[38199] in Kerberos
Re: Certificate error
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Feb 8 11:40:00 2018
To: J.Witvliet@mindef.nl, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <79c1879c-a9d7-2661-e7c9-2278d6ef3ce9@mit.edu>
Date: Thu, 8 Feb 2018 11:39:37 -0500
MIME-Version: 1.0
In-Reply-To: <20180208135249.DA3C821DF2B@mx4-out.mindef.nl>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 02/08/2018 08:51 AM, J.Witvliet@mindef.nl wrote:
> [2676] 1518080701.322720: Sending request (154 bytes) to MOD.NL (master)
> kinit: Can't verify certificate while getting initial credentials
>
> Am I correct, in assuming that at the side of the KDC the problem lies;
> that the KDC is unable to retrieve the (sub-)CA's for validating my certificate?
I think that is a correct assumption.
The error came from the KDC, not from the client (because it immediately
follows a 'Sending request' trace log). The message corresponds to the
protocol error code KDC_ERR_CANT_VERIFY_CERTIFICATE. You didn't say
what implementation is used on the KDC, but RFC 4556 prescribes this
error code for when "the KDC cannot build a certification path to
validate the client's certificate". In the MIT krb5 KDC implementation,
we respond with that error code when OpenSSL's X509_verify_cert() yields
an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT or
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.
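The path-building failure described above can be reproduced on the command line before touching the KDC. The script below is an added example, not part of the original message: it builds a constructed test PKI (root CA, sub-CA, client certificate) with the openssl CLI and then verifies the client certificate once with only the root as anchor and once with the sub-CA supplied as an untrusted intermediate, showing the error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) that the KDC maps to KDC_ERR_CANT_VERIFY_CERTIFICATE.

```shell
#!/bin/sh
# Added example (not from the message above): reproduce the path-building
# check the KDC performs, using the openssl CLI and a constructed test PKI:
#   Example Root CA -> Example Sub CA -> client certificate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA (the trust anchor the KDC would be configured with).
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
# Sub-CA issued by the root; it must carry CA:TRUE to be usable in a path.
openssl req -sha256 -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Example Sub CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -sha256 -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out sub.pem -days 30 -extfile sub.ext >/dev/null 2>&1
# Client (PKINIT user) certificate issued by the sub-CA.
openssl req -sha256 -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=user" >/dev/null 2>&1
openssl x509 -req -sha256 -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -out client.pem -days 30 >/dev/null 2>&1

# check_path ANCHORS [POOL]: verify client.pem trusting only ANCHORS, with POOL
# (if given) supplying untrusted intermediates, which is what X509_verify_cert()
# does inside the KDC. Prints "OK" on success, otherwise the OpenSSL error text;
# exit status 0 only when a path was built.
check_path() {
  status=0
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" client.pem 2>&1) || status=$?
  else
    out=$(openssl verify -CAfile "$1" client.pem 2>&1) || status=$?
  fi
  if [ "$status" -eq 0 ]; then echo OK; return 0; fi
  # Error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the case the
  # KDC turns into KDC_ERR_CANT_VERIFY_CERTIFICATE.
  echo "$out" | grep -o 'unable to get.*issuer certificate' || echo "$out"
  return 1
}

echo "anchor only:      $(check_path root.pem)"
echo "anchor + sub-CA:  $(check_path root.pem sub.pem)"
```

On an MIT krb5 KDC the ANCHORS role is played by pkinit_anchors and the POOL role by pkinit_pool in kdc.conf, so the second call corresponds to a KDC that has the sub-CA available and the first to one that does not.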
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos