Military Cac For Mac No Client Certificate Presented
This is a quick guide to getting Apache set up for CAC (or other X.509) client certificate authentication. It is directed at Mac, although most of it probably applies to most flavors of Linux. Much of this is attributed to the following references; for the most part it acts as a fill-in-the-gaps note for me.
First get SSL running. A self-signed cert will suffice.
- When connecting to various online services, your Mac will use certificates to validate a connection. If a certificate being used for a connection is expired or invalid, then OS X will notify you of this when attempting to use it, and offer you the choice of continuing with the connection, inspecting the certificate, or canceling the connection.
On the new ActivClient window, double click the ‘My Certificates’ icon in the right pane. All the certificates on your CAC should now be listed. The PIV certificate is titled “Authentication” and if selected, it will show a 16-digit number after the user’s name instead of the usual 10-digit DoD ID number on the other certificates.
Set up SSL https://gist.github.com/jonathantneal/774e4b0b3d4d739cbc53
- Out of the box, the self-signed cert appears to pass without complaint only in Safari (good enough for the moment).
- Grab the bundled DoD certificates (the PKCS#7 bundle published by DISA).
- From the README, extract the CAs from the bundle into a single PEM file:

  openssl pkcs7 -in Certificates_PKCS7_v5.0u1_DoD.pem.p7b -print_certs -out DoD_CAs.pem

The generated DoD_CAs.pem will be your CA file referenced from Apache (the SSLCACertificateFile directive in the SSL section below). Check it with `openssl crl2pkcs7 -nocrl -certfile DoD_CAs.pem | openssl pkcs7 -print_certs -noout` if you want to see which root and intermediate CAs it contains before trusting it.
- There are a bunch of other interesting tools: http://iase.disa.mil/pki-pke/Pages/tools.aspx
In a perfect world you will also need to set up and maintain a certificate revocation list (not yet done here); without one, a revoked or lost card is still accepted. The CAC HowTos referenced above have more details on that. The DoD-maintained CRLs are published at https://crl.gds.disa.mil/
This will open up a non-secured port 80 host. It's probably best to point this somewhere that you are not trying to protect with authenticated login, or simply redirect it to the HTTPS host; as it stands, it is wide open.
This SSL section is where all the magic happens for the CAC auth: it is where Apache is told which CAs a client certificate must chain to and that a client certificate is mandatory.
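Since the SSL section itself did not make it onto this page, here is an added example of what it looks like for Apache 2.4 with mod_ssl. This is not the original author's config: the hostname, file paths and the issuer pattern are assumptions, and the CRL directives are left commented out because revocation is not set up yet on this page.

```apache
# Added example (not the page's own config): Apache 2.4 mod_ssl vhost that
# requires a CAC/PIV client certificate chaining to the DoD CAs extracted above.
# cac.example.org, the /etc/apache2/ssl paths and the issuer O= value are
# assumptions for illustration.

# Anything on port 80 is unauthenticated; redirect it instead of serving from it.
<VirtualHost *:80>
    ServerName cac.example.org
    Redirect permanent / https://cac.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName cac.example.org
    DocumentRoot /var/www/cac

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CAs the client certificate must chain to: the DoD_CAs.pem produced by the
    # openssl pkcs7 command above. mod_ssl also advertises these CA names in the
    # CertificateRequest, which is what makes the browser offer the CAC certs.
    SSLCACertificateFile /etc/apache2/ssl/DoD_CAs.pem

    # A CAC chain is root -> issuing CA (e.g. DOD ID CA-nn) -> user cert, so the
    # default SSLVerifyDepth of 1 would reject it.
    SSLVerifyDepth 3

    # "require" fails the handshake if no valid client cert is presented;
    # "optional" would let the request through with no identity at all.
    # Kept at vhost level so it happens in the initial handshake rather than
    # via renegotiation (which TLS 1.3 removed).
    SSLVerifyClient require

    # Revocation (not yet done on this page): concatenate the CRLs fetched
    # from https://crl.gds.disa.mil/ into one PEM file and enable these.
    # SSLCARevocationFile  /etc/apache2/ssl/DoD_CRLs.pem
    # SSLCARevocationCheck chain

    # Expose the certificate fields (SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, ...)
    # to the application as environment variables.
    SSLOptions +StdEnvVars +ExportCertData

    <Location />
        # Authorize on the issuer as well as on chain validity, so a cert from a
        # non-DoD CA that ends up in the bundle by mistake does not get in.
        # The O= value is an assumption; check it against your DoD_CAs.pem.
        Require expr "%{SSL_CLIENT_I_DN_O} == 'U.S. Government'"
    </Location>
</VirtualHost>
```

Once the handshake succeeds, the card holder's DN is available to the application in SSL_CLIENT_S_DN, and SSL_CLIENT_S_DN_CN carries the name plus the ID number that the ActivClient step above shows on the card; that is the value to map to a user, not anything the client sends in a header or form.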
Here are the steps on how to install a CAC reader for Mac:
- Ensure your CAC reader works with Mac
- Check to ensure your Mac accepts the reader
- Check your Mac OS version
- Check your CAC’s version
- Update your DOD certificates
- Guidance for Firefox Users
- Look at graphs to see which CAC enabler to use
Step 1: Purchase a Mac Friendly CAC Reader
Purchase a CAC reader that works for your Mac. There are only a couple that you can choose from and I’ve listed them below.
If you already have a CAC reader and it isn't Mac friendly, you could update the firmware; however, for the non-tech-savvy people out there, it's probably better to just purchase a new one and save the headache. They're only about $11-13.
Best Mac Compatible CAC USB Readers
Best Mac Compatible CAC Desk Readers
Step 2: Plug in and Ensure It’s Accepted
Once you have your CAC reader, plug it into your Mac and ensure your computer recognizes it. If you have one of the CAC readers we suggested above, then you should be good to go.
If for some reason your CAC reader isn't working, you may need to download the appropriate drivers for it. You can find these drivers on the reader manufacturer's website.
Step 3: Update Your DOD Certificates
Now that you have your CAC reader connected and accepted on your Mac, it's time to ensure you have the right certificates installed in order to access DoD CAC-required web pages.
Procedure for Chrome and Safari
- Type ⇧⌘U (Shift + Command + U) to access your Utilities
- Find and Double click “Keychain Access”
- Select “Login” and “All Items”
- Download the following five files and double click each once downloaded so as to install in your Keychain Access.
- When you double-click Mac Root Cert 3 and 4, you'll need to mark them as trusted: open each certificate in Keychain Access, expand the Trust section, and set "When using this certificate" to "Always Trust".
Additional Steps for Firefox
If you’re using Mozilla Firefox as your primary browser, you’re going to need to perform some additional steps. First, perform the same steps that you did for Chrome and Safari. Afterwards, follow these additional steps to get started.
*If you’re having issues downloading the zip file below, try right clicking the link and opening the file in a new tab.
- Download All Certs zip and double click to unzip all 39 files
- While in Firefox, click “Firefox” on the top left, then “Preferences”
- Then Click “Advanced” > “Certificates” > “View Certificates”
- Then Click “Authorities” and then “Import”
- Import each file individually from the "AllCerts" folder. When you do this, a trust dialog will pop up. Check all three boxes and click "OK".
Step 4: Download and install CAC Enabler
Choosing the right CAC enabler can be pretty tricky. It all depends on what OS you have installed, how you installed it, and even what kind of CAC Card you have!
In order to get the right enabler, be sure to visit our trusty guide to Mac CAC Enablers! It’ll walk you through exactly which enabler is right for you.
CAC Access at Home Success
Now that you have a CAC reader, certificates, and a CAC enabler, you should be able to access any CAC-enabled website and log on by selecting the certificate on your CAC and entering your CAC PIN.
Common Reasons Why Your CAC Card Won’t Work On Your Mac
Ensure Your CAC Card Meets the Standards: In order for your CAC card to work, it must meet the minimal requirements. Currently, there are only four types of CAC cards that can be used. To ensure you have the right CAC card for online access, flip your CAC card over and check the top left of the back; if one of the numbers below is written there, then you are good to go:
- G&D FIPS 201 SCE 3.2
- Oberthur ID one 128 v5.5 Dual
- GEMALTO DLGX4-A 144
- GEMALTO TOP DL GX4 144
If you do not have any of the above written on the back, then proceed to your nearest PSD to get a new CAC card issued.