MacOS + Kerberos PKINIT: What is the option to find certificates? kinit fails
Does anyone know the options for MacOS's customized kinit to find certificates?
I have PKINIT working in a Unix environment; however, testing on MacOS, I'm finding problems locating the certs when invoking pkinit. I tried adding a .p12 to a custom keychain for the user's account, but pkinit fails, unable to find a matching cert. I know the OID is correct for kinit in Unix because I've tested it after following the PKINIT instructions on the MIT website.
Here are some log messages from MacOS:
env KRB5_TRACE=/dev/stdout kinit --kdc-hostname=XXX -C XX@REALM.ORG XX@REALM.ORG
set-error: 569873: Failed finding certificate with PKINIT EKU OID: Certificate not found
Failed finding certificate with PKINIT EKU OID: Certificate not found: 569873
set-error: 569873: Failed finding certificate with MS EKU OID: Certificate not found
Failed finding certificate with MS EKU OID: Certificate not found: 569873
set-error: 569873: Failed finding certificate with any (or no) OID: Certificate not found
Failed finding certificate with any (or no) OID: Certificate not found: 569873
Adding PA mech: PKINIT(IETF)
set-error: -1765328359: Error from KDC: NEEDED_PREAUTH
krb5_get_init_creds: KRB-ERROR -1765328359/Error from KDC: NEEDED_PREAUTH
set-error: -1980176575: PKINIT: No user certificate given
PA type PKINIT(IETF) returned -1980176575: PKINIT: No user certificate given
In Unix, I pass the certs as follows:
kinit -X X509_user_identity="FILE:/client.pem,FILE:/clientkey.epm" -p XX
Asked by atod
(75 rep)
Jul 29, 2025, 04:08 AM
Last activity: Jul 30, 2025, 01:18 PM