Re: More on pkinit and proxy certificates
On 31 Jan 2007 at 12:05, Athanasios Moralis wrote:
> Love Hörnquist Åstrand wrote:
>>
>> [kdc]
>> pkinit_allow_proxy_certificate = yes
>>
> is it "yes" or "true", because in the manual it is
> pkinit_allow_proxy_certificate = false
It's either "yes" or "true"; both are accepted as an affirmative selection.
> Anyway, I have tested both, but the problem persists.
You restarted the KDC between the runs?
> 2007-01-31T10:57:00 Looking for PKINIT pa-data -- root@GRIDCC.ORG
> 2007-01-31T10:57:00 PKINIT: failed to verify signature: Key usage
> missing from CA certificate; Key usage keyCertSign required but
> missing from certifiate CN=User Name,OU=org
> unit ,O=organization,C=GR: 569872
Since this seems to be an EE cert, judging by the subject name, I think
the option isn't turned on.
$ hxtool verify --missing-revoke --allow-proxy-certificate cert:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/proxy-test.crt chain:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/test.crt anchor:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/ca.crt
path ok
$ hxtool verify --missing-revoke cert:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/proxy-test.crt chain:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/test.crt anchor:FILE:/Users/lha/src/cvs/heimdal/lib/hx509/data/ca.crt
verify_path: Key usage missing from CA certificate; Key usage keyCertSign required but missing from certifiate CN=Test cert,C=SE: 569872
> Is it possible that the error is caused because I use certificates
> produced with globus grid-proxy-init? The kinit seems to accept it.
> The structure of a globus proxy certificate is :
> -----BEGIN CERTIFICATE-----
> Mfdsfadsfda..... <proxy certificate>
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> MIIBOwkD1..... <proxy key>
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> MIIEVzCCAkIEN..... <certificate>
> -----END CERTIFICATE-----
This format is ok.
> To be sure, I have also manually constructed the pkinit-proxy-
> chain.crt and pkinit-proxy.key (by copy and paste) to look like
> the ones in the tests. This also fails with the same error message
> as shown above. But I am not sure if this is the correct method to
> produce a proxy cert.
You can issue a proxy cert like this:
hxtool issue-certificate \
--ca-certificate=FILE:ee-test.crt,ee-test.key \
--issue-proxy \
--generate-key=rsa \
--certificate="FILE:cert-proxy.der"
Love
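The copy-and-paste split of a grid-proxy-init bundle into pkinit-proxy-chain.crt and pkinit-proxy.key, done mechanically. This is an added example, not code from the thread or from Heimdal; the bundle contents are constructed placeholders, and the script also rejects a sloppy marker such as the four-dash "----END CERTIFICATE-----" in the sketch above, which a strict PEM reader would not accept.

```python
import base64
import re

# A well-formed PEM block: five-dash markers, matching labels, base64 body.
# The body cannot contain "-", so a malformed marker such as
# "----END CERTIFICATE-----" (four dashes) never completes a block.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+?)\n-----END \1-----")
ANY_BEGIN = re.compile(r"^-+BEGIN [A-Z ]+-+$", re.MULTILINE)


def split_proxy_bundle(bundle: str) -> tuple[str, str]:
    """Split a grid-proxy-init style bundle (proxy cert, proxy key, issuing
    EE cert, ...) into the two files pkinit/hxtool expect: a certificate
    chain (all CERTIFICATE blocks, proxy cert first) and the proxy key."""
    blocks = PEM_BLOCK.findall(bundle)
    # Every BEGIN marker must have produced a well-formed block.
    if len(ANY_BEGIN.findall(bundle)) != len(blocks):
        raise ValueError("bundle contains a malformed PEM block")
    certs = [f"-----BEGIN {lab}-----\n{body}\n-----END {lab}-----\n"
             for lab, body in blocks if lab == "CERTIFICATE"]
    keys = [f"-----BEGIN {lab}-----\n{body}\n-----END {lab}-----\n"
            for lab, body in blocks if lab.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if len(certs) < 2:
        raise ValueError("a proxy chain needs the proxy cert and its issuer")
    return "".join(certs), keys[0]


def pem_block(label: str, text: str) -> str:
    """Constructed placeholder block: base64 of a marker string, not a real
    certificate or key."""
    body = base64.b64encode(text.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed bundle in the order grid-proxy-init writes it.
GOOD_BUNDLE = (pem_block("CERTIFICATE", "proxy cert placeholder")
               + pem_block("RSA PRIVATE KEY", "proxy key placeholder")
               + pem_block("CERTIFICATE", "issuing EE cert placeholder"))
# The same bundle with the four-dash END marker from the sketch above.
BAD_BUNDLE = GOOD_BUNDLE[:GOOD_BUNDLE.rfind("-----END")] + "----END CERTIFICATE-----\n"

if __name__ == "__main__":
    chain, key = split_proxy_bundle(GOOD_BUNDLE)
    with open("pkinit-proxy-chain.crt", "w") as f:
        f.write(chain)
    with open("pkinit-proxy.key", "w") as f:
        f.write(key)
```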