[39534] in Kerberos

Re: MacOS + Kerberos PKINIT: What is the option to find certificates?

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Tue Jul 29 12:34:39 2025

Message-Id: <202507291633.56TGXOxI004490@hedwig.cmf.nrl.navy.mil>
To: Nick <atod101101@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CAG9BPSU_HA-j9ZM425w6iRzkNjPo6p6zaQfgz-97GGrESfgHVQ@mail.gmail.com>
MIME-Version: 1.0
Date: Tue, 29 Jul 2025 12:33:25 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>Does anyone know the options for MacOS's customized kinit to find
>certificates?  Unsure if MacOS PKINIT support is functional.

I'll be honest ... we support PKINIT on macOS X, but only by providing
our own custom build of MIT Kerberos (we have some relatively minor
changes to MIT Kerberos; I believe all of our PKINIT-related changes
have been pushed upstream to MIT).  The native MacOS X Kerberos
implementation is based on Heimdal and PKINIT is persnickety enough that
we didn't even consider using it.

I am unclear how the Heimdal Kerberos implementation looks for the
client certificate and key, but that seems to be where things are
going wrong based on the error messages you posted.  The source
code to most of the Heimdal Kerberos implementation is available on
opensource.apple.com so you might have to dig around there to see what
it is expecting.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
