Cannot create cert chain: certificate signature failure

Russ Allbery eagle at eyrie.org
Sat Sep 5 02:12:55 EDT 2015


Russ Allbery <eagle at eyrie.org> writes:

> I had working PKINIT in my test MIT Kerberos realm using certificates
> issued by Heimdal, but now all attempts to authenticate with PKINIT are
> just failing with the following error in the KDC syslog:

> Sep  4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at EYRIE.ORG for krbtgt/EYRIE.ORG at EYRIE.ORG, Cannot create cert chain: certificate signature failure

> Any idea what's going on?  This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?

> The key piece of information is probably that the certificates (CA, KDC,
> and client) were created with Heimdal hxtool.

> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is
> a much nicer interface.  And I'm not sure why it wouldn't work,
> particularly since it was previously working just fine (with the same
> server software version, although an older MIT Kerberos client version).

I should have added:

Client: MIT Kerberos 1.13.2
Server: Tried both MIT Kerberos 1.10.1 and 1.13.2

With 1.10.1, I got the infamous "Cannot allocate memory" error with
PKINIT, but got the "certificate signature failure" error when trying to
use a client certificate.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list