Tuesday, April 28, 2026

macOS + Kerberos PKINIT: What is the option to find certificates? kinit fails

Does anybody know the options for macOS's custom kinit to find certificates?

I have PKINIT working in a Unix setting; however, when testing on macOS I am having issues finding the certs when invoking PKINIT. I tried adding a .p12 to a customized keychain for the customer's account, but PKINIT fails, unable to find a matching cert. I know the OID is right for kinit in Unix because I have examined it after following the PKINIT directions on the MIT website.

Listed below are some log messages from MacOS:

env KRB5_TRACE=/dev/stdout kinit --kdc-hostname=XXX -C [email protected] [email protected]

set-error: 569873: Failed discovering certificates with PKINIT EKU OID: Certificates not discovered
 Failed discovering certificates with PKINIT EKU OID: Certificates not discovered: 569873
 set-error: 569873: Failed discovering certificates with MS EKU OID: Certificates not discovered
 Failed discovering certificates with MS EKU OID: Certificates not discovered: 569873
 set-error: 569873: Failed discovering certificates with any (or no) OID: Certificates not discovered
 Failed discovering certificates with any (or no) OID: Certificates not discovered: 569873
Including PA mech: PKINIT(IETF)
set-error: -1765328359: Error from KDC: NEEDED_PREAUTH
krb5_get_init_creds: KRB-ERROR -1765328359/Error from KDC: NEEDED_PREAUTH
set-error: -1980176575: PKINIT: No consumer certificates given
PA sort PKINIT(IETF) returned -1980176575: PKINIT: No consumer certificates given

In Unix, I pass the certs as follows:

kinit -X X509_user_identity="FILE:/consumer.pem,FILE:/clientkey.epm" -p XX
