[Muscle] FC6 and pkcs11_inspect

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Tue Nov 28 14:14:34 PST 2006


Greg wrote:
>> IIRC from another mailing list I am on, the Fedora version may use 
>> `certutil` instead of pam_pkcs11's `make_hash_link.sh` to create links to 
>> each of the CAs, and I am not sure if they keep them (the CAs) in the same 
>> place as the normal pam_pkcs11.
> 
> I'll try to find certutil when I get home. Given that I need my CAC
> for work, I can only debug my home computer at night. :(
> 
>> running `pkcs11_inspect debug` and making note of:
>> A) did it ask for a PIN/Password.
>> B) if it did (A), did it then spit out  'X.509 certificate found' and a 
>> little later 'certificate is valid'?
> 
> A) Yes
> B) No
> 
> Let me find the cut and paste version of the info it printed.
> 
> tantalus 2% pkcs11_inspect 
<SNIP>
> PIN for token: 
> DEBUG:pkcs11_inspect.c:101: PIN = [XXXXXXX]
> DEBUG:pkcs11.c:399: cert 0: found (HENNESSY.GREGORY.S.XXXXXXXXXX:CAC ID Certificate), "CN=HENNESSY.GREGORY.S.XXXXXXXXXX,OU=XXX,OU=PKI,OU=DoD,O=U.S. Government,C=US"
> DEBUG:pkcs11.c:399: cert 1: found (HENNESSY.GREGORY.S.XXXXXXXXXX:CAC Email Signature Certificate), "CN=HENNESSY.GREGORY.S.XXXXXXXXXX,OU=XXX,OU=PKI,OU=DoD,O=U.S. Government,C=US"
>
<SNIP>
> DEBUG:pkcs11_inspect.c:139: verifing the certificate for the key #1
> DEBUG:cert_vfy.c:37: Verifying Cert: HENNESSY.GREGORY.S.XXXXXXXXXX:CAC ID Certificate (CN=HENNESSY.GREGORY.S.XXXXXXXXXX,OU=XXX,OU=PKI,OU=DoD,O=U.S. Government,C=US)
> DEBUG:cert_vfy.c:41: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
> DEBUG:pkcs11_inspect.c:152: verify_certificate() failed: 
> DEBUG:pkcs11_inspect.c:139: verifing the certificate for the key #2
> DEBUG:cert_vfy.c:37: Verifying Cert: HENNESSY.GREGORY.S.1228899166:CAC Email Signature Certificate (CN=HENNESSY.GREGORY.S.1228899166,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US)
> DEBUG:cert_vfy.c:41: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
<SNIP>
As I expected.
You need to get pam_pkcs11 to recognize your (the DoD) CAs, i.e., run `certutil` 
or `make_hash_link.sh` (as supplied for FC6) on the appropriate CA files.


-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

