X.509 preauth

Greg Hudson ghudson at mit.edu
Fri Oct 30 23:18:25 EDT 2015

On 10/30/2015 06:14 PM, Pascal Jakobi wrote:
> PA-PK-AS-REQ (16), which I understand is for X.509 certificate
> preauthentication, is not in the list.

[From krb5.conf]
>   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>   pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem

You should put the KDC certificate paths in "pkinit_identity", and the
client certificate paths in "pkinit_identities".  (These are two of the
most confusingly named variables in krb5.conf, and we are considering
introducing new names for them and deprecating the old ones.)

Since the KDC isn't seeing a "pkinit_identity" configured, it isn't
offering PKINIT.

If you haven't read it already, see:


More information about the krbdev mailing list