PKINIT cert chains

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Thu May 21 13:35:23 EDT 2015


Short version
=============
Questions: 

1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?
2] Is the error below related to the KDC's cert chain or the smart card's cert chain?

Long version:
=============

Digging through my notes, I rediscovered the KRB5_TRACE environment variable. As it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had no configured identity. Unrecognized options really should throw an error.

Today's question concerns the assumptions about PKI. My KDC is part of "my" PKI for my local environment, and clients have my "cacert.pem", constructed as instructed on the PKINIT configuration webpage. My smart cards are issued by GSA credentialing centers, and I have provided a valid CA bundle to the KDC. I am getting:

"Cannot create cert chain: unable to get local issuer certificate"

Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, with no attempts to contact the KDC after I provide my PIN. 
Questions: 

1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?
2] Is the error above related to the KDC's cert chain or the smart card's cert chain?

Thanks,
Bryce
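The chain building behind the error quoted above, as an added example that is not part of this post or of MIT krb5. PKINIT involves two separate X.509 validations: the KDC checks the client's certificate against the anchors it was configured with, and the client checks the KDC's certificate against its own anchors. The quoted text is OpenSSL's message for a chain whose issuer cannot be found among the configured anchors or the intermediates supplied with the certificate. The Go program below (standard library only) constructs two unrelated in-memory PKIs, a local one that issues a KDC certificate and a card-issuer one whose intermediate CA issues a smart card certificate, and then verifies each leaf against each anchor set. Every name in it (`Example Local Root CA`, `kdc.example.test`, the cardholder and card-issuer CAs) is a placeholder constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a certificate for cn signed by parent, or
// self-signed when parent is nil. CAs get basicConstraints and keyCertSign.
func issue(cn string, serial int64, isCA bool, parent *issued) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issued{cert: cert, key: key}
}

// Scenario holds two unrelated in-memory PKIs constructed for this example: a
// local PKI issuing the KDC certificate, and a card-issuer PKI whose
// intermediate CA issues the smart card certificate. All names are placeholders.
type Scenario struct {
	LocalRoot, KDC            *x509.Certificate
	CardRoot, CardSubCA, Card *x509.Certificate
}

func BuildScenario() *Scenario {
	localRoot := issue("Example Local Root CA", 1, true, nil)
	kdc := issue("kdc.example.test", 2, false, localRoot)
	cardRoot := issue("Example Card Issuer Root CA", 3, true, nil)
	cardSub := issue("Example Card Issuer Sub CA", 4, true, cardRoot)
	card := issue("Example Cardholder", 5, false, cardSub)
	return &Scenario{LocalRoot: localRoot.cert, KDC: kdc.cert,
		CardRoot: cardRoot.cert, CardSubCA: cardSub.cert, Card: card.cert}
}

// VerifyChain tries to build a path from leaf to one of anchors using only the
// intermediates supplied with the leaf. It returns "ok", "unknown authority" when
// no configured anchor is reachable (Go's counterpart of OpenSSL's "unable to get
// local issuer certificate"), or the raw error text for any other failure.
func VerifyChain(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate) string {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil {
		return "ok"
	}
	if _, unknown := err.(x509.UnknownAuthorityError); unknown {
		return "unknown authority"
	}
	return err.Error()
}

func main() {
	s := BuildScenario()
	local, cardCA := []*x509.Certificate{s.LocalRoot}, []*x509.Certificate{s.CardRoot}
	sub := []*x509.Certificate{s.CardSubCA}
	fmt.Println("KDC cert vs local anchors:          ", VerifyChain(s.KDC, local, nil))
	fmt.Println("card cert vs card-issuer + sub CA:  ", VerifyChain(s.Card, cardCA, sub))
	fmt.Println("card cert vs card-issuer, no sub CA:", VerifyChain(s.Card, cardCA, nil))
	fmt.Println("card cert vs local anchors:         ", VerifyChain(s.Card, local, sub))
}
```

Running it shows the KDC certificate verifying only against the local anchors and the card certificate only against the card-issuer anchors, and it shows the card certificate failing with the same "unknown authority" outcome even against the right root when its intermediate CA is absent. A pool containing both roots accepts both leaves, so what matters for each certificate is that its own issuing path, root and any intermediates, is available to the side doing the check. Running the two validations separately, as the program does, is how to tell which of the two chains is the one that fails.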
