Download KCA Utilities and get-cert script for Macintosh


                Note: kxlist no longer used

These packages provide v2.1 of kx509 which eliminates the use
of kxlist (actuallly kxlist -p) to write the KCA certiticate into
a file in /tmp/.  If you have your own scripts call kx509 and kxlist,
just remove the kxlist line.    Version v2.1 also introduces
new kx509 options:

    -o file    set certificate output file
    -q          quiet operation


                Usage note:

In order to use the get-cert.sh script (and the symbolilc links
getcert and get-cert), edit your  .bash_profile to add the
/usr/bin/get-cert directory to your PATH.

The get-cert script can be invoked with the options:

    -h    Show this help message
    -i     Try to auto-import into Mozilla/Seamonkey and FireFox
    -q    Suppress most informational output
    -d    Debug mode (additional output)
    -t    Get certificate from the KCAtest server
    -k    Store KCA certificate into Macintosh Keychain

Calling get-cert without any options will get a KCA certificate and
also convert it to PKCS#12 format.


These tarballs will unpack into a /usr//bin/get-cert directory tree
provide you do so from an account with root accees (like your
-admin account or use sudo from the command line and have setup
sudo to allow root acceess).

Executables linked for Mac OS X 10.6 (Snow Leopard) and earlier

Because OS X 10.7 changed to using Heimdal Kerberos (prevriously
the MIT Kerberos implementation was used), new executables had to
be made.  Due to an issue in the way Heimdal handles the credentials
cache, the kx509 utility had to be modified (this change eliminated the
need to use kxlist).  This change is planned to be back-ported to
OS X 10.6 and the Linux versions as well.  In addition, there is currently
a bug iin Heimdal Kerberos so KCA certificates which are issued are valid
only for the lifetime of the Kerberos credentials (usually about 26 hours)
rathen than for the full renewable lifetime of 1 week, so the current
version of  these utilities gets a certificate that is only valid for about 1 day
and so you must get a new KCA certificate each day.  This package includes
v3.7X of the get-cert script which works around this issue with a temporary
fix which might require a user to enter their Kerberos password more than
once.  We hope to fix this issue in the kx509 executable and restore the previous
get-cert script in the future.

Executables linked for Mac OS X 10.7 (Lion)