PKINIT cert chains

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Thu May 21 16:58:46 EDT 2015



> On Thu, May 21, 2015 at 05:35:23PM +0000, Nordgren, Bryce L -FS wrote:
> > "Cannot create cert chain: unable to get local issuer certificate"
> 
> What from?

kinit -X X509_user_identity=PKCS11:opensc-pkcs11.so:certid=01 12001000550281 at FEDIDCARD.GOV

The KDC has a good CA bundle (meaning that CA bundle works to smart-card-enable "sudo" on the same machine with this card). Client has KDC's CA cert. I don't think the KDC is the thing complaining because the client cert is never communicated to it. 

> In principle, no.  In a PKI each relying party can have distinct trust anchor sets
> for authenticating peers, and each node can have root CAs for its own
> certificate that are not in the local trust anchor set.

To  provide the government CA bundle to the client, I added a second pkinit_anchors line in krb5.conf, and a bunch of pkinit_pool lines for the intermediate certs. No luck. 

Prior to installing the government CA bundle and using the smartcard cert, I signed a cert for the same principal using the same CA as I used for the KDC. (Exactly like the PKINIT Configuration webpage says.) This worked perfect. Switching to the smartcard and the government CA bundle caused my issue. It seems to be an issue on the kinit client side.

My assumption was that the client would try to validate the KDC's cert, and the KDC would try to validate the client's cert. Yet when the client started complaining, I had changed neither the KDC's cert nor the anchor the client should have been using. 

I'll try making a non KDC CA cert with openssl and signing a client cert for the same principal with that. See if the problem goes away or persists. Other than that, I'm out of ideas.

Bryce



More information about the Kerberos mailing list