PKINIT client has no configured identity; giving up?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sun Jul 27 19:17:56 EDT 2025
>I'm testing out PKINIT and encountered this error in the subject line.
>Does anyone know what it's related to and/or how to debug and resolve
>it further?
>
>So far, PKINIT talks to the KDC, receives an MIT cookie and loads the
>identity files: client0.pem and clientkey0.pem being invoked by 'kinit
>-X X509_user_identity=FILE:/client0.pem,/clientkey0.pem'. I'm still
>being requested to provide a password, which I understand should not
>be required with PKINIT.

About a half-dozen things could cause that error; for example, if
you didn't configure PKINIT with the correct root and intermediate
certificates so the client couldn't build a complete chain back to a
trusted root, you'd get that.

I was going to suggest you use the KRB5_TRACE environment variable to
get further debug output, but I think if you got that message then you
already did that; what is causing the root issue should be in that
trace information (before that message).

BTW, I believe that if your client key is protected with a password then
you might get a password prompt for the key.

--Ken
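
The two causes named in the reply above (a chain that does not build to a trusted root, and a passphrase-protected key) can be checked before running kinit. The script below is an added example, not part of the original message; the function names and the anchor/intermediate bundle arguments are assumptions, and it assumes an openssl whose verify subcommand exits non-zero on failure.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PKINIT FILE: identity.
# All file paths are supplied by the caller; none come from the thread.

# Succeeds if the PEM private key is passphrase-protected.
# PKCS#8 uses an "ENCRYPTED PRIVATE KEY" label; traditional OpenSSL
# keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
key_is_encrypted() {
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# Succeeds if the certificate chains to a root in the anchor bundle.
# args: cert anchors [intermediates]
chain_is_trusted() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Runs both checks and prints what to try next.
# args: cert key anchors [intermediates]
preflight() {
    rc=0
    if key_is_encrypted "$2"; then
        echo "note: $2 is passphrase-protected; expect a prompt for the key"
    fi
    if chain_is_trusted "$1" "$3" "$4"; then
        echo "ok:   $1 chains to a root in $3"
    else
        echo "fail: $1 does not chain to a root in $3"
        rc=1
    fi
    # The trace output before the "giving up" line names the root cause.
    echo "next: KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=FILE:$1,$2 -X X509_anchors=FILE:$3"
    return "$rc"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```
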