Hi all,

I had working PKINIT in my test MIT Kerberos realm using certificates
issued by Heimdal, but now all attempts to authenticate with PKINIT are
just failing with the following error in the KDC syslog:

Sep  4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/anonym...@eyrie.org for krbtgt/eyrie....@eyrie.org, Cannot create cert chain: certificate signature failure

Any idea what's going on?  This appears to be some failure inside OpenSSL,
but it looks like absolutely no information about the error is actually
logged anywhere?

The key piece of information is probably that the certificates (CA, KDC,
and client) were created with Heimdal hxtool.

I was previously successful issuing certs with OpenSSL directly and the
configuration from the wiki, but I'd really rather use hxtool, which is a
much nicer interface.  And I'm not sure why it wouldn't work, particularly
since it was previously working just fine (with the same server software
version, although an older MIT Kerberos client version).

-- 
Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
