Greg wrote:
IIRC from another mailing list I am on, the Fedora version may use `certutil` instead of pam_pkcs11's `make_hash_link.sh` to create links to each of the CAs, and I am not sure if they keep them (the CAs) in the same place as the normal pam_pkcs11.

I'll try to find certutil when I get home. Given that I need my CAC
for work, I can only debug my home computer at night. :(

running `pkcs11_inspect debug` and making note of:
A) did it ask for a PIN/Password.
B) if it did (A), did it then spit out 'X.509 certificate found' and a little later 'certificate is valid'?

A) Yes
B) No

Let me find the cut and paste version of the info it printed.

tantalus 2% pkcs11_inspect
<SNIP>
PIN for token: DEBUG:pkcs11_inspect.c:101: PIN = [XXXXXXX]
DEBUG:pkcs11.c:399: cert 0: found (HENNESSY.GREGORY.S.XXXXXXXXXX:CAC ID Certificate), 
"CN=HENNESSY.GREGORY.S.XXXXXXXXXX,OU=XXX,OU=PKI,OU=DoD,O=U.S. Government,C=US"
DEBUG:pkcs11.c:399: cert 1: found (HENNESSY.GREGORY.S.XXXXXXXXXX:CAC Email Signature 
Certificate), "CN=HENNESSY.GREGORY.S.XXXXXXXXXX,OU=XXX,OU=PKI,OU=DoD,O=U.S.
Government,C=US"

<SNIP>
DEBUG:pkcs11_inspect.c:139: verifing the certificate for the key #1
DEBUG:cert_vfy.c:37: Verifying Cert: HENNESSY.GREGORY.S.XXXXXXXXXX:CAC ID 
Certificate (CN=HENNESSY.GREGORY.S.XXXXXXXXXX,OU=XXX,OU=PKI,OU=DoD,O=U.S. 
Government,C=US)
DEBUG:cert_vfy.c:41: Couldn't verify Cert: Peer's Certificate issuer is not 
recognized.
DEBUG:pkcs11_inspect.c:152: verify_certificate() failed: DEBUG:pkcs11_inspect.c:139: verifing the certificate for the key #2
DEBUG:cert_vfy.c:37: Verifying Cert: HENNESSY.GREGORY.S.1228899166:CAC Email 
Signature Certificate 
(CN=HENNESSY.GREGORY.S.1228899166,OU=USN,OU=PKI,OU=DoD,O=U.S.
Government,C=US)
DEBUG:cert_vfy.c:41: Couldn't verify Cert: Peer's Certificate issuer is not 
recognized.
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
<SNIP>
As I expected.
You need to get pam_pkcs11 to recognize your (The DoD) CAs, i.e., `certutil` or `make_hash_link.sh` (as supplied for FC6) on the appropriate CA files.


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
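Added example, not part of the thread above and not pam_pkcs11's own code: a small script that reproduces the "issuer not recognized" failure in the OpenSSL-backed setup and shows what `make_hash_link.sh`-style links fix. It builds a throwaway test CA and a leaf certificate (constructed data, not DoD CA material) in a temporary directory that stands in for pam_pkcs11's `ca_dir` (an assumed location), verifies the leaf with only a plain PEM file in that directory, then adds `<subject-hash>.N` symlinks the way `make_hash_link.sh` / `c_rehash` do and verifies again. It needs the `openssl` command on the machine.

```shell
#!/bin/sh
# Added example (not from this thread): why an OpenSSL-backed pam_pkcs11 reports an
# unrecognized issuer when its ca_dir has no hash links, and what make_hash_link.sh
# style links do about it. Everything here is constructed test data: the CA and
# the DN are throwaway values, not DoD material, and ca_dir is a temp directory.
set -e

WORK=$(mktemp -d)
CA_DIR="$WORK/cacerts"          # stand-in for pam_pkcs11's ca_dir (assumed path)
mkdir -p "$CA_DIR"

# Constructed test CA plus a leaf certificate it signs (plays the smart-card cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/C=US/O=Example Test CA/CN=Example Test Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes \
  -subj "/C=US/O=Example/CN=DOE.JANE.0000000000" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1

# Drop the CA into ca_dir as a plain file, with no hash links yet.
cp "$WORK/ca.pem" "$CA_DIR/example-test-root.pem"

# verify_with_capath LEAF DIR: prints "ok" if OpenSSL can chain LEAF to a CA in DIR
# through the by-hash directory lookup that the OpenSSL build of pam_pkcs11 uses.
verify_with_capath() {
  if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# make_hash_links DIR: create <subject-hash>.<n> symlinks for each PEM in DIR,
# the same layout make_hash_link.sh / c_rehash produce.
make_hash_links() {
  for f in "$1"/*.pem; do
    h=$(openssl x509 -in "$f" -noout -hash)          # subject hash, e.g. 5a1b2c3d
    n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done   # .0, .1, ... on hash collisions
    ln -s "$(basename "$f")" "$1/$h.$n"
  done
}

BEFORE_LINKS=$(verify_with_capath "$WORK/leaf.pem" "$CA_DIR")   # "fail": issuer not found
make_hash_links "$CA_DIR"
AFTER_LINKS=$(verify_with_capath "$WORK/leaf.pem" "$CA_DIR")    # "ok": issuer found via link
LINK_COUNT=$(find "$CA_DIR" -type l | wc -l | tr -d ' ')

echo "without hash links: $BEFORE_LINKS"
echo "with hash links:    $AFTER_LINKS ($LINK_COUNT link(s) in $CA_DIR)"
```

The first verify fails even though the CA file is sitting in the directory, which is exactly the situation the `pkcs11_inspect` output above describes: the CA is present on disk but nothing lets the library find it by issuer name. Note that the wording "Peer's Certificate issuer is not recognized" comes from NSS, so the Fedora build Greg is using keeps its CAs in an NSS certificate database rather than an OpenSSL hash directory; there the fix is importing the DoD CAs into that database with `certutil -A` and trust flags that mark them as CAs, not creating symlinks.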