> when i do a grid-cert-info  with the kerberized credential
> 
> ...
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Extended Key Usage: 
>                 1.3.6.1.5.2.3.4
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment, Key Agreement
>             1.3.6.1.4.1.3536.1.222: critical
>                 0.0
> ..+.......
>     Signature Algorithm: md5WithRSAEncryption
> ...

This looks like an end entity certificate.

> whereas a normal credential shows
> ...
>       X509v3 extensions:
>             Proxy Certificate Information: critical
>                 Path Length Constraint: infinite
>                 Policy Language: Inherit all
> ...

This is a proxy certificate.

> Which would appear to have overwritten the proxy extensions with the
> kerberos rather than appending them?

Could it be instead that you created a proxy certificate from the end
entity certificate, so the end entity certificate still has the
extensions you want, but it's no longer the last certificate in the chain?

I suggest looking in the file at 'grid-proxy-info -path' to see the
different certificates in the certificate chain.

> What is the correct way to merge this, or is it even possible, to get
> MIT's pkinit to work with Globus credentials?

My guess is that pkinit doesn't understand proxy certificates, so you
need to restrict yourself to end entity certificates. Some possible options:

1) After you do myproxy-admin-adduser, use myproxy-retrieve rather than
myproxy-logon so you get an end entity certificate rather than a proxy
certificate. In this case you'll need to set authorized_key_retrievers &
default_key_retrievers in myproxy-server.config and also possibly use
'myproxy-admin-adduser -E' depending on your value of
default_key_retrievers to allow direct access to the end entity
credential rather than just access to proxy credentials.

2) Rather than using myproxy-admin-adduser, set up a MyProxy CA
(http://myproxy.ncsa.uiuc.edu/ca) to issue end entity credentials. In
this case, you can use certificate_extfile or certificate_extapp to
include the kinit extensions in the issued certificates.

3) In case pkinit can work with proxy certificates (i.e., using a recent
OpenSSL version with OPENSSL_ALLOW_PROXY set to a non-empty value in the
environment), and for some reason pkinit isn't finding the extension in
the end entity certificate in the certificate chain, you can tell
MyProxy to include extensions in proxy certificates using the
myproxy-server.config proxy_extfile or proxy_extapp settings.

Hope that helps.

-Jim
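As an added example (not part of Jim's reply, nor MyProxy or Globus code), a script that follows the advice above: it splits the file named by `grid-proxy-info -path` into its certificates, dumps each with `openssl x509 -text` (assumed to be on PATH), and reports which certificate in the chain is a proxy and which carries the PKINIT client EKU 1.3.6.1.5.2.3.4. The sample dumps embedded in it are constructed after the output quoted above.

```python
"""Check each cert in a Globus proxy file (the file from `grid-proxy-info -path`) for
proxy status and the PKINIT client EKU. Added diagnostic for this thread; needs openssl."""
import re, subprocess, sys

PKINIT_CLIENT_EKU = "1.3.6.1.5.2.3.4"  # OID shown in the quoted grid-cert-info output
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed `openssl x509 -text` excerpts, leaf first: a proxy cert, then its end entity issuer.
SAMPLE_DUMPS = [
    "        Subject: O=Grid, CN=jsmith, CN=proxy\n"
    "        X509v3 extensions:\n"
    "            Proxy Certificate Information: critical\n",
    "        Subject: O=Grid, CN=jsmith\n"
    "        X509v3 extensions:\n"
    "            X509v3 Extended Key Usage: \n"
    "                1.3.6.1.5.2.3.4\n"
    "            X509v3 Key Usage: critical\n",
]

def eku_values(dump):
    """Entries under 'X509v3 Extended Key Usage': the lines indented deeper than its header."""
    m = re.search(r"^([ \t]*)X509v3 Extended Key Usage:.*\n((?:\1[ \t]+\S.*\n?)+)", dump, re.M)
    return [v.strip() for line in m.group(2).splitlines() for v in line.split(",")] if m else []

def classify(dump):
    subj = re.search(r"^\s*Subject:\s*(.+)$", dump, re.M)
    return {"subject": subj.group(1).strip() if subj else "?",
            "is_proxy": "Proxy Certificate Information" in dump,
            "pkinit_eku": PKINIT_CLIENT_EKU in eku_values(dump)}

def diagnose(dumps):
    """Classify every cert and say where (if anywhere) the PKINIT EKU lives."""
    infos = [classify(d) for d in dumps]
    leaf, ee_ok = infos[0], any(not i["is_proxy"] and i["pkinit_eku"] for i in infos)
    if leaf["pkinit_eku"]:
        verdict = "leaf carries the PKINIT EKU"
    elif leaf["is_proxy"] and ee_ok:
        verdict = "EKU only on the end entity cert; the leaf is a proxy without it"
    else:
        verdict = "no PKINIT EKU anywhere in the chain"
    return infos, verdict

if __name__ == "__main__":  # usage: chaincheck.py <proxy-file>
    dumps = [subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem,
                            capture_output=True, text=True, check=True).stdout
             for pem in PEM_CERT.findall(open(sys.argv[1]).read())]  # key block is skipped
    infos, verdict = diagnose(dumps)
    for n, i in enumerate(infos):
        print(n, "proxy" if i["is_proxy"] else "end-entity", i["pkinit_eku"], i["subject"])
    print(verdict)
```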
