"Nordgren, Bryce L -FS" <bnordg...@fs.fed.us> writes:

> Attached, please find a tarball of config and certs and disposable private
> keys on my test system (which has both KDC and client). Also,
> home/bnordgren/mycert1.pem is the cert off of my smart card.
Thanks. I think you're missing the "OU=Entrust Managed Services Root CA" root from that set of certs. I couldn't get mycert1.pem to validate with "openssl verify" even after renaming the PEM files in etc/pki/kdc/fs_ca to have .crt suffixes and running c_rehash to make hash symlinks in that directory.

> In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC
> and one for the smart card. The pkinit_pool lines contain all the
> intermediate certs.

Have you tried making a concatenated PEM file with the entire cert chain?

> Is there any way to tell the client to not make a CA bundle to send to the
> KDC? If I haven't spoon-fed the KDC what it needs, it should say "no".

Unfortunately, although there is an "include_certchain" parameter for cms_signeddata_create(), all of the callers in the pkinit module hardcode it to 1 when they call it. I would have to check the RFC to determine whether it's allowed to omit the intermediate certs.

-Tom
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
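The checks Tom describes (openssl verify against a concatenated chain, a c_rehash-style hashed directory, and the question of which certs count as anchors) can be reproduced offline. The script below is an added example and is not code from the thread or from MIT krb5: it generates a throwaway root, intermediate and end-entity cert, then runs "openssl verify" under the four trust layouts a practitioner would compare. Everything in it is constructed for the demo (the CA names, demo.cnf, the file names); the only tool it assumes is the openssl command-line binary.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a throwaway
# root -> intermediate -> leaf chain and checks the leaf with "openssl verify"
# under the split PKINIT uses: trusted anchors versus a pool of untrusted
# intermediates. All names and files are constructed for the demo.
set -e

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cd "$DEMO_DIR"

# Minimal config so "openssl req" does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
default_md = sha256
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF

make_demo_chain() {
  # Self-signed root: the only cert that can act as a trust anchor.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 30 -config demo.cnf -extensions ca_ext -subj "/CN=Demo Root CA" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -config demo.cnf -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions ca_ext -out inter.pem 2>/dev/null
  # End-entity cert (stands in for the smart-card cert), signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -config demo.cnf -subj "/CN=demo user" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
  # Concatenated bundle (intermediate + root), and a hashed directory holding
  # only the root, laid out the way c_rehash does it (.crt file plus a
  # <subject_hash>.0 symlink).
  cat inter.pem root.pem > chain.pem
  mkdir -p cadir
  cp root.pem cadir/root.crt
  ln -sf root.crt "cadir/$(openssl x509 -subject_hash -noout -in root.pem).0"
}

# verify_leaf OPENSSL-VERIFY-OPTIONS...: exit 0 iff leaf.pem chains up to a
# self-signed root among the trusted certs selected by the options.
verify_leaf() {
  openssl verify "$@" leaf.pem >/dev/null 2>&1
}

make_demo_chain

# Report which trust layout validates the leaf. Only the first one fails:
# an intermediate alone is not a usable anchor, because verification must
# end at a self-signed root.
for desc in \
  "intermediate only as anchor:-CAfile inter.pem" \
  "intermediate+root bundle as anchor:-CAfile chain.pem" \
  "root as anchor, intermediate untrusted:-CAfile root.pem -untrusted inter.pem" \
  "hashed dir with root, intermediate untrusted:-CApath cadir -untrusted inter.pem"
do
  opts=${desc#*:}
  if verify_leaf $opts; then echo "OK   ${desc%%:*}"; else echo "FAIL ${desc%%:*}"; fi
done
```

The mapping to the KDC configuration is the point of the exercise: -CAfile/-CApath play the role of pkinit_anchors (roots you actually trust) and -untrusted plays the role of pkinit_pool (intermediates available for chain building but not trusted on their own). If "openssl verify" cannot reach a self-signed root with the certs you have, neither can the KDC, and the missing root is what to look for before touching anything else.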