Invalid signature while getting initial credentials

vinay kumar winay.l at gmail.com
Tue Feb 23 06:28:33 EST 2010


Hi all,

I have enabled PKINIT, but when I try to do
kinit -X X509_user_identity=FILE:/client/client.crt,/client/client.key vinay
I am getting the following error:

kinit(v5): Invalid signature while getting initial credentials

client.crt and kdc.crt are both signed by ca.key. The method I have
adopted to generate the certificates is as follows:
/************  CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self-signed.

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey ca.key -extfile extension.c -extensions client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by
ca.key.

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extfile extension.c -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

The extension file contains the details for including the extensions; it
contains the data from the following link:
http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html

***************************client.crt**************************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d4:f0:fe:50:5f:4a:13:ba
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=gesl, CN=vinay
        Validity
            Not Before: Feb 23 08:50:32 2010 GMT
            Not After : Feb 23 08:50:32 2011 GMT
        Subject: OU=gesl, CN=vinay
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
                    c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
                    ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
                    c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
                    6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
                    95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
                    d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
                    77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
                    57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
                    1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
                    fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
                    c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
                    5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
                    8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
                    ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
                    bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
                    0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
                    8b:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.4
            X509v3 Subject Key Identifier:
                30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Authority Key Identifier:
                keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Subject Alternative Name:
                othername:<unsupported>
            X509v3 Issuer Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        31:85:60:ff:18:7c:5f:9f:b7:73:92:f9:89:4b:03:24:26:b9:
        8e:e0:11:5a:2d:a5:fb:06:e3:de:c1:9b:a5:75:4c:0b:f3:2f:
        b5:f5:97:13:d0:42:ee:af:b1:e3:30:32:5b:95:8d:ed:3f:2a:
        f6:0a:50:24:13:b2:4a:59:14:85:f9:92:22:5d:c3:f4:07:31:
        1b:73:9f:76:c7:de:30:53:46:61:d4:11:6d:f3:18:40:09:c0:
        04:d3:81:38:2b:46:4d:13:38:44:e9:57:d1:e7:dc:04:49:bf:
        09:b4:cb:98:84:c2:57:bd:83:f9:b9:f5:17:95:9c:63:c8:30:
        e5:88:1b:19:7d:bd:02:21:f8:a0:9d:91:d9:f5:6b:a2:fb:72:
        4a:ad:a4:a3:4c:f7:e2:74:7a:27:3f:b0:9c:61:d1:51:73:eb:
        d6:c0:7c:07:47:10:59:bf:a9:23:90:a0:f4:61:e5:59:3d:28:
        df:67:6d:ad:54:8d:31:fe:03:af:4f:ba:b8:cd:1a:4d:16:33:
        47:b8:cf:31:47:05:c8:8a:df:64:c0:b6:7b:f6:1b:e5:87:dc:
        eb:19:fb:61:4d:ca:cf:70:18:b5:bf:fd:11:a3:b3:ab:1e:a2:
        32:f2:b1:97:fc:87:45:05:83:cf:da:25:ee:8b:0b:5d:9e:b3:
        d5:d1:0c:a4
********************************************************************************************
My kdc.crt is as follows:
****************************kdc.crt********************************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:61:4d:c6:f6:3e:e9:11
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=gesl, CN=vinay
        Validity
            Not Before: Feb 23 08:52:16 2010 GMT
            Not After : Feb 23 08:52:16 2011 GMT
        Subject: OU=gesl, CN=vinay
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
                    c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
                    ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
                    c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
                    6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
                    95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
                    d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
                    77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
                    57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
                    1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
                    fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
                    c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
                    5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
                    8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
                    ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
                    bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
                    0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
                    8b:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.5
            X509v3 Subject Key Identifier:
                30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Authority Key Identifier:
                keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Issuer Alternative Name:
                <EMPTY>
            X509v3 Subject Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        76:f4:f8:3d:9d:cc:9b:52:4c:27:a2:77:bb:c1:09:2c:8d:1f:
        d0:c6:08:4f:5f:e6:30:50:c0:f8:83:94:b4:91:4e:2d:35:aa:
        11:d2:8e:4e:70:27:7b:cb:00:89:66:40:17:cf:2b:f0:d3:19:
        1b:dc:7c:9e:0b:78:b2:b3:df:ef:bd:da:a3:10:49:fc:9c:f7:
        b9:39:06:75:6d:a9:3f:82:67:93:01:9f:ac:ba:bd:aa:0a:85:
        a6:97:8c:a9:00:74:80:d1:80:2b:1c:30:d3:2d:fe:ca:27:98:
        7d:41:1e:fe:1b:d9:30:ab:c4:1e:84:01:60:d4:12:1b:f1:15:
        3b:8a:a3:a7:f3:15:c7:54:e4:7b:2a:8b:a7:45:7b:4b:5b:a2:
        30:c6:bf:6c:fb:39:c2:09:cb:33:1d:5d:19:91:f5:26:5f:09:
        85:12:60:b6:fb:dc:de:71:7a:9d:5e:32:8f:30:f1:73:10:39:
        f9:e7:24:4b:e4:43:6e:43:84:69:17:6f:95:54:53:f1:a7:83:
        b0:e1:a7:7b:5b:07:e5:ec:c4:ae:9c:39:e3:c4:8c:b2:e9:a6:
        7d:20:92:3a:d6:6c:64:91:d5:23:f7:5a:a6:96:81:64:b9:30:
        f7:8c:1a:90:03:6d:6b:63:5a:d6:24:1b:e7:2e:75:7b:44:17:
        58:a3:0e:64
*********************************************************************************************
What is the reason for getting this error? Is the method followed to
generate the certificates right? Please kindly guide me.

Regards,
Vinay
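A check for the certificate setup described in the post, added here as an example and not part of the original message or of MIT Kerberos: it reproduces the two ways of signing a CSR with openssl x509 -req (the post's -signkey ca.key form and the CA-issuing -CA/-CAkey form) and tests whether each resulting certificate carries the client's own public key and chains to the CA. openssl's -signkey makes the output self-signed by the supplied key and replaces the certificate's public key with that key's public half, which is what the two pasted dumps show: the same modulus in client.crt and kdc.crt, Issuer equal to Subject, and identical Subject and Authority Key Identifiers. Assumes a POSIX shell and the openssl CLI; the file names client_signkey.crt, client_ca.crt and ca.ext are my own.

```shell
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# A small CA: the post's commands plus -subj (no prompts) and a one-line
# extension file so that ca.crt carries basicConstraints CA:TRUE.
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/OU=gesl/CN=ca" -out ca.csr 2>/dev/null
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -extfile ca.ext \
    -out ca.crt 2>/dev/null

# The client's own key pair and CSR.
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -subj "/OU=gesl/CN=vinay" \
    -out client.csr 2>/dev/null

# Variant A: "-signkey ca.key", as in the post. -signkey makes the output
# self-signed by the supplied key: Issuer becomes Subject and the public
# key in the certificate is replaced by ca.key's public half.
openssl x509 -req -days 365 -in client.csr -signkey ca.key \
    -out client_signkey.crt 2>/dev/null

# Variant B: "-CA/-CAkey" keeps the CSR's public key and issues from ca.crt.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client_ca.crt 2>/dev/null

# Returns 0 when the public key inside certificate $1 is the public half of
# private key $2, i.e. the key kinit will sign the PKINIT request with.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# Returns 0 when certificate $1 chains to ca.crt and is not self-issued.
issued_by_ca() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    [ "$s" != "$i" ]
}

# Report both variants; a PKINIT client certificate needs both checks to pass.
for f in client_signkey.crt client_ca.crt; do
    key_matches "$f" client.key && m="matches" || m="does NOT match"
    issued_by_ca "$f" && c="issued by ca.crt" || c="NOT issued by ca.crt"
    echo "$f: public key $m client.key; $c"
done
```

The same two checks apply to kdc.crt against kdc.key; the KDC certificate must likewise contain its own key and be issued by the CA the client trusts.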