On Wed, Jun 15, 2022 at 04:23:30PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Charles Hedrick via FreeIPA-users wrote:
> > the error is
> >
> > The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC
>
> A PKINIT certificate needs an EKU extension,
>
> https://datatracker.ietf.org/doc/html/rfc4556
>
> When generating the key with OpenSSL you need to include "-extensions
> kdc_cert"
>
It's unlikely that publicly trusted CAs will issue certs with
id-pkinit-KPKdc in EKU. CABForum Baseline Requirements[1]
7.1.2.3(f) says:
Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth
[RFC5280] or both values MUST be present. id-kp-emailProtection
[RFC5280] MAY be present. Other values SHOULD NOT be present.
[1]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf
Charles, you might need to use a certificate issued directly by the
IPA CA for your KDC, or else do without PKINIT.
Thanks,
Fraser
>
> >
> >
> > ------------------------------------------------------------------------
> > *From:* Charles Hedrick via FreeIPA-users
> > <freeipa-users@lists.fedorahosted.org>
> > *Sent:* Wednesday, June 15, 2022 3:39 PM
> > *To:* freeipa-users@lists.fedorahosted.org
> > <freeipa-users@lists.fedorahosted.org>
> > *Cc:* Charles Hedrick <hedrick@rutgers.edu>
> > *Subject:* [Freeipa-users] ipa-server-certinstall -k
> >
> > ipa-server-certinstall works fine for http and ldap. But I can't get the
> > -k option to work.
> >
> > I've tried cert.pem and privkey.pem with and without chain.pem, as well
> > as fullchain.pem and privkey.pem (fullchain has both the cert and the
> > chain).
> >
> > The certs were issued by Internet2, which chains up to addtrust.
> >
> > kinit -n works fine if I install the pem files manually, so presumably
> > my files are valid.
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
> >
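The point Rob and Fraser make above, as an added example that is not part of the thread: an OpenSSL config with a `kdc_cert` extension section (shaped after the one in the MIT krb5 PKINIT documentation) that puts id-pkinit-KPKdc (1.3.6.1.5.2.3.5) in the EKU and the krbtgt/REALM principal in a SAN otherName, beside a `tls_cert` section carrying only the serverAuth/clientAuth EKUs a CA/B Forum-constrained public CA will issue, plus a check that tells the two apart the way a KDC would. The realm and hostname are placeholders, and `openssl` on PATH is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: generate two self-signed test
# certificates and check which one carries the PKINIT KDC EKU.
# Assumptions: openssl on PATH; [kdc_cert] follows the shape given in the
# MIT krb5 pkinit docs; REALM and kdc.example.test are placeholders.

REALM="${REALM:-EXAMPLE.TEST}"
export REALM   # the config below reads ${ENV::REALM}

# write_pkinit_conf DIR: write pkinit.cnf with kdc_cert and tls_cert sections
write_pkinit_conf() {
    cat > "$1/pkinit.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = kdc.example.test

# PKINIT KDC certificate (RFC 4556 3.2.4): EKU id-pkinit-KPKdc and a SAN
# otherName (id-pkinit-san) holding krbtgt/REALM@REALM
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:2
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

# What a Baseline-Requirements-bound public CA issues: serverAuth/clientAuth only
[tls_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:kdc.example.test
EOF
}

# make_cert DIR SECTION NAME: self-signed cert using the named extension
# section, i.e. the "-extensions kdc_cert" step from the thread
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/pkinit.cnf" -extensions "$2" \
        -keyout "$1/$3.key" -out "$1/$3.pem" 2>/dev/null
}

# check_kdc_eku CERT: 0 if the EKU contains id-pkinit-KPKdc. Newer OpenSSL
# prints the name "Signing KDC Response", older builds print the bare OID.
check_kdc_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -qE '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response'
}

# check_kdc_san CERT: 0 if the SAN carries an otherName (the PKINIT principal)
check_kdc_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -q 'othername'
}

# demo: build both certs in a scratch dir and report which a KDC could use
demo() {
    d=$(mktemp -d)
    write_pkinit_conf "$d"
    make_cert "$d" kdc_cert kdc
    make_cert "$d" tls_cert public
    for c in kdc public; do
        if check_kdc_eku "$d/$c.pem" && check_kdc_san "$d/$c.pem"; then
            echo "$c.pem: id-pkinit-KPKdc EKU and principal SAN present, usable for a KDC"
        else
            echo "$c.pem: missing KDC EKU or principal SAN, would be rejected as invalid for a KDC"
        fi
    done
    rm -rf "$d"
}

demo
```

Run `check_kdc_eku /path/to/cert.pem` against a certificate before handing it to `ipa-server-certinstall -k`; a cert from a public CA will fail this test for exactly the reason Fraser gives, while one issued by the IPA CA's KDC profile passes.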