MacOS – SSL Client authentication with non-exportable certificates in Mac

Tags: certificate, java, macos, ssl

We use our organization's provided SSO certificate for SSL client authentication from our Java based desktop clients (Mac and Windows).

It seems that on Mac the certificate is marked with a non-exportable private key, and Java tries to export the key inside the JVM for SSL client authentication.
Hence our certificate authentication is not working.

Is this a limitation in macOS where SSL client authentication does not work with a non-exportable certificate, or are there any workarounds for this?
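As an added diagnostic (not code from the question's author), the following Java program shows the mechanism behind the failure described above: it opens the macOS keychain through Java's `KeychainStore` provider, reports which key entries the JVM can actually retrieve a private key for, and then builds the `SSLContext` a desktop client would use for client authentication. Assumptions: the JDK on the Mac ships the Apple provider so `KeyStore.getInstance("KeychainStore")` resolves; the keychain item password argument is not used; and a key the keychain will not release surfaces as a `GeneralSecurityException` (such as `UnrecoverableKeyException`) rather than as a usable key.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Diagnostic for the situation in the question: lists the key entries in the
 * macOS keychain as seen through Java's "KeychainStore" provider and reports
 * which private keys the JVM can actually retrieve. A key the keychain marks
 * non-exportable is expected to fail here, which is the failure the question
 * describes; this check surfaces it before the TLS handshake does.
 */
public class KeychainClientAuthCheck {

    /** Loads the Apple keychain-backed KeyStore (macOS JDK with the Apple provider). */
    static KeyStore loadKeychain() throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore");
        ks.load(null, null); // no file and no password: the keychain is opened in place
        return ks;
    }

    /**
     * Returns true if the JVM can obtain the private key material for the alias.
     * The KeychainStore provider has to pull the key bytes out of the keychain to
     * build a java.security.PrivateKey, so a non-exportable key fails. Assumption:
     * that failure surfaces as a GeneralSecurityException (e.g. UnrecoverableKeyException).
     */
    static boolean privateKeyUsable(KeyStore ks, String alias) {
        try {
            Key key = ks.getKey(alias, new char[0]); // password is not used for keychain items (assumption)
            return key != null;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Collects the aliases whose private key the JVM cannot reach. */
    static List<String> unusableKeyAliases(KeyStore ks) throws Exception {
        List<String> blocked = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias) && !privateKeyUsable(ks, alias)) {
                blocked.add(alias);
            }
        }
        return blocked;
    }

    /**
     * Builds the SSLContext a desktop client would use for client authentication:
     * key manager backed by the keychain, trust manager from the JVM's default
     * trust store. Depending on the key manager implementation, an unreachable
     * private key either makes init() throw or causes the alias to be skipped,
     * in which case the server later sees no client certificate at all.
     */
    static SSLContext clientAuthContext(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, new char[0]);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JVM default trust store (cacerts)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeychain();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                System.out.println(alias + ": " + (privateKeyUsable(ks, alias)
                        ? "private key retrievable by JVM"
                        : "private key NOT retrievable (non-exportable in keychain?)"));
            }
        }
        List<String> blocked = unusableKeyAliases(ks);
        if (!blocked.isEmpty()) {
            System.out.println("Client authentication will not work for: " + blocked);
        }
        SSLContext ctx = clientAuthContext(ks);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Run it on the affected Mac with the same JDK the desktop client uses; an alias reported as "NOT retrievable" is the SSO certificate whose private key the keychain refuses to hand to the JVM, which confirms that the problem is key export rather than the certificate chain or the server's trust configuration.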

Best Answer

One of the bases behind the security of a certificate (and all asymmetric cryptography) is that the private key be kept private.

Being able to export a private key is a misuse of security; it broadens the leak surface of that private key. (Ideally it was generated in a TPM, and export is not possible.)

  • Exporting a private key is saying you want another entity to be able to impersonate you, or...

  • OK, maybe the other entity didn't have the means to generate the keypair and you did that for them. But the privacy of that other entity is arguably compromised, as there is no proof that you didn't keep or share the key.