# # verify PKINIT policy # The certs noCA.cer and noBC.cer must be in your trusted KDC keychain or otherwise # be trusted somehow. You can add them using the pkinitTool (tech/dmitch/Misc/pkinitTool/) # like so: # # % pkinitTool t noCA.cer # ...KDC cert trust assignment successful # % pkinitTool t noBC.cer # ...KDC cert trust assignment successful # globals certNetFetchEnable = false useSystemAnchors = true allowUnverified = true end test = "Client, root cert, expect fail" policy = pkinitClient cert = noCA.cer error = CSSMERR_TP_INVALID_ANCHOR_CERT end test = "Server, CA, expect fail" policy = pkinitServer cert = CA.cer error = CSSMERR_TP_INVALID_ANCHOR_CERT end test = "Server, !CA, success" policy = pkinitServer cert = noCA.cer end test = "Server, !BC, success" policy = pkinitServer cert = noBC.cer end