• MacOS + Kerberos PKINIT: What is the option to find certificates?

    From Nick@atod101101@gmail.com to kerberos on Tue Jul 29 00:13:56 2025
    From Newsgroup: comp.protocols.kerberos

    Does anyone know the options for MacOS's customized kinit to find
    certificates? Unsure if MacOS PKINIT support is functional.

    I have PKINIT working in a Unix environment, however testing on MacOS
    I'm finding problems locating the certs when invoking pkinit. I tried
    adding a .p12 to a custom keychain for the user's account, but pkinit
    fails because it's unable to find a matching cert. I know the OID is
    correct for kinit in Unix because I've tested it after following the
    PKINIT instructions on the MIT website.

    Here are some log messages from MacOS:

    env KRB5_TRACE=/dev/stdout kinit --kdc-hostname=XXX -C XX@REALM.ORG XX@REALM.ORG

    set-error: 569873: Failed finding certificate with PKINIT EKU OID:
    Certificate not found
    Failed finding certificate with PKINIT EKU OID: Certificate not found: 569873
    set-error: 569873: Failed finding certificate with MS EKU OID:
    Certificate not found
    Failed finding certificate with MS EKU OID: Certificate not found: 569873
    set-error: 569873: Failed finding certificate with any (or no) OID: Certificate not found
    Failed finding certificate with any (or no) OID: Certificate not found: 569873
    Adding PA mech: PKINIT(IETF)
    set-error: -1765328359: Error from KDC: NEEDED_PREAUTH
    krb5_get_init_creds: KRB-ERROR -1765328359/Error from KDC: NEEDED_PREAUTH
    set-error: -1980176575: PKINIT: No user certificate given
    PA type PKINIT(IETF) returned -1980176575: PKINIT: No user certificate given


    In Unix, I pass the certs as follows and this works:
    kinit -X X509_user_identity="FILE:/client.pem,FILE:/clientkey.epm" -p XX