[SmartcardServices-Users] PKINIT against Active Directory KDC
Eino Tuominen
eino at utu.fi
Thu Jan 11 00:24:44 PST 2018
Hi all,
I've been trying to get PK-INIT working with macOS High Sierra (10.13.2), Active Directory and Yubikeys. Currently I'm stuck at how I can get kinit to find correct certificates from keychain.

I've managed to get things working with certificate and private key in a PEM-file:

  kinit --pk-enterprise --windows -C FILE:/tmp/test.pem

But, if I store the certificate and key in Keychain and try the same command with

  kinit --pk-enterprise --windows -C KEYCHAIN:

I get an error:
kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found
The certificate looks like this:
$ /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/hxtool print FILE:/tmp/test.pem
cert: 0
friendly name: CN=Example Account,OU=People,DC=utu,DC=fi
private key: yes
issuer: "CN=University of Turku Issuing CA Class 1,DC=utu,DC=fi"
subject: "CN=Example Account,OU=People,DC=utu,DC=fi"
serial: 5500008FD546F070AD0E2F882C000000008FD5
keyusage: keyEncipherment, digitalSignature
persistent: 5BDC16DB57748F5B0164151D8BE4E367C459462A
$ /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/hxtool validate FILE:/tmp/ollopi.pem
checking extention: extKeyUsage
checking extention: keyUsage
checking extention: subjectKeyIdentifier
checking extention: authorityKeyIdentifier
checking extention: cRLDistributionPoints
checking extention: authorityInfoAccess
Critical not set on MUST
1.3.6.1.5.5.7.48.2
1.3.6.1.5.5.7.48.2
checking extention: subjectAltName
The only difference when I use "hxtool print KEYCHAIN:" I see is "private key: no", although the private key is shown with the certificate in Keychain Access.
I'd appreciate if someone could offer any clue on how to fix this or debug it further. Oh, and if someone could point me to more detailed documentation or how-to-articles on SmartCardServices, AttributeMapping and UserSelector I'd be very thankful. Man pages are rather vague on this.
--
Eino Tuominen
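As an added example (not part of the post above, and not Heimdal's own code), here is a small checker for the `hxtool print` output quoted in the post. It parses the per-certificate fields, flags the conditions that would keep kinit from using a certificate for PKINIT (no usable private key, no digitalSignature key usage), and diffs the same certificate as reported from two stores, so the "private key: yes" versus "private key: no" difference between FILE: and KEYCHAIN: stands out by serial number. The sample output is constructed from the post; the KEYCHAIN: sample is assumed to be identical except for the private-key line, as the post describes.

```python
"""Parse and compare the output of Heimdal's `hxtool print` for PKINIT readiness.

Added example; the field names ("private key", "keyusage", "serial", ...) follow
the hxtool output quoted in the mailing-list post. The KEYCHAIN: sample below is
constructed, not captured: it assumes only the private-key line differs.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the FILE:/tmp/test.pem output from the post.
HXTOOL_FILE_OUTPUT = """\
cert: 0
    friendly name: CN=Example Account,OU=People,DC=utu,DC=fi
    private key: yes
    issuer: "CN=University of Turku Issuing CA Class 1,DC=utu,DC=fi"
    subject: "CN=Example Account,OU=People,DC=utu,DC=fi"
    serial: 5500008FD546F070AD0E2F882C000000008FD5
    keyusage: keyEncipherment, digitalSignature
    persistent: 5BDC16DB57748F5B0164151D8BE4E367C459462A
"""

# Constructed sample for `hxtool print KEYCHAIN:` (assumption: same certificate,
# but the store does not expose the private key, as the post reports).
HXTOOL_KEYCHAIN_OUTPUT = HXTOOL_FILE_OUTPUT.replace("private key: yes", "private key: no")


def parse_hxtool_print(text: str) -> List[Dict[str, str]]:
    """Split hxtool print output into one dict per 'cert: N' block.

    Each indented 'key: value' line is stored under its key; surrounding quotes
    around DNs are stripped so subject/issuer compare cleanly.
    """
    certs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"cert:\s*(\d+)$", line)
        if header:
            current = {"index": header.group(1)}
            certs.append(current)
            continue
        if not certs:
            continue  # ignore anything before the first cert block
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip().strip('"')
    return certs


def pkinit_problems(cert: Dict[str, str]) -> List[str]:
    """Return reasons this certificate cannot be used to sign a PKINIT AS-REQ.

    kinit needs a certificate whose private key the store actually hands out
    and whose keyUsage permits signing; a missing serial suggests a parse gap.
    """
    problems: List[str] = []
    if cert.get("private key") != "yes":
        problems.append("private key not accessible through this store")
    usage = {u.strip() for u in cert.get("keyusage", "").split(",") if u.strip()}
    if "digitalSignature" not in usage:
        problems.append("keyUsage lacks digitalSignature")
    if not cert.get("serial"):
        problems.append("no serial parsed")
    return problems


def compare_stores(file_text: str, keychain_text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Diff certificates (matched by serial) between two hxtool outputs.

    Result maps serial -> {field: (value_in_first, value_in_second)} for every
    field that differs; the 'index' field is ignored since ordering may change.
    """
    by_serial_a = {c.get("serial", ""): c for c in parse_hxtool_print(file_text)}
    by_serial_b = {c.get("serial", ""): c for c in parse_hxtool_print(keychain_text)}
    diff: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for serial in by_serial_a.keys() | by_serial_b.keys():
        a, b = by_serial_a.get(serial, {}), by_serial_b.get(serial, {})
        changed = {
            k: (a.get(k, "<absent>"), b.get(k, "<absent>"))
            for k in (a.keys() | b.keys()) - {"index"}
            if a.get(k) != b.get(k)
        }
        if changed:
            diff[serial] = changed
    return diff


if __name__ == "__main__":
    for label, text in (("FILE:", HXTOOL_FILE_OUTPUT), ("KEYCHAIN:", HXTOOL_KEYCHAIN_OUTPUT)):
        for cert in parse_hxtool_print(text):
            print(label, cert["subject"], "->", pkinit_problems(cert) or "ok for PKINIT")
    print("differences by serial:", compare_stores(HXTOOL_FILE_OUTPUT, HXTOOL_KEYCHAIN_OUTPUT))
```

To use it on real output, replace the two constructed strings with the captured text of `hxtool print FILE:...` and `hxtool print KEYCHAIN:`; a serial that shows `private key: ('yes', 'no')` in the diff is one the keychain lists but will not sign with, which is the first thing to check before suspecting the certificate itself.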