[39533] in Kerberos


MacOS + Kerberos PKINIT: What is the option to find certificates?

daemon@ATHENA.MIT.EDU (Nick)
Tue Jul 29 00:15:20 2025

MIME-Version: 1.0
From: Nick <atod101101@gmail.com>
Date: Tue, 29 Jul 2025 00:13:56 -0400
Message-ID: <CAG9BPSU_HA-j9ZM425w6iRzkNjPo6p6zaQfgz-97GGrESfgHVQ@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Does anyone know the options for MacOS's customized kinit to find
certificates?  Unsure if MacOS PKINIT support is functional.

I have PKINIT working in a Unix environment; however, when testing on MacOS
I'm finding problems locating the certs when invoking pkinit. I tried
adding a .p12 to a custom keychain for the user's account, but pkinit
fails because it's unable to find a matching cert. I know the OID is
correct for kinit in Unix because I've tested it after following the
PKINIT instructions on the MIT website.

Here are some log messages from MacOS:

env KRB5_TRACE=/dev/stdout kinit --kdc-hostname=XXX -C XX@REALM.ORG XX@REALM.ORG

set-error: 569873: Failed finding certificate with PKINIT EKU OID:
Certificate not found
 Failed finding certificate with PKINIT EKU OID: Certificate not found: 569873
 set-error: 569873: Failed finding certificate with MS EKU OID:
Certificate not found
 Failed finding certificate with MS EKU OID: Certificate not found: 569873
 set-error: 569873: Failed finding certificate with any (or no) OID:
Certificate not found
 Failed finding certificate with any (or no) OID: Certificate not found: 569873
Adding PA mech: PKINIT(IETF)
set-error: -1765328359: Error from KDC: NEEDED_PREAUTH
krb5_get_init_creds: KRB-ERROR -1765328359/Error from KDC: NEEDED_PREAUTH
set-error: -1980176575: PKINIT: No user certificate given
PA type PKINIT(IETF) returned -1980176575: PKINIT: No user certificate given


In Unix, I pass the certs as follows and this works:
kinit -X X509_user_identity="FILE:/client.pem,FILE:/clientkey.pem" -p XX
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
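The trace above reports that no certificate with the PKINIT EKU OID, the MS EKU OID, or any OID could be found. As an added example that is not part of the original post or of either Kerberos implementation, the pure-Python decoder below pulls the extendedKeyUsage OIDs out of a DER certificate so a client cert can be checked for those two EKUs before it is imported into a keychain; the function names (`eku_oids`, `pkinit_usable`, `sample_cert`) are mine, and `sample_cert` builds a constructed certificate skeleton, not a real certificate.

```python
"""Decode the EKU OIDs of a DER X.509 certificate and check for the ones the trace above names."""
PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"         # id-pkinit-KPClientAuth (RFC 4556)
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon EKU
EXT_EKU = "2.5.29.37"                          # id-ce-extKeyUsage

def _tlv(buf, pos):
    """Parse one DER element at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = length of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                        # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def eku_oids(cert_der):
    """Return the EKU OIDs of a DER certificate ([] if it has no EKU extension)."""
    _, cert, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                  # tbsCertificate is its first field
    for tag, exts in _children(tbs):
        if tag != 0xA3:                        # extensions are [3] EXPLICIT
            continue
        for _, ext in _children(next(_children(exts))[1]):  # SEQUENCE OF Extension
            fields = list(_children(ext))      # extnID, [critical], extnValue
            if _oid(fields[0][1]) == EXT_EKU:
                _, seq, _ = _tlv(fields[-1][1], 0)  # OCTET STRING wraps SEQUENCE OF OID
                return [_oid(v) for t, v in _children(seq) if t == 0x06]
    return []
def pkinit_usable(cert_der):
    """True if the certificate carries an EKU that PKINIT clients search for."""
    return bool({PKINIT_CLIENT_AUTH, MS_SMARTCARD_LOGON} & set(eku_oids(cert_der)))
def _der(tag, *parts):                         # short-form lengths only (constructed sample)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
# Constructed sample (not a real certificate): a skeleton whose tbsCertificate holds only
# an extensions field, with the EKU members passed as DER-encoded OBJECT IDENTIFIERs.
OID_PKINIT_DER = bytes.fromhex("06 07 2b 06 01 05 02 03 04")
def sample_cert(*oid_ders):
    eku = _der(0x30, bytes.fromhex("06 03 55 1d 25"), _der(0x04, _der(0x30, *oid_ders)))
    return _der(0x30, _der(0x30, _der(0xA3, _der(0x30, eku))))
```

For a real certificate, read the DER file as bytes (or base64-decode the body of a PEM file) and pass it to `eku_oids`; a cert that lists only id-kp-clientAuth will be rejected by both EKU searches in the trace.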
