Advice on cross-realm PKINIT?

Nordgren, Bryce L -FS bnordgren at
Mon Jun 9 15:28:45 EDT 2014

I have a little test setup where I am trying to get my KDC to issue credentials for principals in "non-local" realms using PKINIT. I ran through the docs here: .

My local realm is EXAMPLE.COM and the foreign realm is EXTERNAL.ORG.

Success is defined as getting a TGT.

Using a certificate for a concrete principal in EXAMPLE.COM: Success
Using a certificate for a non-existent principal in EXTERNAL.ORG: ("Client not found in Kerberos database while getting initial credentials.")
Using a certificate for a concrete principal in EXTERNAL.ORG (e.g., I made a principal test at EXTERNAL.ORG locally): ("Realm not local to KDC while getting initial credentials.")

How do I set up PKINIT so that the principal: 1] does not have to exist in the local database; and 2] can be from a non-local realm?

Thanks much,

