error invalid certificate
Kevin Coffman
kwc at umich.edu
Fri May 30 09:53:37 EDT 2008
I see no v3 extensions in either your KDC or user certificates.
You'll need to fix both.
Here is what my (expired) client cert looks like. (Notice the "X509v3
extensions"):
Version: 3 (0x2)
Serial Number: 68454 (0x10b66)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Michigan, L=Ann Arbor, O=University of Michigan, CN=CITI Production KCA
Validity
Not Before: May 18 21:39:00 2007 GMT
Not After : May 17 21:39:00 2008 GMT
Subject: C=US, ST=Michigan, L=Ann Arbor, O=University of Michigan, OU=CITI Production KCA, CN=Kevin Coffman
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ee:6d:8b:06:d7:af:2d:80:4c:e2:d7:c5:46:2c:
b1:54:bb:b1:74:23:c0:8b:9d:a9:44:30:ac:a5:92:
04:cb:a9:ab:bf:4f:d2:8b:53:f7:cd:a4:58:78:a7:
91:fb:d0:7e:60:1a:d2:9d:f8:b6:7a:b1:85:b5:36:
ab:c0:43:f9:8c:a6:0a:e1:9f:96:fc:46:5e:39:f0:
2d:5b:98:7e:b2:23:43:85:e4:5f:e2:7e:a9:39:2b:
7a:08:02:bf:03:04:a4:6f:96:f3:8a:4e:96:d1:e8:
93:53:8d:9e:a2:bf:af:0e:e6:db:14:af:6b:cf:d1:
53:f9:ea:e9:bd:3a:4a:5a:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection,
Microsoft Smartcardlogin, 1.3.6.1.5.2.3.4
Netscape Comment:
OpenSSL Generated Certificate
X509v3 CRL Distribution Points:
URI:http://www.citi.umich.edu/projects/pkinit/citi_production_crls.crl
X509v3 Subject Key Identifier:
71:5A:29:55:F8:F9:3A:93:A7:E6:78:92:BD:E6:5B:06:02:B7:58:B4
X509v3 Authority Key Identifier:
keyid:65:CC:2C:0A:2E:D3:58:2F:C7:17:09:73:E4:EF:6A:DF:D3:40:7C:30
DirName:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/CN=CITI Production KCA
serial:34:EB
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
X509v3 Issuer Alternative Name:
<EMPTY>
Signature Algorithm: sha1WithRSAEncryption
bb:af:cc:86:87:b6:49:83:9f:e9:87:2e:71:55:d1:4b:4e:d7:
f5:6e:10:0a:51:a7:da:aa:12:f4:1d:05:69:30:0d:4f:ee:20:
74:c9:01:d3:f2:ff:69:37:0a:86:d4:fe:5d:15:10:1f:bb:21:
2c:ad:34:97:87:9d:46:bb:93:59:4c:23:2b:4b:1b:fb:39:a8:
6d:1e:cb:32:2c:47:8e:fc:71:89:90:fc:5d:43:9d:13:0e:11:
39:c6:96:3e:15:07:91:62:12:f8:dd:92:3c:0a:14:5b:5b:06:
5e:9e:87:11:7f:d0:f1:aa:92:71:45:79:4d:9e:d3:b9:ff:7f:
3a:98:90:5b:0d:c3:c5:83:3c:a4:1e:63:54:fa:cc:89:b5:d0:
bd:32:eb:34:30:8d:48:68:fb:71:94:30:2d:7e:b0:59:da:7f:
da:42:4d:cc:a2:ef:55:26:47:14:42:69:70:2e:ae:b0:d3:87:
89:25:2c:28:75:fa:26:3d:8a:83:43:51:27:4c:16:f8:c1:8b:
db:53:2f:2d:8c:8c:3a:09:71:bf:4c:45:f1:9e:84:17:27:76:
f4:ae:63:ec:80:18:58:f9:98:af:2c:e1:51:8a:8e:bc:00:d2:
2b:ef:bd:37:e9:85:51:e6:d2:f5:5c:a5:3c:cd:71:23:92:54:
49:e5:de:66
On Fri, May 30, 2008 at 8:50 AM, naveen.bn <naveen.bn at globaledgesoft.com> wrote:
> Hi Kevin,
>
> I am getting this invalid certificate and in the krb5kdc log file I am
> getting certificate signature failure, but why?
> And also I am not able to see the contents of the certificates in the
> ethereal capture or the contents of the PA-DAS. Why is the request
> going with the PA-DAS and why not PA-PK-AS-REQ?
> This is the message displayed after doing kinit and the contents of the
> certificates are displayed below.
>
> kinit -X X509_user_identity=FILE:/client/naveen.pem,/client/naveen.key
> naveen
> kinit(v5): Invalid certificate while getting initial credentials
>
> This is the contents of my certificates
> /**************** CA certificate ca.pem *************************/
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number:
> c0:cd:bd:5b:35:16:57:06
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=in, O=globaledgesoft, OU=test, CN=ca
> Validity
> Not Before: May 30 10:54:58 2008 GMT
> Not After : May 30 10:54:58 2009 GMT
> Subject: C=in, O=globaledgesoft, OU=test, CN=ca
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:aa:6d:c5:a1:e4:78:a2:8b:c8:c9:64:1e:55:c3:
> 2a:92:34:fc:db:0c:fd:7b:db:61:ff:27:6a:b8:d5:
> a6:2e:9c:10:78:28:b7:55:1c:85:73:e1:c9:ef:c1:
> 2a:4c:6f:68:a6:fa:21:39:84:03:f0:28:9e:52:5a:
> b0:5b:a7:ad:64:23:3d:8b:1c:54:01:0b:72:00:3c:
> 2c:20:21:37:80:c2:ea:6b:18:a9:c0:76:c9:fc:b0:
> 87:5a:18:84:05:23:93:bc:64:7e:43:f2:25:fe:d5:
> 6c:d0:15:08:82:c0:af:16:07:05:57:22:d1:72:7c:
> 0c:8a:9c:8e:58:70:57:b3:ad
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha1WithRSAEncryption
> 4b:10:72:03:29:27:08:16:0b:10:39:dc:a4:e8:36:e7:70:6e:
> 28:e4:55:22:d5:e6:b5:28:d4:95:ed:da:00:79:75:a4:2c:74:
> 59:50:4b:15:c7:6f:3c:45:63:31:b5:56:8e:36:d4:eb:9d:fc:
> 02:b4:56:51:bd:cf:f2:e3:fb:b5:c8:67:e5:ed:82:64:99:76:
> f7:5a:9c:e0:bd:9b:92:53:b6:db:e1:a8:45:78:17:b9:ec:8e:
> 80:3f:9d:6d:fe:38:89:04:af:09:68:93:1d:a2:08:69:99:02:
> 40:d7:f4:42:91:16:4a:e0:65:fc:32:27:d4:49:1b:10:a1:72:
> 11:50
> -----BEGIN CERTIFICATE-----
> MIICCTCCAXICCQDAzb1bNRZXBjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJp
> bjEXMBUGA1UEChMOZ2xvYmFsZWRnZXNvZnQxFDASBgNVBAsTC3BhY2tldGNhYmxl
> MQswCQYDVQQDEwJjYTAeFw0wODA1MzAxMDU0NThaFw0wOTA1MzAxMDU0NThaMEkx
> CzAJBgNVBAYTAmluMRcwFQYDVQQKEw5nbG9iYWxlZGdlc29mdDEUMBIGA1UECxML
> cGFja2V0Y2FibGUxCzAJBgNVBAMTAmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
> iQKBgQCqbcWh5Hiii8jJZB5VwyqSNPzbDP1722H/J2q41aYunBB4KLdVHIVz4cnv
> wSpMb2im+iE5hAPwKJ5SWrBbp61kIz2LHFQBC3IAPCwgITeAwuprGKnAdsn8sIda
> GIQFI5O8ZH5D8iX+1WzQFQiCwK8WBwVXItFyfAyKnI5YcFezrQIDAQABMA0GCSqG
> SIb3DQEBBQUAA4GBAEsQcgMpJwgWCxA53KToNudwbijkVSLV5rUo1JXt2gB5daQs
> dFlQSxXHbzxFYzG1Vo421Oud/AK0VlG9z/Lj+7XIZ+XtgmSZdvdanOC9m5JTttvh
> qEV4F7nsjoA/nW3+OIkErwlokx2iCGmZAkDX9EKRFkrgZfwyJ9RJGxChchFQ
> -----END CERTIFICATE--
> /************************ END of CA ****************************/
>
> /********************** CLIENT cert naveen.pem **************************/
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=in, O=globaledgesoft, OU=text, CN=ca
> Validity
> Not Before: May 30 11:00:19 2008 GMT
> Not After : May 30 11:00:19 2009 GMT
> Subject: C=in, O=globaledgesoft, OU=test, CN=naveen
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (512 bit)
> Modulus (512 bit):
> 00:a9:7b:82:c0:0d:59:b6:8a:3a:3e:66:06:ad:3d:
> c6:ac:25:26:1c:47:dd:38:6f:23:d2:cb:9a:2b:8b:
> 53:da:42:d9:4b:5f:03:31:e7:0d:88:61:f2:c1:4b:
> e6:0e:24:1a:1d:db:a6:53:96:89:a5:ce:f4:ae:e0:
> 2f:e7:77:d9:6b
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha1WithRSAEncryption
> 93:16:30:7b:f4:1e:0c:12:0e:2b:7e:de:9f:58:cd:21:51:ad:
> 00:ee:b0:44:13:b9:ad:51:d0:9c:77:48:2b:c4:6e:eb:6f:f2:
> 2e:11:74:68:a3:58:0f:3a:81:b7:75:d3:b2:53:59:c0:4d:51:
> bd:ee:ff:6d:24:11:d5:8b:5a:f9:af:31:1f:4d:02:1e:98:d0:
> 0b:63:7e:98:e4:ef:5a:d2:57:35:04:94:03:b0:f5:f1:3b:88:
> 4e:4a:b3:bc:a8:3f:26:41:25:65:db:4e:2f:66:d3:8c:a3:a7:
> 92:91:22:ad:7c:e4:3e:83:f4:f3:30:b0:0c:17:74:81:55:35:
> 70:4a
> -----BEGIN CERTIFICATE-----
> MIIBwTCCASoCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCaW4xFzAVBgNV
> BAoTDmdsb2JhbGVkZ2Vzb2Z0MRQwEgYDVQQLEwtwYWNrZXRjYWJsZTELMAkGA1UE
> AxMCY2EwHhcNMDgwNTMwMTEwMDE5WhcNMDkwNTMwMTEwMDE5WjBNMQswCQYDVQQG
> EwJpbjEXMBUGA1UEChMOZ2xvYmFsZWRnZXNvZnQxFDASBgNVBAsTC3BhY2tldGNh
> YmxlMQ8wDQYDVQQDEwZuYXZlZW4wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAqXuC
> wA1Ztoo6PmYGrT3GrCUmHEfdOG8j0suaK4tT2kLZS18DMecNiGHywUvmDiQaHdum
> U5aJpc70ruAv53fZawIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJMWMHv0HgwSDit+
> 3p9YzSFRrQDusEQTua1R0Jx3SCvEbutv8i4RdGijWA86gbd107JTWcBNUb3u/20k
> EdWLWvmvMR9NAh6Y0Atjfpjk71rSVzUElAOw9fE7iE5Ks7yoPyZBJWXbTi9m04yj
> p5KRIq185D6D9PMwsAwXdIFVNXBK
> -----END CERTIFICATE-----
> /******************* end of client certificate **************/
>
> /****************** start of kdc.pem ********************/
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 2 (0x2)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=in, O=globaledgesoft, OU=test, CN=ca
> Validity
> Not Before: May 30 11:03:05 2008 GMT
> Not After : May 30 11:03:05 2009 GMT
> Subject: C=in, O=globaledgesoft, OU=test, CN=kdc
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (512 bit)
> Modulus (512 bit):
> 00:d2:c4:be:81:c5:a5:15:30:10:1a:00:9c:24:a8:
> 11:9e:63:dd:c5:c6:f1:06:4c:d9:66:eb:81:6a:ba:
> 85:5a:55:c8:74:6d:2a:75:ff:ba:44:02:19:d3:2e:
> a7:15:59:8f:62:94:9e:19:d5:0c:05:ce:f7:70:ce:
> 4b:ab:2b:a2:51
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha1WithRSAEncryption
> 5f:e3:33:e0:55:c6:42:66:93:2c:6a:1a:df:12:cc:9e:85:75:
> 4e:d0:1a:7f:45:a3:2a:67:8b:af:39:6c:a5:a3:52:83:9f:95:
> d3:f7:6f:fd:e0:b8:70:51:49:3f:77:2f:cd:fa:d3:e5:74:1f:
> a6:c8:c3:79:7c:d8:3e:17:2e:19:2c:77:fd:c3:d1:3c:d1:25:
> eb:d9:6c:3a:64:16:66:1d:61:63:48:1f:d1:82:89:73:c5:3e:
> 5c:be:5f:99:0d:b3:41:29:1e:a5:51:ca:16:11:6d:3e:2a:4b:
> 60:48:fb:42:44:4b:10:96:d8:6a:30:4d:8a:32:4b:0f:47:19:
> ea:6e
> -----BEGIN CERTIFICATE-----
> MIIBvjCCAScCAQIwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCaW4xFzAVBgNV
> BAoTDmdsb2JhbGVkZ2Vzb2Z0MRQwEgYDVQQLEwtwYWNrZXRjYWJsZTELMAkGA1UE
> AxMCY2EwHhcNMDgwNTMwMTEwMzA1WhcNMDkwNTMwMTEwMzA1WjBKMQswCQYDVQQG
> EwJpbjEXMBUGA1UEChMOZ2xvYmFsZWRnZXNvZnQxFDASBgNVBAsTC3BhY2tldGNh
> YmxlMQwwCgYDVQQDEwNrZGMwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA0sS+gcWl
> FTAQGgCcJKgRnmPdxcbxBkzZZuuBarqFWlXIdG0qdf+6RAIZ0y6nFVmPYpSeGdUM
> Bc73cM5LqyuiUQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAF/jM+BVxkJmkyxqGt8S
> zJ6FdU7QGn9Foypni685bKWjUoOfldP3b/3guHBRST93L8360+V0H6bIw3l82D4X
> Lhksd/3D0TzRJevZbDpkFmYdYWNIH9GCiXPFPly+X5kNs0EpHqVRyhYRbT4qS2BI
> +0JESxCW2GowTYoySw9HGepu
> -----END CERTIFICATE-----
>
> Kindly guide me to get the AS_REP with KDC certificates.
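The check Kevin makes by eye (is the certificate v3 at all, and does it carry an Extended Key Usage that includes the PKINIT client OID 1.3.6.1.5.2.3.4 shown in his working cert?) can be scripted. What follows is an added example, not code from this thread or from MIT Kerberos: a stdlib-only Python DER walk that reports a certificate's version and extension OIDs and lists what is missing for PKINIT client use. It is run against the v1 client certificate quoted above (naveen.pem, copied verbatim from the thread). The OID names in the comments come from RFC 4556 and RFC 5280; the "problems" wording is this example's own, not the KDC's error text.

```python
import base64
import re

# Added example, not code from the thread. Pure-stdlib DER walk that reports the
# X.509 version and the extensions a certificate carries, which is what the reply
# above checks by eye: a v1 certificate has no extensions at all, so it cannot
# carry the Extended Key Usage that PKINIT looks for.

# Client certificate (naveen.pem) exactly as quoted in the thread: a v1 certificate.
CLIENT_V1_PEM = """-----BEGIN CERTIFICATE-----
MIIBwTCCASoCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCaW4xFzAVBgNV
BAoTDmdsb2JhbGVkZ2Vzb2Z0MRQwEgYDVQQLEwtwYWNrZXRjYWJsZTELMAkGA1UE
AxMCY2EwHhcNMDgwNTMwMTEwMDE5WhcNMDkwNTMwMTEwMDE5WjBNMQswCQYDVQQG
EwJpbjEXMBUGA1UEChMOZ2xvYmFsZWRnZXNvZnQxFDASBgNVBAsTC3BhY2tldGNh
YmxlMQ8wDQYDVQQDEwZuYXZlZW4wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAqXuC
wA1Ztoo6PmYGrT3GrCUmHEfdOG8j0suaK4tT2kLZS18DMecNiGHywUvmDiQaHdum
U5aJpc70ruAv53fZawIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJMWMHv0HgwSDit+
3p9YzSFRrQDusEQTua1R0Jx3SCvEbutv8i4RdGijWA86gbd107JTWcBNUb3u/20k
EdWLWvmvMR9NAh6Y0Atjfpjk71rSVzUElAOw9fE7iE5Ks7yoPyZBJWXbTi9m04yj
p5KRIq185D6D9PMwsAwXdIFVNXBK
-----END CERTIFICATE-----"""

EKU_OID = "2.5.29.37"                    # id-ce-extKeyUsage (RFC 5280)
PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"   # id-pkinit-KPClientAuth (RFC 4556), present in the working cert above

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out

def _decode_oid(value):
    """Render a DER-encoded OBJECT IDENTIFIER in dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def inspect_certificate(pem):
    """Return {'version': int, 'extensions': {oid: raw octets}, 'eku': [oid, ...]}."""
    _, cert, _ = _read_tlv(pem_to_der(pem), 0)          # Certificate ::= SEQUENCE
    tbs_fields = _children(_children(cert)[0][1])        # tbsCertificate is its first element
    version = 1                                          # v1 when the [0] Version field is absent
    if tbs_fields[0][0] == 0xA0:                         # [0] EXPLICIT Version INTEGER (0 => v1, 2 => v3)
        version = _children(tbs_fields[0][1])[0][1][0] + 1
    extensions = {}
    for tag, value in tbs_fields:
        if tag == 0xA3:                                  # [3] EXPLICIT Extensions, only legal in v3
            for _, ext in _children(_children(value)[0][1]):
                ext_fields = _children(ext)              # OID, optional BOOLEAN critical, OCTET STRING
                extensions[_decode_oid(ext_fields[0][1])] = ext_fields[-1][1]
    eku = []
    if EKU_OID in extensions:
        _, seq, _ = _read_tlv(extensions[EKU_OID], 0)    # ExtKeyUsageSyntax ::= SEQUENCE OF OID
        eku = [_decode_oid(v) for _, v in _children(seq)]
    return {"version": version, "extensions": extensions, "eku": eku}

def pkinit_client_problems(pem):
    """List what keeps this certificate from being usable as a PKINIT client certificate."""
    info = inspect_certificate(pem)
    problems = []
    if info["version"] != 3:
        problems.append("version %d certificate: no X509v3 extensions possible" % info["version"])
    if EKU_OID not in info["extensions"]:
        problems.append("no Extended Key Usage extension")
    elif PKINIT_CLIENT_AUTH not in info["eku"]:
        problems.append("Extended Key Usage lacks id-pkinit-KPClientAuth %s" % PKINIT_CLIENT_AUTH)
    return problems

if __name__ == "__main__":
    for line in pkinit_client_problems(CLIENT_V1_PEM) or ["no problems found"]:
        print(line)
```

Run on naveen.pem it reports a version 1 certificate with no Extended Key Usage, which is exactly the gap the reply points at; a certificate shaped like Kevin's (v3, EKU containing 1.3.6.1.5.2.3.4) produces an empty list. The same walk can be pointed at kdc.pem, where RFC 4556 expects the KDC's own EKU OID (id-pkinit-KPKdc, 1.3.6.1.5.2.3.5) and a subjectAltName othername carrying the KDC principal, the field openssl prints above as othername:<unsupported>.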