Certificate error
Greg Hudson
ghudson at mit.edu
Thu Feb 8 11:39:37 EST 2018
On 02/08/2018 08:51 AM, J.Witvliet at mindef.nl wrote:
> [2676] 1518080701.322720: Sending request (154 bytes) to MOD.NL (master)
> kinit: Can't verify certificate while getting initial credentials
>
> Am I correct, in assuming that at the side of the KDC the problem lies;
> that the KDC is unable to retrieve the (sub-)CA's for validating my certificate?
I think that is a correct assumption.
The error came from the KDC, not from the client (because it immediately
follows a 'Sending request' trace log). The message corresponds to the
protocol error code KDC_ERR_CANT_VERIFY_CERTIFICATE. You didn't say
what implementation is used on the KDC, but RFC 4556 prescribes this
error code for when "the KDC cannot build a certification path to
validate the client's certificate". In the MIT krb5 KDC implementation,
we respond with that error code when OpenSSL's X509_verify_cert() yields
an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT or
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.
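
To see the two OpenSSL verification errors named above outside a KDC, this added example (not part of the original message and not MIT krb5 code) builds a constructed root CA, sub-CA and client certificate and runs `openssl verify` against different sets of CA certificates. All file and subject names are made up; the numbers printed are OpenSSL's codes, 20 for X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and 2 for X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.

```shell
#!/bin/sh
# Constructed PKI for illustration: root CA -> sub-CA -> client certificate.
new_csr() {  # new_csr <dir> <name> <CN>: throwaway key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_pki() {  # make_pki <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    new_csr "$d" root "Example Root CA"
    new_csr "$d" sub "Example Sub CA"
    new_csr "$d" client "Example Client"
    # Self-signed root, then the sub-CA signed by the root, then the client
    # certificate signed by the sub-CA.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -out "$d/client.pem" 2>/dev/null
}

# Print the X509_V_ERR_* number reported by "openssl verify", or 0 on success.
verify_code() {
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_pki "$PKI"

# Only the root is known: no issuer is found for the client certificate (20).
echo "root only:     $(verify_code -CAfile "$PKI/root.pem" "$PKI/client.pem")"
# Only the sub-CA is known: the sub-CA's own issuer is missing (2).
echo "sub-CA only:   $(verify_code -CAfile "$PKI/sub.pem" "$PKI/client.pem")"
# Root trusted, sub-CA supplied as an intermediate: the path builds (0).
echo "root + sub-CA: $(verify_code -CAfile "$PKI/root.pem" \
    -untrusted "$PKI/sub.pem" "$PKI/client.pem")"
```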