PKINIT cert chains

Nico Williams nico at
Thu May 21 16:30:03 EDT 2015

On Thu, May 21, 2015 at 05:35:23PM +0000, Nordgren, Bryce L -FS wrote:
> "Cannot create cert chain: unable to get local issuer certificate"

What from?

> Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, with no attempts to contact the KDC after I provide my PIN.
> Questions:
> 1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?

In principle, no.  In a PKI each relying party can have distinct trust
anchor sets for authenticating peers, and each node can have root CAs
for its own certificate that are not in the local trust anchor set.
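The point in the reply above, as an added illustration that is not part of the mailing-list thread and not code from MIT Kerberos or OpenSSL: a deliberately simplified model of chain building in which each relying party (the client checking the KDC certificate, the KDC checking the smart-card certificate) holds its own trust-anchor set, so the two certificates need not share a root. Certificate names, the two constructed CA hierarchies and the function names are all assumptions made for the example; the model follows issuer links only and performs none of the signature, validity or EKU checks a real PKINIT implementation does, keeping just the step that yields the "unable to get local issuer certificate" failure quoted at the top of the message.

```python
"""Toy model of X.509 chain building with per-relying-party trust anchors.

Constructed example: a certificate is a (subject, issuer) record and a
chain is built by walking issuer links until an issuer is found in the
relying party's own anchor set. Not real X.509 path validation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


class ChainError(Exception):
    """No path from the end-entity certificate to a trust anchor."""


def build_chain(leaf, intermediates, trust_anchors):
    """Return [leaf, ..., anchor] or raise ChainError.

    intermediates: certificates the verifier has on hand (e.g. sent by the peer).
    trust_anchors: the relying party's own anchor set; nothing else is trusted.
    """
    by_subject = {c.subject: c for c in intermediates}
    anchors = {c.subject: c for c in trust_anchors}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while True:
        # Stop as soon as the issuer is one of *this* relying party's anchors.
        if current.issuer in anchors:
            chain.append(anchors[current.issuer])
            return chain
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # Same failure mode as the OpenSSL message quoted in the thread.
            raise ChainError(
                "Cannot create cert chain: unable to get local issuer "
                "certificate (%s)" % current.issuer)
        if nxt.subject in seen:
            raise ChainError("issuer loop at %s" % nxt.subject)
        seen.add(nxt.subject)
        chain.append(nxt)
        current = nxt


# Constructed PKI: two independent hierarchies with no common root.
KDC_ROOT = Cert("CN=Realm KDC Root CA", "CN=Realm KDC Root CA")
KDC_CERT = Cert("CN=krbtgt/EXAMPLE.ORG", "CN=Realm KDC Root CA")

CARD_ROOT = Cert("CN=Smart Card Root CA", "CN=Smart Card Root CA")
CARD_ISSUING = Cert("CN=Smart Card Issuing CA", "CN=Smart Card Root CA")
CARD_CERT = Cert("CN=cardholder", "CN=Smart Card Issuing CA")


def client_verifies_kdc():
    """Client side: its anchor set holds only the KDC hierarchy's root."""
    return build_chain(KDC_CERT, [], [KDC_ROOT])


def kdc_verifies_client():
    """KDC side: its anchor set holds only the smart-card root; the issuing
    CA certificate arrives alongside the client certificate."""
    return build_chain(CARD_CERT, [CARD_ISSUING], [CARD_ROOT])


def kdc_with_wrong_anchor():
    """KDC configured with the wrong anchor set: chain building fails."""
    try:
        build_chain(CARD_CERT, [CARD_ISSUING], [KDC_ROOT])
    except ChainError as e:
        return str(e)
    return None


def missing_intermediate():
    """Issuing CA neither supplied nor an anchor: same failure message."""
    try:
        build_chain(CARD_CERT, [], [CARD_ROOT])
    except ChainError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print([c.subject for c in client_verifies_kdc()])
    print([c.subject for c in kdc_verifies_client()])
    print(kdc_with_wrong_anchor())
    print(missing_intermediate())
```

The two success cases use disjoint anchor sets, which is the "in principle, no" of the reply; the two failure cases show that the quoted error names whichever issuer the verifier could not find, so the first thing to check is which side reported it and what that side's anchor set and supplied intermediates actually contain.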
