Hi all,

I have enabled PKINIT, but when I try to do kinit -X
X509_user_identity=FILE:/client/client.crt,/client/client.key vinay
I am getting the following error:

kinit(v5): Invalid signature while getting initial credentials

client.crt and kdc.crt are both signed by ca.key. The method I have
adopted to generate the certificates is as follows:
/************  CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self-signed.

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey -extfile \
    extension.c ca.key -extensions \
    client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by the
ca.key.

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extfile \
    extension.c -extensions kdc_cert \
    -out kdc.crt

/************* END of KDC crt **************/

The extension file contains the details for including extensions; it
contains the data from the following link:
 http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html

***************************client.crt**************************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d4:f0:fe:50:5f:4a:13:ba
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=gesl, CN=vinay
        Validity
            Not Before: Feb 23 08:50:32 2010 GMT
            Not After : Feb 23 08:50:32 2011 GMT
        Subject: OU=gesl, CN=vinay
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.4
            X509v3 Subject Key Identifier:
                30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Authority Key Identifier:
                keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Subject Alternative Name:
                othername:<unsupported>
            X509v3 Issuer Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
********************************************************************************************
My kdc.crt is as follows:
****************************kdc.crt********************************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:61:4d:c6:f6:3e:e9:11
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=gesl, CN=vinay
        Validity
            Not Before: Feb 23 08:52:16 2010 GMT
            Not After : Feb 23 08:52:16 2011 GMT
        Subject: OU=gesl, CN=vinay
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.5
            X509v3 Subject Key Identifier:
                30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Authority Key Identifier:
                keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Issuer Alternative Name:
                <EMPTY>

            X509v3 Subject Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
*********************************************************************************************
What is the reason for getting this error? Is the method followed to
generate the certificates right? Please kindly guide me.

Regards,
Vinay
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
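
Added example, not part of the original post: `openssl x509 -req -signkey` self-signs a request, while `-CA`/`-CAkey` issues it under a CA. The script builds both variants from one CSR and runs two checks on each: does it chain to the CA, and does it carry the public key of `client.key`. The `Demo CA` and `client` subjects and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example; file names and subject names are constructed for this demo.
set -eu

# Self-signed demo CA plus a client key and CSR, all written to directory $1.
setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/OU=demo/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/OU=demo/CN=client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

# -signkey self-signs: issuer is set to the CSR subject, and the public half
# of the given key is placed in the certificate. No chain to ca.crt exists.
sign_selfsigned() {
    openssl x509 -req -days 1 -in "$1/client.csr" -signkey "$1/ca.key" \
        -out "$1/selfsigned.crt" 2>/dev/null
}

# -CA/-CAkey issues under the CA: issuer is the CA subject, key is the CSR's.
sign_with_ca() {
    openssl x509 -req -days 1 -in "$1/client.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -set_serial 1 -out "$1/issued.crt" 2>/dev/null
}

# Check 1: does certificate $2 chain to the CA in directory $1?
chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Check 2: does certificate $2 carry the public key of $1/client.key?
matches_client_key() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/client.key" -pubout)" ]
}

report() {
    for c in selfsigned issued; do
        chains_to_ca "$1" "$1/$c.crt" && chain=yes || chain=no
        matches_client_key "$1" "$1/$c.crt" && key=yes || key=no
        echo "$c.crt: chains_to_ca=$chain key_matches=$key"
    done
}

dir=$(mktemp -d)
setup "$dir"; sign_selfsigned "$dir"; sign_with_ca "$dir"
report "$dir"
```

In a certificate dump the same two properties show up as Issuer equal to Subject and the Subject Key Identifier equal to the Authority Key Identifier for the self-signed variant.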