recent certificate failure for pkinit

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Jul 8 21:29:32 EDT 2024


>> KDC:
>> KDC_RETURN_PADATA:WELLKNOWN/ANONYMOUS at EXAMPLE.COM  for krbtgt/
>> EXAMPLE.COM at EXAMPLE.COM, Failed to verify own certificate (depth 0): unable
>> to get local issuer certificate
>
>I've run into this error before. MIT's KDC, for some bizarre reason, 
>insists that its server cert validate against the same set of CAs used 
>to authorize client PKINIT certs. This is insecure and a terrible idea, 
>but oh well. So make sure that the KDC server cert validates against the 
>set of CAs you've specified in the config file.

The full chain is needed on the KDC side so intermediate certificates
can be sent in the CMS object, and the easiest way to get the full chain
with OpenSSL is to call X509_verify_cert().

However, I disagree with your assertion that this is insecure.  In my
experience certificates used by the KDC and clients are all issued by
the same PKI, so there's nothing insecure about trusting the same set
of certificates for both (and in the above example if you are using
anonymous PKINIT you're not using a client certificate anyway).

If I was in the situation where client certificates were issued by a
different PKI than the KDC certificate and I didn't trust the PKI
that was issuing the KDC certificate I would probably write a certauth
plugin to reject client certificates signed by the "wrong" PKI.

--Ken

