Cannot create cert chain: certificate signature failure

Russ Allbery eagle at eyrie.org
Sat Sep 5 01:57:41 EDT 2015


Hi all,

I had working PKINIT in my test MIT Kerberos realm using certificates
issued by Heimdal, but now all attempts to authenticate with PKINIT are
just failing with the following error in the KDC syslog:

Sep  4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at EYRIE.ORG for krbtgt/EYRIE.ORG at EYRIE.ORG, Cannot create cert chain: certificate signature failure

Any idea what's going on?  This appears to be some failure inside OpenSSL,
but it looks like absolutely no information about the error is actually
logged anywhere?

The key piece of information is probably that the certificates (CA, KDC,
and client) were created with Heimdal hxtool.

I was previously successful issuing certs with OpenSSL directly and the
configuration from the wiki, but I'd really rather use hxtool, which is a
much nicer interface.  And I'm not sure why it wouldn't work, particularly
since it was previously working just fine (with the same server software
version, although an older MIT Kerberos client version).

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>