"Nordgren, Bryce L -FS" <bnordg...@fs.fed.us> writes: > 1] Does my KDC cert have to chain back to the same anchor as my smart card > certificates?
I think no, in general, but configuration might be more complicated for your deployment if they're different. > 2] Is the error below related to the KDC's cert chain or the smart card's > cert chain? I'm not sure, but see below for some speculation. > Long version: > ========== > > Digging thru my notes, I rediscovered the KRB5_TRACE environment variable. As > it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had > no configured identity. Unrecognized options really should throw an error. > > Today's question concerns the assumptions about PKI. My KDC is part of "my" > PKI for my local environment, and clients have my "cacert.pem", constructed > as instructed on the PKINIT configuration webpage. My smart cards are issued > by GSA credentialing centers, and I have provided a valid CA bundle to the > KDC. I am getting: > > "Cannot create cert chain: unable to get local issuer certificate" This string is coming from cms_signeddata_create() in pkinit_crypto_openssl.c, so it's probably the client trying to create a cert chain to send to the KDC with its signed data. Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to point at cacert.pem? Which certs are in cacert.pem? Are there any intermediate CAs in the signature chain for the client certs? -Tom ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
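An added example, not code from this thread or from MIT Kerberos: the POSIX shell script below builds a constructed three-tier test PKI (root, intermediate, leaf) with the openssl CLI and shows that verifying the leaf against a root-only bundle produces the same "unable to get local issuer certificate" text as the client's error, while supplying the intermediate lets the chain build. All subjects, file names and the temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing list or MIT krb5): reproduce the
# OpenSSL chain-building error quoted in the thread with a constructed PKI.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# new_key_and_csr NAME SUBJECT-CN: fresh RSA key plus CSR for NAME.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
# CA extensions applied explicitly, independent of any openssl.cnf defaults.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA, self-signed: stands in for the anchor in "cacert.pem".
new_key_and_csr root "Constructed Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 \
  -extfile ca.ext 2>/dev/null

# Intermediate CA signed by the root (like a card issuer's issuing CA).
new_key_and_csr int "Constructed Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 1 -extfile ca.ext 2>/dev/null

# Leaf signed by the intermediate (stand-in for the smart card certificate).
new_key_and_csr leaf "Constructed Client"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 1 2>/dev/null

# verify_leaf ANCHOR-BUNDLE [UNTRUSTED-INTERMEDIATES]
# Prints "ok" when the chain builds, otherwise OpenSSL's lookup error text.
verify_leaf() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" leaf.pem 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" leaf.pem 2>&1) || true
  fi
  case "$out" in
    *": OK") echo ok ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

RESULT_ROOT_ONLY=$(verify_leaf root.pem)        # anchors lack the leaf's issuer
RESULT_WITH_INT=$(verify_leaf root.pem int.pem) # intermediate now available
echo "root only:           $RESULT_ROOT_ONLY"
echo "root + intermediate: $RESULT_WITH_INT"
```

The same lookup failure inside pkinit_crypto_openssl.c points at the client not having the issuing (intermediate) CA available when it builds its chain, so checking what is actually in cacert.pem against the card certificate's issuer, as Tom asks, is the first diagnostic step.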