PKINIT cert chains
tlyu at mit.edu
Thu May 21 19:03:03 EDT 2015
"Nordgren, Bryce L -FS" <bnordgren at fs.fed.us> writes:
> Attached, please find a tarball of config and certs and disposable private keys on my test system (which has both KDC and client). Also, home/bnordgren/mycert1.pem is the cert off of my smart card.
Thanks. I think you're missing the "OU=Entrust Managed Services Root
CA" root from that set of certs. I couldn't get mycert1.pem to validate
with "openssl verify" even after renaming the PEM files in
etc/pki/kdc/fs_ca to have .crt suffixes and running c_rehash to make
hash symlinks in that directory.
> In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC and one for the smart card. The pkinit_pool lines contain all the intermediate certs.
Have you tried making a concatenated PEM file with the entire cert chain?
> Is there any way to tell the client to not make a CA bundle to send to the KDC? If I haven't spoon-fed the KDC what it needs, it should say "no".
Unfortunately, although there is a "include_certchain" parameter for
cms_signeddata_create(), all of the callers in the pkinit module
hardcode it to 1 when they call it. I would have to check the RFC to
determine whether it's allowed to omit the intermediate certs.