Russ Allbery <[email protected]> writes:
> I had working PKINIT in my test MIT Kerberos realm using certificates
> issued by Heimdal, but now all attempts to authenticate with PKINIT are
> just failing with the following error in the KDC syslog:
> Sep 4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25
> 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/[email protected] for
> krbtgt/[email protected], Cannot create cert chain: certificate signature
> failure
> Any idea what's going on? This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?
> The key piece of information is probably that the certificates (CA, KDC,
> and client) were created with Heimdal hxtool.
> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is
> a much nicer interface. And I'm not sure why it wouldn't work,
> particularly since it was previously working just fine (with the same
> server software version, although an older MIT Kerberos client version).
I should have added:
Client: MIT Kerberos 1.13.2
Server: Tried both MIT Kerberos 1.10.1 and 1.13.2
With 1.10.1, I got the infamous "Cannot allocate memory" error with
PKINIT, but got the "certificate signature failure" error when trying to
use a client certificate.
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
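The second half of the KDC message above, "certificate signature failure", is the text OpenSSL's X509_verify_cert_error_string() returns for X509_V_ERR_CERT_SIGNATURE_FAILURE: the chain builder found a candidate issuer for a certificate (matched by name, and by authority key identifier when the certificate carries one) but that issuer's public key did not verify the certificate's signature. Because the KDC logs only that one string, the quickest way to see what OpenSSL actually objects to is to rebuild the same chain with `openssl verify` against the anchor file the KDC uses. The script below is an added example, not part of the thread and not MIT or Heimdal code; it creates throwaway CAs and a client certificate with openssl (constructed test data, no real realm or hxtool output) and then runs the verification twice, once against the issuing CA and once against a CA with the same name but a different key, which is what a regenerated CA left behind as a stale anchor looks like to the KDC. Depending on the OpenSSL version, certificates issued with an authority key identifier fail earlier, at issuer lookup ("unable to get local issuer certificate") instead of at the signature check; the script prints whichever error OpenSSL reports.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the OpenSSL chain build that
# the PKINIT plugin performs, outside the KDC, so that the verbose OpenSSL
# error the KDC does not log becomes visible. Everything here is constructed
# test data; no real realm, CA or key is involved.

set -e

# gen_ca PREFIX "SUBJECT CN": throwaway self-signed CA (PREFIX.key, PREFIX.pem).
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_leaf CAPREFIX PREFIX "SUBJECT CN": end-entity cert signed by that CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$2.csr" \
    -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -out "$2.pem" 2>/dev/null
}

# describe_cert FILE: the fields the chain builder matches on, plus the
# signature algorithm (useful when comparing hxtool- and openssl-issued certs).
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer
  openssl x509 -in "$1" -noout -text | sed -n '/Signature Algorithm/{p;q;}'
}

# check_chain CAFILE LEAF: verify LEAF against the anchors in CAFILE, the same
# X509_verify_cert() check the KDC runs. Returns 0 on success; on failure it
# prints OpenSSL's own error text to stderr (e.g. "certificate signature
# failure", the string the KDC log above ends with) and returns 1.
check_chain() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) return 0 ;;
    *) printf '%s\n' "$out" >&2; return 1 ;;
  esac
}

# Demonstration: a client cert issued by one CA, checked against the issuing
# CA and then against a same-named CA with a different key (a stale anchor).
demo() {
  d=$(mktemp -d)
  gen_ca "$d/ca_good" "Test PKINIT CA"
  gen_ca "$d/ca_stale" "Test PKINIT CA"
  issue_leaf "$d/ca_good" "$d/client" "pkinit-client"
  describe_cert "$d/client.pem"
  echo "--- against the issuing CA:"
  check_chain "$d/ca_good.pem" "$d/client.pem" && echo "chain OK"
  echo "--- against a same-named CA with a different key:"
  check_chain "$d/ca_stale.pem" "$d/client.pem" || echo "chain build failed (see error above)"
  rm -rf "$d"
}

demo
```

To apply this to a real KDC, point check_chain at the file named by pkinit_anchors in kdc.conf and at the KDC or client certificate that fails; if the anchor file holds several CAs, openssl verify will tell you which candidate issuer it picked and why the chain stopped there, which is exactly the detail missing from the syslog line.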