PKINIT cert chains

Nordgren, Bryce L -FS bnordgren at
Thu May 21 18:06:32 EDT 2015

Hi Tom,

Attached, please find a tarball of config and certs and disposable private keys on my test system (which has both KDC and client). Also, home/bnordgren/mycert1.pem is the cert off of my smart card.

In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC and one for the smart card. The pkinit_pool lines contain all the intermediate certs.

Is there any way to tell the client to not make a CA bundle to send to the KDC? If I haven't spoon-fed the KDC what it needs, it should say "no".

> -----Original Message-----
> From: Tom Yu [mailto:tlyu at]
> Sent: Thursday, May 21, 2015 3:07 PM
> To: Nordgren, Bryce L -FS
> Cc: kerberos at
> Subject: Re: PKINIT cert chains
> "Nordgren, Bryce L -FS" <bnordgren at> writes:
> > 1] Does my KDC cert have to chain back to the same anchor as my smart
> > card certificates?
> I think no, in general, but configuration might be more complicated for your
> deployment if they're different.
> > 2] Is the error below related to the KDC's cert chain or the smart card's cert
> > chain?
> I'm not sure, but see below for some speculation.
> > Long version:
> > ==========
> >
> > Digging thru my notes, I rediscovered the KRB5_TRACE environment
> > variable. As it turns out I didn't have enough "X's" in -XX509_user_identity.
> > Hence I had no configured identity. Unrecognized options really should
> > throw an error.
> >
> > Today's question concerns the assumptions about PKI. My KDC is part of
> > "my" PKI for my local environment, and clients have my "cacert.pem",
> > constructed as instructed on the PKINIT configuration webpage. My smart
> > cards are issued by GSA credentialing centers, and I have provided a valid CA
> > bundle to the KDC. I am getting:
> >
> > "Cannot create cert chain: unable to get local issuer certificate"
> This string is coming from cms_signeddata_create() in
> pkinit_crypto_openssl.c, so it's probably the client trying to create a cert
> chain to send to the KDC with its signed data.
> Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to point at
> cacert.pem?  Which certs are in cacert.pem?  Are there any intermediate CAs
> in the signature chain for the client certs?
> -Tom
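The "unable to get local issuer certificate" string Tom points at is OpenSSL's own verification error for a chain that stops short of a trusted anchor, and it can be reproduced outside Kerberos. The script below is an added example, not part of this thread or of MIT krb5: it builds a throwaway root -> intermediate -> end-entity chain with constructed keys, then runs `openssl verify` once with only the root (the role played by the file named in pkinit_anchors) and once with the intermediate supplied as untrusted material (the role played by pkinit_pool). The same two commands, pointed at the real cacert.pem, the intermediate bundle and mycert1.pem, show whether the configured bundles actually complete the smart-card chain before any KDC or client code is involved. File names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root -> intermediate -> leaf
# chain with disposable keys, verified with and without the intermediate.

WORK=$(mktemp -d)

# Extension file so the intermediate is a real CA; older openssl has no -addext.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Self-signed root. This stands in for the anchor file (pkinit_anchors / cacert.pem).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Constructed Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root. This is what belongs in pkinit_pool.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Constructed Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# End-entity cert signed by the intermediate. This stands in for the card cert (mycert1.pem).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=constructed user" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
  -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -out "$WORK/leaf.pem" 2>/dev/null

# Anchor only: the intermediate is missing, so the chain cannot be completed.
verify_anchor_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Anchor plus intermediate pool: the chain closes and verification succeeds.
verify_with_pool() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Extract the exact error text OpenSSL reports for the anchor-only case.
verify_anchor_only_msg() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

if verify_anchor_only; then
  echo "anchor only: OK (unexpected: intermediate should be required)"
else
  echo "anchor only: FAIL: $(verify_anchor_only_msg)"
fi

if verify_with_pool; then
  echo "anchor + pool: OK"
else
  echo "anchor + pool: FAIL"
fi
```

Against a real deployment, replace root.pem with the anchor file, int.pem with the intermediate bundle, and leaf.pem with the card certificate; if the anchor-plus-pool form fails, the bundles are incomplete and no krb5 configuration will make the chain verify. Running kinit with KRB5_TRACE set, as mentioned earlier in the thread, then shows which side (client or KDC) is the one that cannot complete its chain.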
