[Pki-users] X.509 preauth
Fraser Tweedale
ftweedal at redhat.com
Sun Nov 1 22:17:08 UTC 2015
On Fri, Oct 30, 2015 at 11:09:20PM +0100, Pascal Jakobi wrote:
> Hi there
>
> I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
> CentOS/Fedora/RHEL.
> I have created the certificates with OpenSSL, everything looks fine - I have
> a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and the
> corresponding KDC cert and CA cert have been checked.
> I also modified the principal with kadmin : "modprinc +requires_preauth
> toto".
>
> I run kinit for the "toto" principal with KRB5_TRACE set. I can see that the
> KDC sends the following to the client :
>
> [6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
>
> PA-PK-AS-REQ (16), which I understand is for X.509 certificate
> preauthentication, is not in the list.
>
> I guess something is therefore wrong on my KDC configuration, but I cannot
> see what.
> Can someone enlighten me?
> Thanks in advance
>
> --
> Pascal Jakobi <mailto:pascal.jakobi at gmail.com>
> 116 rue de Stalingrad, 93100 Montreuil
> France
> Tel : +33 6 87 47 58 19
> [logging]
> default = FILE:/var/log/kerberos/krb5libs.log
> kdc = FILE:/var/log/kerberos/krb5kdc.log
> kdc = SYSLOG:DEBUG:LOCAL1
> admin_server = FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = THALES.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> THALES.COM = {
> kdc = kdc.jakobi.fr
> admin_server = kdc.jakobi.fr
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
> }
>
> [domain_realm]
> .jakobi.fr = THALES.COM
> jakobi.fr = THALES.COM
Hi Pascal,
FYI, this mailing list is for Dogtag Certificate System questions.
Anyhow, did you read the MIT Kerberos pkinit guide[1]? It looks
like the space after the comma in the `pkinit_anchors' directive
should not be there.
[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html#configuring-the-kdc
Cheers,
Fraser
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
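The reply above points at whitespace after a comma in a PKINIT list directive. The following is an added example, not code from the thread or from MIT Kerberos: a small linter that parses a krb5-style config far enough to reach the realm block, pulls out the pkinit_* directives, and flags whitespace around the commas that separate their FILE:/DIR: entries (the MIT pkinit guide writes these lists without any). The sample configuration is constructed to reproduce the one quoted in the question; the prefix list and the directive names checked are the ones the MIT documentation uses.

```python
"""Lint pkinit_* directives in an MIT krb5-style configuration file.

Added example (not from the mailing-list thread): parses [section],
key = value and realm { ... } blocks, then reports whitespace around
commas in PKINIT list directives and entries with no recognised prefix.
"""
import re
from typing import List, Tuple

# List-valued PKINIT directives from the MIT pkinit guide.
PKINIT_LIST_DIRECTIVES = ("pkinit_anchors", "pkinit_identities",
                          "pkinit_identity", "pkinit_pool")
# Identity/anchor locator prefixes accepted by MIT pkinit.
KNOWN_PREFIXES = ("FILE:", "DIR:", "PKCS12:", "PKCS11:", "ENV:")

# Constructed sample reproducing the quoted [realms] block.
SAMPLE_CONF = """
[libdefaults]
default_realm = THALES.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
THALES.COM = {
 kdc = kdc.jakobi.fr
 admin_server = kdc.jakobi.fr
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
}
"""

# Same block with the stray space removed.
FIXED_CONF = SAMPLE_CONF.replace("kdccert.pem, /var", "kdccert.pem,/var")


def parse_krb5_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (location, key, value) triples.

    Keys inside a brace block are located as 'section/blockname', so a
    realm directive comes back as ('realms/THALES.COM', key, value).
    Comments (#) and blank lines are skipped.
    """
    triples: List[Tuple[str, str, str]] = []
    section = ""
    stack: List[str] = []  # names of the open { } blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section, stack = m.group(1), []
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            stack.append(m.group(1))
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if m:
            where = "/".join([section] + stack)
            triples.append((where, m.group(1), m.group(2)))
    return triples


def check_pkinit_directives(text: str) -> List[str]:
    """Return one human-readable finding per problem in pkinit_* values."""
    findings: List[str] = []
    for where, key, value in parse_krb5_conf(text):
        if key not in PKINIT_LIST_DIRECTIVES:
            continue
        # Entries are separated by bare commas; the guide shows no spaces.
        if re.search(r"\s,|,\s", value):
            findings.append(
                f"{where}: {key}: whitespace around ',' in {value!r}; "
                "remove it so the path after the comma is read as written")
        # The value must start with a locator prefix such as FILE: or DIR:.
        if not value.startswith(KNOWN_PREFIXES):
            findings.append(
                f"{where}: {key}: value {value!r} lacks a FILE:/DIR:/... prefix")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", check_pkinit_directives(conf) or "no findings")
```

Run it against a real krb5.conf or kdc.conf by reading the file into `check_pkinit_directives`; a clean file returns an empty list.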