Invalid signature while getting initial credentials

Douglas E. Engert deengert at anl.gov
Tue Feb 23 10:26:49 EST 2010



vinay kumar wrote:
> Hi all,
> 
> I have enabled PKINIT, but when I try to do
> kinit -X X509_user_identity=FILE:/client/client.crt,/client/client.key vinay
> I am getting the following error:
> 
> kinit(v5): Invalid signature while getting initial credentials
> 
> client.crt and kdc.crt are both signed by ca.key. The method I have
> adopted to generate the certificates is as follows:
> /************  CA certificates ***********/
> openssl genrsa -out ca.key 2048
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
> 
> at the end of this I have ca.crt and ca.key, where ca.crt is self-signed
> 
> /************* END of CA crt **************/
> 
> /************* Client certificate *********/
> 
> openssl genrsa -out client.key 2048
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -signkey ca.key -extfile extension.c -extensions client_cert -out client.crt
> 
> at the end of this I have client.crt and client.key, which are signed by
> ca.key
> 
> /************* END of client crt ***********/
> 
> /************* KDC certificate *************/
> 
> openssl genrsa -out kdc.key 2048
> openssl req -new -key kdc.key -out kdc.csr
> openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extfile extension.c -extensions kdc_cert -out kdc.crt
> 
> /************* END of KDC crt **************/
> 
> The extension file contains the details for the extensions to include; its
> contents come from the following link:
>  http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
> 
> ***************************client.crt**************************************************
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             d4:f0:fe:50:5f:4a:13:ba
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: OU=gesl, CN=vinay
>         Validity
>             Not Before: Feb 23 08:50:32 2010 GMT
>             Not After : Feb 23 08:50:32 2011 GMT
>         Subject: OU=gesl, CN=vinay
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
>                     c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
>                     ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
>                     c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
>                     6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
>                     95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
>                     d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
>                     77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
>                     57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
>                     1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
>                     fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
>                     c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
>                     5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
>                     8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
>                     ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
>                     bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
>                     0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
>                     8b:7f
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Key Encipherment, Key Agreement
>             X509v3 Extended Key Usage:
>                 1.3.6.1.5.2.3.4
>             X509v3 Subject Key Identifier:
>                 30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
>             X509v3 Authority Key Identifier:
>                 keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
>             X509v3 Subject Alternative Name:
>                 othername:<unsupported>
>             X509v3 Issuer Alternative Name:
>                 othername:<unsupported>
>     Signature Algorithm: sha1WithRSAEncryption
>         31:85:60:ff:18:7c:5f:9f:b7:73:92:f9:89:4b:03:24:26:b9:
>         8e:e0:11:5a:2d:a5:fb:06:e3:de:c1:9b:a5:75:4c:0b:f3:2f:
>         b5:f5:97:13:d0:42:ee:af:b1:e3:30:32:5b:95:8d:ed:3f:2a:
>         f6:0a:50:24:13:b2:4a:59:14:85:f9:92:22:5d:c3:f4:07:31:
>         1b:73:9f:76:c7:de:30:53:46:61:d4:11:6d:f3:18:40:09:c0:
>         04:d3:81:38:2b:46:4d:13:38:44:e9:57:d1:e7:dc:04:49:bf:
>         09:b4:cb:98:84:c2:57:bd:83:f9:b9:f5:17:95:9c:63:c8:30:
>         e5:88:1b:19:7d:bd:02:21:f8:a0:9d:91:d9:f5:6b:a2:fb:72:
>         4a:ad:a4:a3:4c:f7:e2:74:7a:27:3f:b0:9c:61:d1:51:73:eb:
>         d6:c0:7c:07:47:10:59:bf:a9:23:90:a0:f4:61:e5:59:3d:28:
>         df:67:6d:ad:54:8d:31:fe:03:af:4f:ba:b8:cd:1a:4d:16:33:
>         47:b8:cf:31:47:05:c8:8a:df:64:c0:b6:7b:f6:1b:e5:87:dc:
>         eb:19:fb:61:4d:ca:cf:70:18:b5:bf:fd:11:a3:b3:ab:1e:a2:
>         32:f2:b1:97:fc:87:45:05:83:cf:da:25:ee:8b:0b:5d:9e:b3:
>         d5:d1:0c:a4
> ********************************************************************************************
> My kdc.crt is as follows:
> ****************************kdc.crt********************************************************
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             d5:61:4d:c6:f6:3e:e9:11
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: OU=gesl, CN=vinay
>         Validity
>             Not Before: Feb 23 08:52:16 2010 GMT
>             Not After : Feb 23 08:52:16 2011 GMT
>         Subject: OU=gesl, CN=vinay
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
>                     c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
>                     ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
>                     c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
>                     6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
>                     95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
>                     d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
>                     77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
>                     57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
>                     1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
>                     fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
>                     c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
>                     5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
>                     8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
>                     ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
>                     bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
>                     0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
>                     8b:7f
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation, Key Encipherment,
> Key Agreement
>             X509v3 Extended Key Usage:
>                 1.3.6.1.5.2.3.5
>             X509v3 Subject Key Identifier:
>                 30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
>             X509v3 Authority Key Identifier:
>                 keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
>             X509v3 Issuer Alternative Name:
>                 <EMPTY>
> 
>             X509v3 Subject Alternative Name:
>                 othername:<unsupported>
>     Signature Algorithm: sha1WithRSAEncryption
>         76:f4:f8:3d:9d:cc:9b:52:4c:27:a2:77:bb:c1:09:2c:8d:1f:
>         d0:c6:08:4f:5f:e6:30:50:c0:f8:83:94:b4:91:4e:2d:35:aa:
>         11:d2:8e:4e:70:27:7b:cb:00:89:66:40:17:cf:2b:f0:d3:19:
>         1b:dc:7c:9e:0b:78:b2:b3:df:ef:bd:da:a3:10:49:fc:9c:f7:
>         b9:39:06:75:6d:a9:3f:82:67:93:01:9f:ac:ba:bd:aa:0a:85:
>         a6:97:8c:a9:00:74:80:d1:80:2b:1c:30:d3:2d:fe:ca:27:98:
>         7d:41:1e:fe:1b:d9:30:ab:c4:1e:84:01:60:d4:12:1b:f1:15:
>         3b:8a:a3:a7:f3:15:c7:54:e4:7b:2a:8b:a7:45:7b:4b:5b:a2:
>         30:c6:bf:6c:fb:39:c2:09:cb:33:1d:5d:19:91:f5:26:5f:09:
>         85:12:60:b6:fb:dc:de:71:7a:9d:5e:32:8f:30:f1:73:10:39:
>         f9:e7:24:4b:e4:43:6e:43:84:69:17:6f:95:54:53:f1:a7:83:
>         b0:e1:a7:7b:5b:07:e5:ec:c4:ae:9c:39:e3:c4:8c:b2:e9:a6:
>         7d:20:92:3a:d6:6c:64:91:d5:23:f7:5a:a6:96:81:64:b9:30:
>         f7:8c:1a:90:03:6d:6b:63:5a:d6:24:1b:e7:2e:75:7b:44:17:
>         58:a3:0e:64
> *********************************************************************************************
> What is the reason for getting this error? Is the method I followed to
> generate the certificates right? Please kindly guide me.

Both certificates have the same key! That won't work.


They also have the same SubjectName and thus the same issuerName.

I would suggest that you use the OpenSSL ssl/misc/CA.sh script
to generate the CA and other certificates.

Try running the openssl verify command against your CA and user
certs before trying the PKINIT.

If you send the certs in future e-mail, send the PEM format too,
so people can verify the signatures too.


> 
> Regards,
> Vinay
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
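Added example, not code from this thread or from the MIT krb5 project: a POSIX shell script that builds the CA, client and KDC certificates with one key pair each, issuing the two leaf certs with -CA/-CAkey instead of -signkey (the -signkey form in the quoted commands makes openssl self-sign a cert carrying the CA's key, which is why both certs above show the same modulus and the same issuer/subject), and then runs the openssl verify check suggested in the reply plus a check that the two leaf public keys differ. Assumptions: the realm name EXAMPLE.COM, the subject names used, and an extension config written inline whose PKINIT EKU OIDs are those from the certs above and whose principal-name SAN layout follows the MIT krb5 PKINIT documentation rather than the poster's extension.c; the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the thread): PKINIT CA, client and KDC certs with
# one key pair each, verified before any kinit attempt. Assumptions: realm
# EXAMPLE.COM, the subject names below, and the inline extension config.
set -eu

REALM="${REALM:-EXAMPLE.COM}"   # assumed realm
CLIENT="${CLIENT:-vinay}"       # client principal name from the thread
export REALM CLIENT             # openssl expands ${ENV::...} at config load

# Extension config: CA:TRUE for the CA, PKINIT EKUs (1.3.6.1.5.2.3.4 client,
# 1.3.6.1.5.2.3.5 KDC) and the id-pkinit-san (1.3.6.1.5.2.2) principal name.
write_ext_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_cert]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:${ENV::CLIENT}
EOF
}

# Generate everything into directory $1. Only the CA is self-signed
# (-signkey); the leaves are issued with -CA/-CAkey, so each keeps its own
# key and names the CA as issuer.
make_pkinit_certs() {
    d="$1"
    write_ext_cnf "$d/ext.cnf"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -config "$d/ext.cnf" -key "$d/ca.key" \
        -subj "/OU=gesl/CN=Test CA" -out "$d/ca.csr"
    openssl x509 -req -days 365 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ext.cnf" -extensions ca_cert -out "$d/ca.crt"
    for name in client kdc; do
        openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
        openssl req -new -config "$d/ext.cnf" -key "$d/$name.key" \
            -subj "/OU=gesl/CN=$name" -out "$d/$name.csr"
        openssl x509 -req -days 365 -in "$d/$name.csr" \
            -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -extfile "$d/ext.cnf" -extensions "${name}_cert" -out "$d/$name.crt"
    done
}

# The pre-PKINIT check from the reply: both leaves must verify against the
# CA, and they must not share a public key.
verify_pkinit_certs() {
    d="$1"
    ok=$(openssl verify -CAfile "$d/ca.crt" "$d/client.crt" "$d/kdc.crt" \
         2>/dev/null | grep -c ': OK$' || true)
    [ "$ok" -eq 2 ] || return 1
    client_pub=$(openssl x509 -in "$d/client.crt" -noout -pubkey | openssl dgst -sha256)
    kdc_pub=$(openssl x509 -in "$d/kdc.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$client_pub" != "$kdc_pub" ] || return 1
}

run_demo() {
    demo_dir=$(mktemp -d)
    make_pkinit_certs "$demo_dir"
    verify_pkinit_certs "$demo_dir" && echo "chain OK, distinct keys: $demo_dir"
}

run_demo
```

Run the script as-is to get a verified set of test certificates in a temporary directory; the same two checks in verify_pkinit_certs, pointed at the poster's files, would have reported the shared key before kinit ever reported "Invalid signature".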