
Re: More on pkinit and proxy certificates



On 31 Jan 2007, at 12:05, Athanasios Moralis wrote:

> Love Hörnquist Åstrand wrote:
>>
>> [kdc]
>>     pkinit_allow_proxy_certificate = yes
>>
> is it "yes" or "true", because in the manual it is  
> pkinit_allow_proxy_certificate = false

It's either "yes" or "true"; both are accepted as an affirmative selection.

> Anyway, I have tested both, but the problem persists.

Did you restart the KDC between the runs?

> 2007-01-31T10:57:00 Looking for PKINIT pa-data -- root@GRIDCC.ORG
> 2007-01-31T10:57:00 PKINIT: failed to verify signature: Key usage missing from CA certificate; Key usage keyCertSign required but missing from certifiate CN=User Name,OU=org unit ,O=organization,C=GR: 569872

Since this seems to be an EE cert, judging by the subject name, I think
the option isn't turned on.

$ hxtool verify --missing-revoke --allow-proxy-certificate cert:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/proxy-test.crt chain:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/test.crt anchor:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/ca.crt
path ok
$ hxtool verify --missing-revoke cert:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/proxy-test.crt chain:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/test.crt anchor:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/ca.crt
verify_path: Key usage missing from CA certificate; Key usage keyCertSign required but missing from certifiate CN=Test cert,C=SE: 569872


> Is it possible that the error is caused because I use certificates
> produced with globus grid-proxy-init? The kinit seems to accept it.
> The structure of a globus proxy certificate is :
> -----BEGIN CERTIFICATE-----
> Mfdsfadsfda..... <proxy certificate>
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> MIIBOwkD1..... <proxy key>
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> MIIEVzCCAkIEN..... <certificate
> -----END CERTIFICATE-----

This format is ok.

> To be sure, I have also manually constructed the pkinit-proxy-
> chain.crt and pkinit-proxy.key (by copying and pasting) to look like
> the ones in the tests. This also fails with the same error message
> as shown above. But I am not sure if this is the correct method to
> produce a proxy cert.

You can issue a proxy cert like this:

hxtool issue-certificate \
	  --ca-certificate=FILE:ee-test.crt,ee-test.key \
	  --issue-proxy \
	  --generate-key=rsa \
	  --certificate="FILE:cert-proxy.der"

Love
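The thread above describes the layout of a globus grid-proxy-init bundle (proxy certificate, proxy private key, issuing EE certificate) and the manual copy-and-paste that turned it into the pkinit-proxy-chain.crt and pkinit-proxy.key files used by the Heimdal tests. The following is an added example, not code from the thread or from Heimdal: it parses such a bundle and splits it into a chain file (proxy cert first, then its issuer) and a key file. The sample bundle it builds is constructed from placeholder DER SEQUENCE values, not real certificates or keys, and the output file names are simply the ones Athanasios used.

```python
"""Split a Globus grid-proxy-init style PEM bundle into the two files the
Heimdal PKINIT tests use: a certificate chain (proxy cert followed by its
issuing EE cert) and a separate private-key file.

Added example; not part of the mailing-list thread or of Heimdal.
"""
import base64
import re

# One PEM block: label, base64 body, matching END label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)


def pem_encode(label, body_b64):
    """Wrap a base64 body in PEM armour with 64-character lines."""
    lines = [body_b64[i:i + 64] for i in range(0, len(body_b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_pem_bundle(text):
    """Return a list of (label, base64_body) tuples in file order.

    Each body must decode to a DER SEQUENCE (tag 0x30), which is the outer
    type of every X.509 certificate and every PKCS#1/PKCS#8 key.
    """
    blocks = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group("body").split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{m.group('label')} block is not a DER SEQUENCE")
        blocks.append((m.group("label"), body))
    return blocks


def split_proxy_bundle(text):
    """Return (chain_pem, key_pem) for a Globus-style proxy bundle.

    chain_pem keeps every CERTIFICATE block in bundle order, so the proxy
    certificate comes first and the EE certificate that issued it follows;
    key_pem holds the single private key found in the bundle.
    """
    blocks = parse_pem_bundle(text)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [(label, b) for label, b in blocks if label.endswith("PRIVATE KEY")]
    if len(certs) < 2:
        raise ValueError("expected a proxy certificate followed by its issuer")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key in the bundle")
    chain = "".join(pem_encode("CERTIFICATE", b) for b in certs)
    key = pem_encode(*keys[0])
    return chain, key


def is_proxy_bundle(text):
    """True if the text has the proxy-cert, key, issuer-cert layout."""
    try:
        split_proxy_bundle(text)
        return True
    except ValueError:
        return False


# Constructed placeholder DER: a SEQUENCE holding one small INTEGER.
# These are NOT real certificates or keys; they only exercise the PEM handling.
def _fake_der_b64(n):
    return base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, n])).decode()


PROXY_B64 = _fake_der_b64(1)   # stands in for the proxy certificate
KEY_B64 = _fake_der_b64(2)     # stands in for the proxy private key
EE_B64 = _fake_der_b64(3)      # stands in for the issuing EE certificate


def build_sample_bundle():
    """Constructed bundle in grid-proxy-init order: proxy cert, key, EE cert."""
    return (pem_encode("CERTIFICATE", PROXY_B64)
            + pem_encode("RSA PRIVATE KEY", KEY_B64)
            + pem_encode("CERTIFICATE", EE_B64))


if __name__ == "__main__":
    chain, key = split_proxy_bundle(build_sample_bundle())
    # File names as used in the thread; hypothetical output location.
    with open("pkinit-proxy-chain.crt", "w") as f:
        f.write(chain)
    with open("pkinit-proxy.key", "w") as f:
        f.write(key)
    print("wrote pkinit-proxy-chain.crt and pkinit-proxy.key")
```

Run it against a real bundle by reading the file produced by grid-proxy-init instead of `build_sample_bundle()`; the resulting chain file can then be checked with the `hxtool verify ... --allow-proxy-certificate` invocation shown earlier in the message, and the same error about keyCertSign will reappear if the `--allow-proxy-certificate` flag, or the KDC's `pkinit_allow_proxy_certificate` option, is left off.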