How can you access "other" Keychains in macOS using Java?


By default, we have the following items listed as keychains in macOS's Keychain Access tool:

  • login
  • Local Items
  • System
  • System Roots

And it seems that, out of the box, the Mac has problems dealing with smart cards, so I had to install a 3rd-party tool, Centrify, in order to propagate the certificates from a smart card into Apple's Keychain. However, this 3rd-party tool seems to create a brand new keychain of its own for the inserted smart card. The keychain seems to have the following naming format:

  • PIV-<Name of the cert>

I had been using Java's KeyStore to access the Apple Keychain, but I am unable to access any of the certificates or the keychain installed by the Centrify tool.

Currently I'm accessing the Apple Keychain like this:

import java.security.KeyStore;

// The Apple provider's "KeychainStore" type is backed by the user's keychain,
// so load() takes no input stream and no password.
KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
ks.load(null, null);

And I am able to load and access the certificates that are under the login keychain, but not the ones imported by Centrify.

Does anyone know the proper way to access other keychains?

1
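The following program is an added example (it is not code from the question or from Centrify) that takes the KeychainStore approach above one step further: it enumerates every alias the "Apple" provider exposes, records subject, issuer, validity and whether a private key is present, and flags entries that look like PIV smart card certificates. This is the quickest way to confirm which keychain contents Java actually sees. Assumptions: it runs on macOS with a JDK that ships the Apple provider; the class name KeychainAudit, the Entry type and the "PIV" substring heuristic in looksLikePiv() are mine, the last being a guess based on the "PIV-<Name of the cert>" keychain naming reported in the question.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Lists every entry that Java's Apple "KeychainStore" provider exposes and
 * flags the ones that look like smart card (PIV) certificates.
 *
 * Added example, not code from the question or from Centrify. Assumptions:
 * it runs on macOS with a JDK that ships the "Apple" provider, and the
 * "PIV" substring heuristic in looksLikePiv() is a guess based on the
 * "PIV-<cert name>" keychain naming the question reports.
 *
 * Build and run: javac KeychainAudit.java && java KeychainAudit
 */
public class KeychainAudit {

    /** One report row: the facts a practitioner checks first for each alias. */
    public static final class Entry {
        public final String alias;
        public final String subject;
        public final String issuer;
        public final boolean hasPrivateKey;
        public final boolean valid;

        Entry(String alias, String subject, String issuer, boolean hasPrivateKey, boolean valid) {
            this.alias = alias;
            this.subject = subject;
            this.issuer = issuer;
            this.hasPrivateKey = hasPrivateKey;
            this.valid = valid;
        }
    }

    /** Opens the keychain-backed KeyStore; the Apple provider takes no stream and no password. */
    public static KeyStore openAppleKeychain() throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null);
        return ks;
    }

    /** Walks all aliases and records subject, issuer, private-key presence and validity. */
    public static List<Entry> listEntries(KeyStore ks) throws KeyStoreException {
        List<Entry> entries = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // keychain entries are X.509, but stay defensive
            }
            X509Certificate x509 = (X509Certificate) cert;
            boolean valid;
            try {
                x509.checkValidity(); // throws if expired or not yet valid
                valid = true;
            } catch (CertificateException e) {
                valid = false;
            }
            // isKeyEntry() is true only when the keychain also holds the private key,
            // i.e. the entry is an identity usable for signing or TLS client auth.
            entries.add(new Entry(alias,
                    x509.getSubjectX500Principal().getName(),
                    x509.getIssuerX500Principal().getName(),
                    ks.isKeyEntry(alias),
                    valid));
        }
        return entries;
    }

    /** Heuristic (assumption): PIV identities carry "PIV" in their alias or subject. */
    public static boolean looksLikePiv(Entry e) {
        return e.alias.toUpperCase().contains("PIV")
                || e.subject.toUpperCase().contains("PIV");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = openAppleKeychain();
        List<Entry> entries = listEntries(ks);
        int pivCount = 0;
        for (Entry e : entries) {
            boolean piv = looksLikePiv(e);
            if (piv) pivCount++;
            System.out.printf("%-40s key=%-5s valid=%-5s piv=%-5s%n  subject=%s%n  issuer=%s%n",
                    e.alias, e.hasPrivateKey, e.valid, piv, e.subject, e.issuer);
        }
        System.out.printf("%d entries, %d look like PIV certificates%n", entries.size(), pivCount);
        if (pivCount == 0) {
            System.out.println("No PIV entries: the smart card keychain is not among the keychains this provider exposes.");
        }
    }
}
```

If the report shows only the login keychain's identities and no PIV entries, the program has reproduced the situation the question describes: the provider is working, but the separate PIV keychain is simply not part of what it enumerates. Compare its output with the Keychain Access window to see which keychains are and are not covered.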

There is 1 answer

2
Albert On

This is Albert from Centrify. The PIV-<> keychain is a PIN-protected keychain which secures the use of the smart card credential. Because of this, the keystore is not able to retrieve it unless it is unlocked. This is similar to getting certificates from the System keychain, which is allowed only for users with admin privileges.

You can go to the Idea Exchange to raise the idea so that we understand the need for this kind of use case: http://community.centrify.com/t5/Centrify-Idea-Exchange/idb-p/Centrify-Idea-Exchange

Also, you may want to take a look at the derived credential feature in the Centrify SaaS product, which should do what you wished: https://docs.centrify.com/en/centrify/adminref/index.html?version=1495753737#page/cloudhelp%2FderivedCreds.html

Best Regards,

Albert