Semantics for multiple pkinit_anchors/pkinit_pool lines

Greg Hudson ghudson at
Thu Jan 28 00:25:44 EST 2021

On 1/27/21 9:45 PM, Ken Hornstein wrote:
> Our implementation was changed so all errors were ignored when loading
> the root and intermediate certificates.  This hasn't been a problem in
> practice, but I realize it might not be ideal.

It wouldn't break anyone's working configuration, but it could obscure
the reason for a new configuration not working.  In the most likely case
where you have one anchor specification and it isn't right, the KDC
currently logs:

  preauth pkinit failed to initialize: PKINIT initialization failed: Cannot open file '...': No such file or directory

and we'd lose that if errors were ignored.  The trace log (where you'd
have to look on the client side) is pretty helpful with or without the
error being ignored.

  PKINIT OpenSSL error: Cannot open file '...'
  PKINIT OpenSSL error: error:02001002:system library:fopen:No such file or directory

> Keep track of errors and make it so it won't error out if at least
> one pkinit_anchors line works

This is probably fine.  We'd still get our KDC log if there's one anchor
location and it can't be loaded, and the trace log would still note
which paths failed to load.
