RE: PKINIT cert chains
daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Thu May 21 19:03:56 2015
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Tom Yu <tlyu@mit.edu>
Date: Thu, 21 May 2015 22:06:32 +0000
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Hi Tom,
Attached, please find a tarball of config and certs and disposable private keys on my test system (which has both KDC and client). Also, home/bnordgren/mycert1.pem is the cert off of my smart card.

In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC and one for the smart card. The pkinit_pool lines contain all the intermediate certs.

Is there any way to tell the client to not make a CA bundle to send to the KDC? If I haven't spoon-fed the KDC what it needs, it should say "no".
Bryce
> -----Original Message-----
> From: Tom Yu [mailto:tlyu@mit.edu]
> Sent: Thursday, May 21, 2015 3:07 PM
> To: Nordgren, Bryce L -FS
> Cc: kerberos@mit.edu
> Subject: Re: PKINIT cert chains
>
> "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> writes:
>
> > 1] Does my KDC cert have to chain back to the same anchor as my smart
> > card certificates?
>
> I think no, in general, but configuration might be more complicated for your
> deployment if they're different.
>
> > 2] Is the error below related to the KDC's cert chain or the smart card's cert
> > chain?
>
> I'm not sure, but see below for some speculation.
>
> > Long version:
> > ==========
> >
> > Digging thru my notes, I rediscovered the KRB5_TRACE environment
> > variable. As it turns out I didn't have enough "X's" in -XX509_user_identity.
> > Hence I had no configured identity. Unrecognized options really should
> > throw an error.
> >
> > Today's question concerns the assumptions about PKI. My KDC is part of
> > "my" PKI for my local environment, and clients have my "cacert.pem",
> > constructed as instructed on the PKINIT configuration webpage. My smart
> > cards are issued by GSA credentialing centers, and I have provided a valid CA
> > bundle to the KDC. I am getting:
> >
> > "Cannot create cert chain: unable to get local issuer certificate"
>
> This string is coming from cms_signeddata_create() in
> pkinit_crypto_openssl.c, so it's probably the client trying to create a cert
> chain to send to the KDC with its signed data.
>
> Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to point at
> cacert.pem? Which certs are in cacert.pem? Are there any intermediate CAs
> in the signature chain for the client certs?
>
> -Tom
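The check Tom's questions point at (does the smart-card certificate chain up to something in pkinit_anchors, given the intermediates in pkinit_pool?) can be reproduced outside Kerberos with `openssl verify`, which reports the same "unable to get local issuer certificate" reason when an intermediate is missing from the untrusted pool. The script below is an added example for this thread, not code from the list or from MIT krb5; it generates a disposable root / intermediate / leaf chain with constructed subject names, then runs the check once with only the root as anchor and once with the intermediate supplied as the pool. The `pkinit_chain_check` helper and its argument order are this example's own, not a krb5 tool.

```sh
#!/bin/sh
# Added example (not from the thread or from krb5): build a throwaway
# root -> intermediate -> leaf chain with the openssl CLI, then check whether
# the leaf chains to the anchors, with and without the intermediate available.
# All file names and subjects below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf;
# -subj on the command line overrides the placeholder DN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/leaf.ext"

# newkey_csr NAME SUBJECT: fresh P-256 key plus a CSR for it
newkey_csr() {
  openssl req -new -config "$WORK/req.cnf" -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Root CA: self-signed, CA:TRUE (plays the role of the pkinit_anchors entry)
newkey_csr root "/CN=Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -out "$WORK/root.pem" -days 2 -extfile "$WORK/ca.ext" 2>/dev/null

# Intermediate CA signed by the root (plays the role of the pkinit_pool entry)
newkey_csr inter "/CN=Demo Intermediate CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/inter.pem" -days 2 -extfile "$WORK/ca.ext" 2>/dev/null

# Leaf signed by the intermediate (plays the role of the smart-card cert)
newkey_csr leaf "/CN=demo-smartcard-user"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 2 -extfile "$WORK/leaf.ext" 2>/dev/null

# pkinit_chain_check ANCHORS POOL LEAF
#   ANCHORS: PEM bundle of trusted roots (what pkinit_anchors would point at)
#   POOL:    PEM bundle of untrusted intermediates (what pkinit_pool would
#            point at), or "" for none
#   Prints "chain-ok" or "chain-broken: <openssl's reason>"; always returns 0,
#   so the caller can capture the text under set -e.
pkinit_chain_check() {
  anchors=$1; pool=$2; leaf=$3
  if [ -n "$pool" ]; then
    out=$(openssl verify -CAfile "$anchors" -untrusted "$pool" "$leaf" 2>&1) \
      && echo "chain-ok" || echo "chain-broken: $out"
  else
    out=$(openssl verify -CAfile "$anchors" "$leaf" 2>&1) \
      && echo "chain-ok" || echo "chain-broken: $out"
  fi
  return 0
}

echo "anchors=root, no pool:    $(pkinit_chain_check "$WORK/root.pem" "" "$WORK/leaf.pem")"
echo "anchors=root, pool=inter: $(pkinit_chain_check "$WORK/root.pem" "$WORK/inter.pem" "$WORK/leaf.pem")"
```

The first call fails with openssl's "unable to get local issuer certificate" because the leaf's issuer (the intermediate) is neither an anchor nor in the untrusted pool; the second succeeds because the intermediate is available to complete the path to the root. Run against a real deployment, substitute the anchors file for the first argument, the concatenated pkinit_pool certificates for the second and the exported smart-card certificate for the third; a failure here is a configuration problem to fix before looking at the Kerberos side.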
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos