PKINIT cert chains
Nordgren, Bryce L -FS
bnordgren at fs.fed.us
Thu May 21 19:57:27 EDT 2015
> Thanks. I think you're missing the "OU=Entrust Managed Services Root CA"
> root from that set of certs.
You've prompted me to draw a picture. The collection of "intermediate" certificates is no such thing. I appear to have been given a bag of unrelated fragments of CA chains. Many apologies for lack of due diligence. PKI tools are still pretty awkward for me to use.
However, I do have the cert for the CA which signed my card (LincPass.cer), even though it's not a self-signed root CA. I specified it directly in my pkinit_anchors, but this did not resolve the issue. Does openssl (and thus MIT Kerberos) require all the certs up to a self signed root certificate, even when I want to anchor somewhat lower than that? Does this mean the anchor is really all the way at the root cert, or is it where I want it to be?
Pam_pkcs11 is authenticating with these certs for sudo, possibly because it's using Mozilla nssdb instead of openssl? Thus was I lulled into complacency.
More information about the Kerberos
mailing list