Where does kubectl get its client certificate from when using https?

Cluster information:

Kubernetes version: 1.15.11
Cloud being used: (put bare-metal if not on a public cloud) : Bare metal
Installation method: Salt
Host OS: centos 7
CNI and version:
CRI and version:

We use token authentication in our cluster. We have 1 user who cannot seem to get his kubectl (v1.15.11) to work. I had him set his configuration to insecure-tls-verify: true. He still gets ‘Unable to connect to the server: Forbidden’. His token works from my box so I’m thinking maybe its the client cert being used for SSL. Does kubectl just generate its own client cert or does it look for a host cert on the box it’s running on?