PKINIT AS-REP "Invalid Signature" (was: PKINIT and -nokey)

Siddharth Mathur smathur at
Tue Jan 13 01:35:39 EST 2015

> CMS Verification failure
> failed to verify pkcs7 signed data
> pkinit_as_rep_parse returning -1765328320 (Invalid signature)
> pkinit_as_rep_parse returned -1765328320 (Invalid signature)
> pkinit_client_process: returning -1765328320 (Invalid signature)

To close this thread, this invalid signature error on the client-side
was due to mismatched X.509 certificates being fed to the KDC
configuration file in "pkinit_identity". Ensuring that they were the
right private key/public key pair fixed the problem.

Of course, the KDC logs didn't mention any errors during or after
startup about this configuration error, but that's another issue ;).
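The mismatch described above can be caught before the KDC ever loads it. The following is an added example (not from this thread or from MIT Kerberos) that uses the openssl CLI to confirm that the certificate and private key named in a FILE:-style pkinit_identity value are a real pair; the file paths shown are assumptions.

```shell
#!/bin/sh
# Added example: verify that a KDC pkinit_identity of the form
#   FILE:/path/to/kdc.pem,/path/to/kdckey.pem
# names a certificate and a private key that belong together.
# The test compares the SubjectPublicKeyInfo embedded in the certificate
# with the public key derived from the private key. Requires openssl.

# Usage: pkinit_pair_matches CERT.pem KEY.pem
# Returns 0 if the key matches the cert, 1 if not, 2 if a file is unreadable.
pkinit_pair_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: pkinit_identity_check "FILE:/path/cert.pem,/path/key.pem"
# Splits the FILE: value into its cert and key parts and checks them.
pkinit_identity_check() {
    ident="${1#FILE:}"
    cert="${ident%%,*}"
    key="${ident#*,}"
    pkinit_pair_matches "$cert" "$key"
}

# Generates constructed demo material in a temp dir (not real KDC credentials):
#   a.crt / a.key  - a matching pair
#   b.key          - an unrelated key that does NOT belong to a.crt
# Prints the directory path.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-kdc" \
        -keyout "$dir/a.key" -out "$dir/a.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/b.key" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone use (paths are assumed examples):
#   sh pkinit_check.sh /etc/krb5kdc/kdc.pem /etc/krb5kdc/kdckey.pem
if [ "$#" -eq 2 ]; then
    if pkinit_pair_matches "$1" "$2"; then
        echo "certificate and key match"
    else
        echo "MISMATCH or unreadable file: fix pkinit_identity before starting the KDC"
        exit 1
    fi
fi
```

A mismatch here shows up on the client as the "Invalid signature" failure quoted above, so running this check against the KDC's pkinit_identity files is a quicker diagnostic than waiting for AS-REP parsing to fail.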


