Hi all, I had working PKINIT in my test MIT Kerberos realm using certificates issued by Heimdal, but now all attempts to authenticate with PKINIT are just failing with the following error in the KDC syslog:

Sep 4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/anonym...@eyrie.org for krbtgt/eyrie....@eyrie.org, Cannot create cert chain: certificate signature failure

Any idea what's going on? This appears to be some failure inside OpenSSL, but it looks like absolutely no information about the error is actually logged anywhere?

The key piece of information is probably that the certificates (CA, KDC, and client) were created with Heimdal hxtool. I was previously successful issuing certs with OpenSSL directly and the configuration from the wiki, but I'd really rather use hxtool, which is a much nicer interface. And I'm not sure why it wouldn't work, particularly since it was previously working just fine (with the same server software version, although an older MIT Kerberos client version).

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>