Re: PKINIT cert chains

2015-05-22 Thread Tom Yu
"Nordgren, Bryce L -FS"  writes:

> You've prompted me to draw a picture. The collection of "intermediate" 
> certificates is no such thing. I appear to have been given a bag of unrelated 
> fragments of CA chains. Many apologies for lack of due diligence. PKI tools 
> are still pretty awkward for me to use.

No problem.  I think PKI tools are awkward for pretty much everyone to
use.

> However, I do have the cert for the CA which signed my card (LincPass.cer), 
> even though it's not a self-signed root CA. I specified it directly in my 
> pkinit_anchors, but this did not resolve the issue. Does openssl (and thus 
> MIT Kerberos) require all the certs up to a self signed root certificate, 
> even when I want to anchor somewhat lower than that? Does this mean the 
> anchor is really all the way at the root cert, or is it where I want it to be?

My experience is that OpenSSL wants to chain to a self-signed root cert.
I've tended to hear the term "trust anchor" used in X.509 contexts to
mean only a trusted self-signed root certificate.

> Pam_pkcs11 is authenticating with these certs for sudo, possibly because it's 
> using Mozilla nssdb instead of openssl? Thus was I lulled into complacency.

It might be that nssdb has the relevant root cert configured in its
trust store.  I believe the OpenSSL API as we use it in our PKINIT
implementation requires that the trusted roots be specified explicitly
through the API.

-Tom

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


RE: PKINIT cert chains

2015-05-21 Thread Nordgren, Bryce L -FS
> Thanks.  I think you're missing the "OU=Entrust Managed Services Root CA"
> root from that set of certs.

You've prompted me to draw a picture. The collection of "intermediate" 
certificates is no such thing. I appear to have been given a bag of unrelated 
fragments of CA chains. Many apologies for lack of due diligence. PKI tools are 
still pretty awkward for me to use.

However, I do have the cert for the CA which signed my card (LincPass.cer), 
even though it's not a self-signed root CA. I specified it directly in my 
pkinit_anchors, but this did not resolve the issue. Does openssl (and thus MIT 
Kerberos) require all the certs up to a self signed root certificate, even when 
I want to anchor somewhat lower than that? Does this mean the anchor is really 
all the way at the root cert, or is it where I want it to be?

Pam_pkcs11 is authenticating with these certs for sudo, possibly because it's 
using Mozilla nssdb instead of openssl? Thus was I lulled into complacency.



RE: PKINIT cert chains

2015-05-21 Thread Nordgren, Bryce L -FS
Hi Tom,

Attached, please find a tarball of config and certs and disposable private keys 
on my test system (which has both KDC and client). Also, 
home/bnordgren/mycert1.pem is the cert off of my smart card.

In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC 
and one for the smart card. The pkinit_pool lines contain all the intermediate 
certs. 

Is there any way to tell the client to not make a CA bundle to send to the KDC? 
If I haven't spoon-fed the KDC what it needs, it should say "no". 

Bryce

> -Original Message-
> From: Tom Yu [mailto:t...@mit.edu]
> Sent: Thursday, May 21, 2015 3:07 PM
> To: Nordgren, Bryce L -FS
> Cc: kerberos@mit.edu
> Subject: Re: PKINIT cert chains
> 
> "Nordgren, Bryce L -FS"  writes:
> 
> > 1] Does my KDC cert have to chain back to the same anchor as my smart
> > card certificates?
> 
> I think no, in general, but configuration might be more complicated for your
> deployment if they're different.
> 
> > 2] Is the error below related to the KDC's cert chain or the smart card's
> > cert chain?
> 
> I'm not sure, but see below for some speculation.
> 
> > Long version:
> > ==
> >
> > Digging thru my notes, I rediscovered the KRB5_TRACE environment
> > variable. As it turns out I didn't have enough "X's" in -XX509_user_identity.
> > Hence I had no configured identity. Unrecognized options really should
> > throw an error.
> >
> > Today's question concerns the assumptions about PKI. My KDC is part of
> > "my" PKI for my local environment, and clients have my "cacert.pem",
> > constructed as instructed on the PKINIT configuration webpage. My smart
> > cards are issued by GSA credentialing centers, and I have provided a valid CA
> > bundle to the KDC. I am getting:
> >
> > "Cannot create cert chain: unable to get local issuer certificate"
> 
> This string is coming from cms_signeddata_create() in
> pkinit_crypto_openssl.c, so it's probably the client trying to create a cert
> chain to send to the KDC with its signed data.
> 
> Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to point at
> cacert.pem?  Which certs are in cacert.pem?  Are there any intermediate CAs
> in the signature chain for the client certs?
> 
> -Tom



Re: PKINIT cert chains

2015-05-21 Thread Tom Yu
"Nordgren, Bryce L -FS"  writes:

> Attached, please find a tarball of config and certs and disposable private 
> keys on my test system (which has both KDC and client). Also, 
> home/bnordgren/mycert1.pem is the cert off of my smart card.

Thanks.  I think you're missing the "OU=Entrust Managed Services Root
CA" root from that set of certs.  I couldn't get mycert1.pem to validate
with "openssl verify" even after renaming the PEM files in
etc/pki/kdc/fs_ca to have .crt suffixes and running c_rehash to make
hash symlinks in that directory.

> In the current state, kdc5.conf has two pkinit_anchors lines, one for the KDC 
> and one for the smart card. The pkinit_pool lines contain all the 
> intermediate certs. 

Have tried making a concatenated PEM file with the entire cert chain?

> Is there any way to tell the client to not make a CA bundle to send to the 
> KDC? If I haven't spoon-fed the KDC what it needs, it should say "no". 

Unfortunately, although there is a "include_certchain" parameter for
cms_signeddata_create(), all of the callers in the pkinit module
hardcode it to 1 when they call it.  I would have to check the RFC to
determine whether it's allowed to omit the intermediate certs.

-Tom

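As an added example (not code from the thread or from MIT krb5), the script below reproduces the chain-building behaviour Tom describes in both of his replies: a throwaway root / issuing CA / leaf PKI stands in for the Entrust root, the LincPass issuing CA and mycert1.pem, and `openssl verify` is run with the issuing CA as the only anchor, with the root as anchor plus the intermediate as untrusted pool material, and with one concatenated chain file. All file names, subjects and the `-partial_chain` remark are assumptions about OpenSSL's defaults, not statements from the thread.

```shell
# Added example: a toy root -> issuing CA -> leaf chain (constructed test data,
# not the Entrust or LincPass certs) checked with "openssl verify" three ways.
set -u

# make_toy_pki DIR: write root.pem (self-signed), int.pem and leaf.pem into DIR.
make_toy_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$1/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Root CA' \
        -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Issuing CA' \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=smartcard-user' \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# verify_leaf LEAF ANCHORS [POOL]: ANCHORS plays the role of pkinit_anchors
# (trusted), POOL of pkinit_pool (untrusted). Status 0 = chain reached a root.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# pkinit_chain_demo: returns 0 only if all three cases match Tom's description.
pkinit_chain_demo() {
    dir=$(mktemp -d) || return 1
    make_toy_pki "$dir" || return 1
    # 1. Issuing CA as the only anchor (what pointing pkinit_anchors at LincPass.cer
    #    did): rejected, since default chain building must reach a self-signed root.
    #    ("openssl verify -partial_chain" would accept it; PKINIT, per Tom, does not.)
    verify_leaf "$dir/leaf.pem" "$dir/int.pem" && return 1
    echo "anchor=int            : rejected, no self-signed root reached"
    # 2. Root as anchor, intermediate supplied as untrusted pool material.
    verify_leaf "$dir/leaf.pem" "$dir/root.pem" "$dir/int.pem" || return 1
    echo "anchor=root, pool=int : OK"
    # 3. One concatenated PEM holding the whole CA chain, as Tom suggests.
    cat "$dir/root.pem" "$dir/int.pem" >"$dir/chain.pem"
    verify_leaf "$dir/leaf.pem" "$dir/chain.pem" || return 1
    echo "anchor=root+int file  : OK"
    rm -rf "$dir"
}

pkinit_chain_demo
```

In krb5.conf terms, case 2 is pkinit_anchors = FILE:root.pem plus pkinit_pool = FILE:int.pem, and case 3 is pkinit_anchors pointing at the concatenated file.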


Re: PKINIT cert chains

2015-05-21 Thread Tom Yu
"Nordgren, Bryce L -FS"  writes:

> 1] Does my KDC cert have to chain back to the same anchor as my smart card 
> certificates?

I think no, in general, but configuration might be more complicated for
your deployment if they're different.

> 2] Is the error below related to the KDC's cert chain or the smart card's 
> cert chain?

I'm not sure, but see below for some speculation.

> Long version: 
> ==
>
> Digging thru my notes, I rediscovered the KRB5_TRACE environment variable. As 
> it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had 
> no configured identity. Unrecognized options really should throw an error. 
>
> Today's question concerns the assumptions about PKI. My KDC is part of "my" 
> PKI for my local environment, and clients have my "cacert.pem", constructed 
> as instructed on the PKINIT configuration webpage. My smart cards are issued 
> by GSA credentialing centers, and I have provided a valid CA bundle to the 
> KDC. I am getting:
>
> "Cannot create cert chain: unable to get local issuer certificate"

This string is coming from cms_signeddata_create() in
pkinit_crypto_openssl.c, so it's probably the client trying to create a
cert chain to send to the KDC with its signed data.

Have you set the krb5.conf [libdefaults] setting "pkinit_anchors" to
point at cacert.pem?  Which certs are in cacert.pem?  Are there any
intermediate CAs in the signature chain for the client certs?

-Tom



RE: PKINIT cert chains

2015-05-21 Thread Nordgren, Bryce L -FS


> On Thu, May 21, 2015 at 05:35:23PM +, Nordgren, Bryce L -FS wrote:
> > "Cannot create cert chain: unable to get local issuer certificate"
> 
> What from?

kinit -X X509_user_identity=PKCS11:opensc-pkcs11.so:certid=01 12001000550...@fedidcard.gov

The KDC has a good CA bundle (meaning that CA bundle works to smart-card-enable 
"sudo" on the same machine with this card). Client has KDC's CA cert. I don't 
think the KDC is the thing complaining because the client cert is never 
communicated to it. 

> In principle, no.  In a PKI each relying party can have distinct trust anchor 
> sets
> for authenticating peers, and each node can have root CAs for its own
> certificate that are not in the local trust anchor set.

To provide the government CA bundle to the client, I added a second 
pkinit_anchors line in krb5.conf, and a bunch of pkinit_pool lines for the 
intermediate certs. No luck. 

Prior to installing the government CA bundle and using the smartcard cert, I 
signed a cert for the same principal using the same CA as I used for the KDC. 
(Exactly like the PKINIT Configuration webpage says.) This worked perfectly. 
Switching to the smartcard and the government CA bundle caused my issue. It 
seems to be an issue on the kinit client side.

My assumption was that the client would try to validate the KDC's cert, and the 
KDC would try to validate the client's cert. Yet when the client started 
complaining, I had changed neither the KDC's cert nor the anchor the client 
should have been using. 

I'll try making a non-KDC CA cert with openssl and signing a client cert for 
the same principal with that. See if the problem goes away or persists. Other 
than that, I'm out of ideas.

Bryce




Re: PKINIT cert chains

2015-05-21 Thread Nico Williams
On Thu, May 21, 2015 at 05:35:23PM +, Nordgren, Bryce L -FS wrote:
> "Cannot create cert chain: unable to get local issuer certificate"

What from?

> Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, 
> with no attempts to contact the KDC after I provide my PIN. 
> Questions: 
> 
> 1] Does my KDC cert have to chain back to the same anchor as my smart card 
> certificates?

In principle, no.  In a PKI each relying party can have distinct trust
anchor sets for authenticating peers, and each node can have root CAs
for its own certificate that are not in the local trust anchor set.



PKINIT cert chains

2015-05-21 Thread Nordgren, Bryce L -FS
Short version
===
Questions: 

1] Does my KDC cert have to chain back to the same anchor as my smart card 
certificates?
2] Is the error below related to the KDC's cert chain or the smart card's cert 
chain?

Long version: 
==

Digging thru my notes, I rediscovered the KRB5_TRACE environment variable. As 
it turns out I didn't have enough "X's" in -XX509_user_identity. Hence I had no 
configured identity. Unrecognized options really should throw an error. 

Today's question concerns the assumptions about PKI. My KDC is part of "my" PKI 
for my local environment, and clients have my "cacert.pem", constructed as 
instructed on the PKINIT configuration webpage. My smart cards are issued by 
GSA credentialing centers, and I have provided a valid CA bundle to the KDC. I 
am getting:

"Cannot create cert chain: unable to get local issuer certificate"

Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, 
with no attempts to contact the KDC after I provide my PIN. 
Questions: 

1] Does my KDC cert have to chain back to the same anchor as my smart card 
certificates?
2] Is the error above related to the KDC's cert chain or the smart card's cert 
chain?

Thanks,
Bryce
