Mac OS X keychain smart card

Description: A certificate evaluation issue existed in the handling of name constraints.

MacOS X smartcard based login with SmartCard-HSM fails · Issue # · OpenSC/OpenSC · GitHub

This issue was addressed through improved trust evaluation of certificates. I can confirm that with the system update ctkahd doesn't crash anymore when parsing the certificate obtained from OpenSCToken. Unfortunately, the certificate still doesn't show up in the system, it is just ignored.


  • A Contemporary Overview of Smart Card Support on macOS - Lei's Blog.

However, the following issues can be observed in the OpenSC debug log (I am unsure of their relevance): 0x7fffec0 SS] signal received: 20 SS] signal handled 20

The first part describes how to install a certificate on a YubiKey, and the second part discusses Smart Card support on the latest macOS releases.

The first part describes how to import a certificate onto a YubiKey, taking the MIT certificate as an example. Head over to the IST website and generate a certificate.

A Contemporary Overview of Smart Card Support on macOS

You should now have the certificate and the corresponding private key listed in the Keychain Access app. Keychain will then ask for a passphrase to protect the file, which will be used to encrypt the exported private key.

Smart-card user experience on OS X

This passphrase will be needed only once, when importing the private key into the YubiKey. Then plug in your YubiKey and import the certificate and the private key. The first command moves the certificate and the private key to slot 9a on the YubiKey. Slot 9a is for authenticating the user.

Configure macOS for smart card-only authentication

Before Sierra Actually this statement is not totally true - up until Lion

This command lists all the certificates present on the smart card and how their attributes match against Active Directory. Ignore any certificate that displays "This certificate cannot be used for pkinit", as such certificates are not applicable for system logins. If the message "Cannot locate NT principal name in AD" is displayed for a certificate that can be used for pkinit, make sure the user has been configured correctly in Active Directory Users and Computers.


If the UPN on the smart card is something other than mil, make sure that the adclient. For example, if the UPN on the smart card is mysmartcard. In the list of users, right-click the user who is attempting to log in, and select Properties.

Select the Account tab in the Properties dialog and verify that the name in the User logon name field matches the NT Principal Name on the smart card. If the preceding steps have been verified and smart card logins still fail, there might be a compatibility issue between the smart card and the Mac OS itself. If necessary, contact Centrify Support and provide the information described in Collecting information specific to smart card log in failure.
