MacOS + Kerberos PKINIT: What is the option to find certificates?

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Jul 29 12:33:25 EDT 2025


>Does anyone know the options for MacOS's customized kinit to find
>certificates?  Unsure if MacOS PKINIT support is functional.

I'll be honest ... we support PKINIT on macOS X, but only by providing
our own custom build of MIT Kerberos (we have some relatively minor
changes to MIT Kerberos; I believe all of our PKINIT-related changes
have been pushed upstream to MIT).  The native MacOS X Kerberos
implementation is based on Heimdal and PKINIT is persnickety enough that
we didn't even consider using it.

I am unclear how the Heimdal Kerberos implementation looks for the
client certificate and key, but that seems to be where things are
going wrong based on the error messages you posted.  The source
code to most of the Heimdal Kerberos implementation is available on
opensource.apple.com so you might have to dig around there to see what
it is expecting.

--Ken

