MIT relies on personal certificates for user authentication. Personally I regard this method as superior to traditional password authentication, but sometimes I need to log in on a new machine, and it is a hassle to install the certificate on every machine that I may use. Fortunately, I have a Yubikey on my keyring, so I spent some time figuring out how to install a certificate on it and use that to log in to MIT websites on macOS.
Head over to the IST website and generate a certificate. Then import it into the Mac’s Keychain. You should now have the certificate and the corresponding private key listed in the Keychain Access app, like this:
Then, select the entry and hit ⇧⌘E (Shift-Command-E) to export the item. Choose “Personal Info Exchange (.p12)” format. Keychain will then ask for a passphrase to protect the file, which will be used to encrypt the exported private key. This passphrase will be needed when importing the private key into Yubikey.
Use Homebrew to install the Yubico PIV Tools by executing
brew install yubico-piv-tool
Then plug in your Yubikey. Now import the certificate and the private key, and write the CCC and CHUID objects:
yubico-piv-tool -s 9a -i Certificates.p12 -a import-key -a import-cert -K PKCS12
yubico-piv-tool -a set-ccc
yubico-piv-tool -a set-chuid
The certificate and its private key have now been imported into slot 9a on your Yubikey, which is the slot used for PIV authentication.
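The import step above writes a private key that also still sits, passphrase-protected, in the exported .p12 on disk, and nothing in the three commands confirms that what landed in slot 9a is the certificate you exported. The script below is an added example, not part of the original post: it wraps the same import, reads the certificate back from the slot, compares its SHA-256 fingerprint with the one inside the .p12, and only then deletes the export. It assumes yubico-piv-tool and openssl are on PATH and uses the post’s file name Certificates.p12; the helper names (normalize_fp, import_p12 and so on) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): import an exported .p12 into PIV
# slot 9a, verify the Yubikey now holds the same certificate, then remove the
# on-disk copy of the private key. Assumes yubico-piv-tool and openssl on PATH.
set -eu

SLOT=9a   # PIV authentication slot, as in the post

# Normalise a fingerprint so values from different tools compare equal:
# "SHA256 Fingerprint=AB:CD:..." (openssl) and "AB CD ..." (Keychain Access
# certificate details) both become lowercase hex with no separators.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the certificate inside the .p12 (openssl prompts for
# the export passphrase chosen in Keychain Access).
p12_fingerprint() {
    openssl pkcs12 -in "$1" -clcerts -nokeys | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate currently stored in a PIV slot.
slot_fingerprint() {
    yubico-piv-tool -a read-certificate -s "$1" | openssl x509 -noout -fingerprint -sha256
}

# The post's three commands, split out: import key and certificate from the
# PKCS#12 file, then write CCC and CHUID so macOS recognises the card.
import_p12() {
    yubico-piv-tool -s "$SLOT" -i "$1" -K PKCS12 -a import-key -a import-certificate
    yubico-piv-tool -a set-ccc
    yubico-piv-tool -a set-chuid
}

main() {
    p12="$1"
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; exit 1; }
    want=$(normalize_fp "$(p12_fingerprint "$p12")")
    import_p12 "$p12"
    got=$(normalize_fp "$(slot_fingerprint "$SLOT")")
    if [ "$want" = "$got" ]; then
        echo "slot $SLOT holds certificate $got; removing $p12"
        # The key now lives on the token; the export is the only other copy.
        rm -f "$p12"
    else
        echo "fingerprint mismatch: p12=$want slot=$got" >&2
        exit 1
    fi
}

# Run as: sh yk-import.sh Certificates.p12 (does nothing without an argument).
if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

normalize_fp is what makes the comparison robust: openssl prints colon-separated uppercase hex with a label, while Keychain Access shows the same SHA-256 fingerprint space-separated, so either source can be checked against what read-certificate returns from the card. Deleting the .p12 with rm removes the file entry only; on a FileVault-encrypted disk that is adequate, and the passphrase you chose when exporting remains the protection for any residual bytes.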
To make the key recognizable by the Mac, install OpenSC from Homebrew Cask. Note that the one from non-Cask Homebrew repository will not work.
brew cask install opensc
There are some references on the internet saying that Apple added native support for PIV smart cards in High Sierra and that OpenSC is no longer needed. However, I have not yet had the time to test that, and will stay with OpenSC for now.