[SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT

Yoann Gini yoann.gini at gmail.com
Tue May 20 00:11:40 PDT 2014


Hi,

On 19 May 2014, at 22:31, Henry B Hotz <hbhotz at oxy.edu> wrote:

> 
> On May 16, 2014, at 3:23 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
> 
>>> I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. The smart card I am using for this is the DoD CAC.
>> 
>> I’ve got this problem too. I’ve found (via reverse engineering) that the Kerberos framework has some problems in the algo used to validate the certificate on the card. It seems to see it but doesn’t take it as valid.
> 
> Alexander's cert ought to be OK since it's at least recognized, but I've seen a similar apparent mis-match in processing the KDC reply from a Heimdal KDC. I suspect the problem is a mis-match between Apple's PKI framework and Heimdal.

Yes, this can also be an explanation for what I’ve seen.

When I said “it doesn’t take it as valid”, I was talking about the whole checkup process: certificate validity and authorized usage.

Of course, I’ve tried different KU and EKU without any success.