From f3977b6883f0172a2af9006522a1b35546f86749 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 14 Oct 2013 18:14:00 -0400 Subject: Discuss cert expiry, no-key princs in PKINIT docs In pkinit.rst, add "-days" options to the example commands for creating certificate and briefly discuss the issue of expiration dates so that the administrator thinks about it. In troubleshoot.rst, add an entry for the "certificate has expired" error which results from PKINIT (when linked with OpenSSL) when a certificate has expired. ticket: 7719 (new) target_version: 1.12 tags: pullup --- doc/admin/troubleshoot.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'doc/admin/troubleshoot.rst') diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst index 5c275d8caf..91afd2b47d 100644 --- a/doc/admin/troubleshoot.rst +++ b/doc/admin/troubleshoot.rst @@ -52,6 +52,26 @@ section of :ref:`krb5.conf(5)`. Seen in: clients +.. error:: + + Cannot create cert chain: certificate has expired + +This error message indicates that PKINIT authentication failed because +the client certificate, KDC certificate, or one of the certificates in +the signing chain above them has expired. + +If the KDC certificate has expired, this message appears in the KDC +log file, and the client will receive a "Preauthentication failed" +error. (Prior to release 1.11, the KDC log file message erroneously +appears as "Out of memory". Prior to release 1.12, the client will +receive a "Generic error".) + +If the client or a signing certificate has expired, this message may +appear in trace_logging_ output from :ref:`kinit(1)` or, starting in +release 1.12, as an error message from kinit or another program which +gets initial tickets. The error message is more likely to appear +properly on the client if the principal entry has no long-term keys. + ---- .. include:: ./install_kdc.rst -- cgit
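Review bot: The new troubleshoot entry names the symptom but gives the administrator nothing to do about it; the last paragraph of the hunk ("The error message is more likely to appear properly on the client if the principal entry has no long-term keys.") also leaves the reader to guess why the presence of long-term keys hides the message. Suggest closing the entry with a short remedy sentence, e.g. "Check the validity period of the client certificate, the KDC certificate, and every certificate in the signing chain, and renew the one that has expired," and adding a clause to the final sentence explaining what happens on the client when the principal does have long-term keys, so the reader knows where else to look for the failure. Also confirm that a `_trace_logging:` target exists in this file or an included one, since `trace_logging_` in the hunk is a reStructuredText reference that will warn at build time if the target is missing.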