PKINIT cert chains

Tom Yu tlyu at
Thu May 21 19:03:03 EDT 2015

"Nordgren, Bryce L -FS" <bnordgren at> writes:

> Attached, please find a tarball of config and certs and disposable private keys on my test system (which has both KDC and client). Also, home/bnordgren/mycert1.pem is the cert off of my smart card.

Thanks.  I think you're missing the "OU=Entrust Managed Services Root
CA" root from that set of certs.  I couldn't get mycert1.pem to validate
with "openssl verify" even after renaming the PEM files in
etc/pki/kdc/fs_ca to have .crt suffixes and running c_rehash to make
hash symlinks in that directory.

> In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC and one for the smart card. The pkinit_pool lines contain all the intermediate certs. 

Have you tried making a concatenated PEM file with the entire cert chain?

> Is there any way to tell the client to not make a CA bundle to send to the KDC? If I haven't spoon-fed the KDC what it needs, it should say "no". 

Unfortunately, although there is an "include_certchain" parameter for
cms_signeddata_create(), all of the callers in the pkinit module
hardcode it to 1 when they call it.  I would have to check the RFC to
determine whether it's allowed to omit the intermediate certs.
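
Added example, not part of the original message: a shell sketch of the check discussed above, using a constructed throwaway root, intermediate and leaf (all subject and file names are made up). It shows "openssl verify" failing when the root is absent and succeeding with a concatenated chain file or a hashed directory that holds the whole chain; the <hash>.0 symlinks are made by hand here, which is the step c_rehash automates.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf. All names are made up.
D=$(mktemp -d) || exit 1
trap 'rm -rf "$D"' EXIT

issue() {  # issue <name> <CN> <issuer> [extra "openssl x509" options]
    name=$1 cn=$2 ca=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -config "$D/ca.cnf" -subj "/CN=$cn" \
        -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$D/$name.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
        -set_serial 1 -days 2 "$@" -out "$D/$name.pem" 2>/dev/null
}

make_pki() {
    # Minimal private config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$D/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$D/ca.cnf" -days 2 \
        -subj "/CN=Example Root CA" -keyout "$D/root.key" -out "$D/root.pem" \
        2>/dev/null &&
    issue int "Example Intermediate CA" root -extfile "$D/ca.cnf" -extensions v3_ca &&
    issue leaf "example-user" int
}

hash_dir() {  # hash_dir <dir> <cert>...: <subject-hash>.0 links, as c_rehash makes
    d=$1; shift; mkdir -p "$D/$d"
    for c in "$@"; do
        ln -sf "$D/$c" "$D/$d/$(openssl x509 -in "$D/$c" -noout -subject_hash).0"
    done
}

# Both return the exit status of "openssl verify" for the constructed leaf cert.
verify_file() { openssl verify -CAfile "$D/$1" "$D/leaf.pem" >/dev/null 2>&1; }
verify_dir()  { openssl verify -CApath "$D/$1" "$D/leaf.pem" >/dev/null 2>&1; }

make_pki || { echo "openssl failed to build the test PKI" >&2; exit 1; }
cat "$D/int.pem" "$D/root.pem" > "$D/chain.pem"   # whole chain in one PEM file
hash_dir partial int.pem                           # root missing
hash_dir full int.pem root.pem                     # whole chain present

for t in "verify_file int.pem" "verify_file chain.pem" \
         "verify_dir partial" "verify_dir full"; do
    if $t; then echo "$t: OK"; else echo "$t: verification failed"; fi
done
```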


More information about the Kerberos mailing list