 21 May 2015 19:03:03 -0400
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7DE655@001FSN2MPN1-046.001f.mgd2.msft.net>
	(Bryce L. Nordgren's message of "Thu, 21 May 2015 22:06:32 +0000")
Message-ID: <ldvoaldy1nc.fsf@sarnath.mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> writes:

> Attached, please find a tarball of config and certs and disposable private keys on my test system (which has both KDC and client). Also, home/bnordgren/mycert1.pem is the cert off of my smart card.

Thanks.  I think you're missing the "OU=Entrust Managed Services Root
CA" root from that set of certs.  I couldn't get mycert1.pem to validate
with "openssl verify" even after renaming the PEM files in
etc/pki/kdc/fs_ca to have .crt suffixes and running c_rehash to make
hash symlinks in that directory.

> In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC and one for the smart card. The pkinit_pool lines contain all the intermediate certs. 

Have you tried making a concatenated PEM file with the entire cert chain?

> Is there any way to tell the client to not make a CA bundle to send to the KDC? If I haven't spoon-fed the KDC what it needs, it should say "no". 

Unfortunately, although there is a "include_certchain" parameter for
cms_signeddata_create(), all of the callers in the pkinit module
hardcode it to 1 when they call it.  I would have to check the RFC to
determine whether it's allowed to omit the intermediate certs.

-Tom
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
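The chain-validation problem discussed above, as an added demonstration that is not part of Tom Yu's reply or of the krb5 project: the script builds a throwaway root -> intermediate -> end-entity chain with openssl (the "Demo" names, the temp paths and the serial numbers are all constructed), shows that "openssl verify" fails when only the intermediate is available (the missing-root situation described in the reply), and then shows the three layouts that let it succeed: a concatenated PEM bundle, separate anchor and untrusted-intermediate inputs, and a hashed directory built the way c_rehash builds one. It assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added demonstration (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with openssl, show why verification without the root anchor fails, then show the
# layouts that make it succeed. All names, paths and serials below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = Demo
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

gen_chain() {
  # Self-signed root (plays the role the missing "Entrust ... Root CA" played in the thread)
  q openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca -days 1 \
      -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
      -subj "/O=Demo/OU=Demo Root CA"
  # Intermediate CA signed by the root
  q openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/O=Demo/OU=Demo Issuing CA"
  q openssl x509 -req -days 1 -set_serial 2 -in "$WORK/inter.csr" \
      -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -extfile "$WORK/demo.cnf" -extensions v3_ca -out "$WORK/inter.pem"
  # End-entity cert signed by the intermediate (the smart-card cert's role)
  q openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/O=Demo/CN=demo user"
  q openssl x509 -req -days 1 -set_serial 3 -in "$WORK/leaf.csr" \
      -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
      -extfile "$WORK/demo.cnf" -extensions v3_leaf -out "$WORK/leaf.pem"
}

# Only the intermediate is offered as trusted: the chain never reaches a self-signed
# root, so openssl verify rejects the leaf (exit status non-zero).
verify_intermediate_only() { q openssl verify -CAfile "$WORK/inter.pem" "$WORK/leaf.pem"; }

# Layout 1: one concatenated PEM bundle holding root + intermediate.
verify_bundle() {
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
  q openssl verify -CAfile "$WORK/chain.pem" "$WORK/leaf.pem"
}

# Layout 2: anchors and intermediates kept apart, the split that pkinit_anchors
# (trusted roots) and pkinit_pool (intermediates) express in the krb5 config.
verify_anchor_plus_pool() {
  q openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
}

# Layout 3: a hashed directory with subject-hash symlinks, as c_rehash produces.
verify_hashdir() {
  mkdir -p "$WORK/capath"
  for c in root inter; do
    cp "$WORK/$c.pem" "$WORK/capath/$c.crt"
    h=$(openssl x509 -noout -subject_hash -in "$WORK/$c.pem")
    ln -sf "$c.crt" "$WORK/capath/$h.0"
  done
  q openssl verify -CApath "$WORK/capath" "$WORK/leaf.pem"
}

report() { if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }

gen_chain
report verify_intermediate_only   # FAILED: no root anchor, the thread's missing-root case
report verify_bundle              # OK
report verify_anchor_plus_pool    # OK
report verify_hashdir             # OK
```

The first check is the one that reproduces the thread's symptom: an intermediate on its own is never a trust anchor, so the leaf cannot be validated until the root is supplied. The bundle corresponds to the single concatenated PEM suggested in the reply, and the hashed directory to the renamed-.crt-plus-c_rehash layout that was tried; in krb5.conf the FILE: form of pkinit_anchors and pkinit_pool points at a PEM file and the DIR: form at a directory.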