PKINIT against Active Directory KDC
Hi all,

I've been trying to get PK-INIT working with macOS High Sierra (10.13.2), Active Directory and Yubikeys. Currently I'm stuck at how I can get kinit to find the correct certificates from the keychain. I've managed to get things working with the certificate and private key in a PEM file:

    kinit --pk-enterprise --windows -C FILE:/tmp/test.pem

But if I store the certificate and key in Keychain and try the same command with

    kinit --pk-enterprise --windows -C KEYCHAIN:

I get an error:

    kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found

The certificate looks like this:

    $ /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/hxtool print FILE:/tmp/test.pem
    cert: 0
      friendly name: CN=Example Account,OU=People,DC=utu,DC=fi
      private key: yes
      issuer: "CN=University of Turku Issuing CA Class 1,DC=utu,DC=fi"
      subject: "CN=Example Account,OU=People,DC=utu,DC=fi"
      serial: 5500008FD546F070AD0E2F882C000000008FD5
      keyusage: keyEncipherment, digitalSignature
      persistent: 5BDC16DB57748F5B0164151D8BE4E367C459462A

    $ /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/hxtool validate FILE:/tmp/ollopi.pem
    checking extention: extKeyUsage
    checking extention: keyUsage
    checking extention: subjectKeyIdentifier
    checking extention: authorityKeyIdentifier
    checking extention: cRLDistributionPoints
    checking extention: authorityInfoAccess
    Critical not set on MUST 1.3.6.1.5.5.7.48.21.3.6.1.5.5.7.48.2
    checking extention: subjectAltName

The only difference I see when I use "hxtool print KEYCHAIN:" is "private key: no", although the private key is shown with the certificate in Keychain Access.

I'd appreciate it if someone could offer any clue on how to fix this or debug it further.

Oh, and if someone could point me to more detailed documentation or how-to articles on SmartCardServices, AttributeMapping and UserSelector, I'd be very thankful. The man pages are rather vague on this.

-- 
Eino Tuominen
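The check the post performs by eye (does the identity source expose a private key with the key usage PKINIT needs?) can be scripted over `hxtool print` output. This is an added POSIX sh example, not code from the original post or from Heimdal; the two sample outputs are constructed from the fields shown in the post, and the KEYCHAIN sample reproduces the "private key: no" symptom.

```shell
#!/bin/sh
# Added example, not from the original post: decide from `hxtool print` output
# whether an identity source holds a certificate PKINIT can actually use, i.e.
# one that reports "private key: yes" and carries the digitalSignature key usage.
# Feed it real output with:  pkinit_ready "$(hxtool print KEYCHAIN:)"
# The two samples below are constructed from the fields shown in the post;
# the KEYCHAIN sample reproduces the "private key: no" symptom.

# pkinit_ready OUTPUT
#   prints the friendly name of every usable certificate entry,
#   exits 0 if at least one was found and 1 otherwise.
pkinit_ready() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (name != "" && key == "yes" && usage ~ /digitalSignature/) {
                print name; found = 1
            }
        }
        /^[ \t]*cert: /   { flush(); name = ""; key = ""; usage = "" }
        /friendly name:/  { sub(/.*friendly name: */, ""); name = $0 }
        /private key:/    { key = $NF }
        /keyusage:/       { usage = $0 }
        END               { flush(); exit (found ? 0 : 1) }'
}

# Constructed: the FILE: view, private key present (as in the post).
FILE_OUTPUT='cert: 0
  friendly name: CN=Example Account,OU=People,DC=utu,DC=fi
  private key: yes
  issuer: "CN=University of Turku Issuing CA Class 1,DC=utu,DC=fi"
  subject: "CN=Example Account,OU=People,DC=utu,DC=fi"
  serial: 5500008FD546F070AD0E2F882C000000008FD5
  keyusage: keyEncipherment, digitalSignature'

# Constructed: the same certificate seen through KEYCHAIN:, private key not exposed.
KEYCHAIN_OUTPUT='cert: 0
  friendly name: CN=Example Account,OU=People,DC=utu,DC=fi
  private key: no
  issuer: "CN=University of Turku Issuing CA Class 1,DC=utu,DC=fi"
  subject: "CN=Example Account,OU=People,DC=utu,DC=fi"
  keyusage: keyEncipherment, digitalSignature'

if pkinit_ready "$FILE_OUTPUT" >/dev/null; then
    echo "FILE: usable PKINIT identity found"
fi
if ! pkinit_ready "$KEYCHAIN_OUTPUT" >/dev/null; then
    echo "KEYCHAIN: no entry with an accessible private key; kinit will fail as in the post"
fi
```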