PKINIT cert chains

Tom Yu tlyu at
Thu May 21 17:07:21 EDT 2015

"Nordgren, Bryce L -FS" <bnordgren at> writes:

> 1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?

I think no, in general, but configuration might be more complicated for
your deployment if they're different.

> 2] Is the error below related to the KDC's cert chain or the smart card's cert chain?

I'm not sure, but see below for some speculation.

> Long version: 
> ==========
> Digging through my notes, I rediscovered the KRB5_TRACE environment variable. As it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had no configured identity. Unrecognized options really should throw an error.
> Today's question concerns the assumptions about PKI. My KDC is part of "my" PKI for my local environment, and clients have my "cacert.pem", constructed as instructed on the PKINIT configuration webpage. My smart cards are issued by GSA credentialing centers, and I have provided a valid CA bundle to the KDC. I am getting:
> "Cannot create cert chain: unable to get local issuer certificate"

This string is coming from cms_signeddata_create() in
pkinit_crypto_openssl.c, so it's probably the client trying to create a
cert chain to send to the KDC with its signed data.

Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to
point at cacert.pem?  Which certs are in cacert.pem?  Are there any
intermediate CAs in the signature chain for the client certs?
