[SmartcardServices-Users] [External] Re: OS X 10.9 Smart Card Logon But No PKINIT

Brown, Alexander [USA] Brown_Alexander2 at bah.com
Thu May 22 07:59:30 PDT 2014


I exported the public certificate to a file and then ran "sudo security verify-cert -p pkinitClient -c <certificate-file>" (replacing <certificate-file> with the actual file name) and the message I received was "certificate verification successful".


Alex

-----Original Message-----
From: Henry B Hotz [mailto:hbhotz at oxy.edu] 
Sent: Tuesday, May 20, 2014 5:02 PM
To: Yoann Gini
Cc: Brown, Alexander [USA]; smartcardservices-users at lists.macosforge.org
Subject: [External] Re: [SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT

Just for completeness we should mention the command "security verify-cert -p pkinitClient". I don't think it calls any Heimdal Kerberos code, but it should tell you something about what the Apple PKI code thinks.

On May 20, 2014, at 12:11 AM, Yoann Gini <yoann.gini at gmail.com> wrote:

> Le 19 mai 2014 à 22:31, Henry B Hotz <hbhotz at oxy.edu> a écrit :
> 
>> On May 16, 2014, at 3:23 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
>> 
>>>> I got the error "kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found". The smart card I am using for this is the DoD CAC.
>>> 
>>> I've got this problem too. I've found (via reverse engineering) that the Kerberos framework has some problems in the algorithm used to validate the certificate on the card. It seems to see it but doesn't take it as valid.
>> 
>> Alexander's cert ought to be OK since it's at least recognized, but I've seen a similar apparent mis-match in processing the KDC reply from a Heimdal KDC. I suspect the problem is a mis-match between Apple's PKI framework and Heimdal.
> 
> Yes, this can also be an explanation for what I've seen.
> 
> When I said « it doesn't take it as valid », I was talking about the whole check-up process: certificate validity and authorized usage.
> 
> Of course I've tried different KU and EKU without any success.

At least for Heimdal, I think KU of digitalSignature is all that's required. I wonder if it's worth trying Heimdal on a Linux system for comparison? (I suggest Debian with the OpenSC card drivers if someone wants to try.) If nothing else the error messages might be clearer, and you could write a better bug report for Apple.

Personal email.  hbhotz at oxy.edu
