Military Cac For Mac No Client Certificate Presented

20.12.2020

This is a quick guide to getting Apache CAC (or other x509) client certificate authentication enabled. It is directed at Mac, although most of this probably applies to most flavors of Linux. Much of this is attributed to the following references, and for the most part acts as a fill-in-the-gaps for me.

The third certificate is your PIV Identity certificate. This PIV Identity certificate is a different certificate than the DoD Identity certificate you normally see when using ActivClient middleware. This should not impact your Home Use operations. If your CAC is not PIV-II-compliant, no certificates will be listed in the Personal Tab. After the third consecutive attempt, your CAC is 'locked', meaning you will not have access to the PKI certificates.

DoD CAC Smart Cards in a Linux based operating system can be used with a freely available library called “coolkey”. On an Ubuntu operating system the packages added were: libusb-0.1-4, libpcsclite1, libpcsclite-dev, pcscd, and pcsc-tools (the actual command was “sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev.

Password or Client certificate: The user can log in using either the username/password or a valid client certificate. If a valid client certificate is in place, the username and password are not required. The client is asked for a certificate. If a client certificate is supplied, the LoadMaster will check for a match.

Now on the development server I am using a self-signed certificate for SSL, and for the client certificate I am using a CAC cert, as I don't have any other client cert for testing. It shows me the message 403 - Forbidden: Access is denied. Do you know any way to work around this on a development machine? I am sure it will work on production.

In order for your machine to recognize your CAC certificates and DoD websites as trusted, run the InstallRoot utility (32-bit, 64-bit or Non Administrator) to install the DoD CA certificates on Microsoft operating systems. If you’re running an alternate operating system such as Mac OS or Linux, you can import certificates from the PKCS 7 bundle.

HowTo Apache CAC Authentication

CAC Auth Howtos

First get SSL running. A self-signed cert will suffice.

Set up SSL https://gist.github.com/jonathantneal/774e4b0b3d4d739cbc53

  • out of the box, appears to only not complain in Safari [good enough for the moment]
  • Grab the bundled certificates
  • From the README, openssl pkcs7 -in Certificates_PKCS7_v5.0u1_DoD.pem.p7b -print_certs -out DoD_CAs.pem

The generated DoD_CAs.pem will be your CA file referenced from Apache.

  • There are a bunch of other interesting tools: http://iase.disa.mil/pki-pke/Pages/tools.aspx

In a perfect world, you would set up and maintain a revocation list (not yet done). The CAC HowTos referenced above have more details regarding that. The DoD-maintained revocation list, however, is at https://crl.gds.disa.mil/

This will open up a non-secured port 80 host. It's probably best to direct this somewhere that you are not trying to have authenticated login; as it stands, it is wide open.

This SSL section is where all the magic happens for the CAC Auth
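
A minimal mod_ssl virtual host for the CAC client-certificate check described above, as an added example that is not from the original guide. The server name, all file paths, the CRL bundle and the log location are assumptions; DoD_CAs.pem is the file generated by the openssl pkcs7 command earlier.

```apache
# Added example, not the original author's configuration.
# Hostname and every path below are assumptions; adjust to your layout.
<VirtualHost *:443>
    ServerName cac.example.test
    DocumentRoot /var/www/cac

    SSLEngine on
    # Server identity: the self-signed pair from the "get SSL running" step
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CAs accepted for client certificates: the PEM bundle produced by
    # openssl pkcs7 -print_certs from the DoD PKCS#7 file
    SSLCACertificateFile  /etc/apache2/ssl/DoD_CAs.pem

    # Demand a client certificate in the handshake; a client that
    # presents none, or one that does not chain to the bundle, is refused
    SSLVerifyClient require
    # Room for root -> intermediate -> end-entity chains
    SSLVerifyDepth  3

    # Revocation, which the guide lists as not yet done. Assumes the CRLs
    # were downloaded, converted to PEM and concatenated into one file.
    # "chain" checks every certificate in the chain and fails when the
    # CRL for an issuer is missing, so keep this file current.
    SSLCARevocationFile  /etc/apache2/ssl/DoD_CRLs.pem
    SSLCARevocationCheck chain

    # Expose certificate fields to the application and use the subject
    # common name as the authenticated user name
    SSLOptions  +StdEnvVars
    SSLUserName SSL_CLIENT_S_DN_CN

    # Record who authenticated and whether verification succeeded
    CustomLog /var/log/apache2/cac_access.log \
        "%h %t \"%r\" %>s %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\""
</VirtualHost>
```

Run apachectl configtest before reloading. If the browser reports that no client certificate was presented, check that the CA that issued the card's certificate is in the SSLCACertificateFile bundle, since clients normally offer only certificates issued by a CA the server advertises.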

Introduction

The steps for configuring Client side SSL (CSSL) for a SecureAuth appliance setup to validate CAC or PIV Cards

  • Download root/intermediate DOD certificates.
  • Install certificates as administrator.
  • Verify installation of certificates into the local computer's cert store (not the user's)

Installing DOD Certificates

When SecureAuth prompts for a CAC or PIV certificate, your web server is actually matching the client-side SSL certificate against the certificates installed on your SecureAuth appliance. To check these client-side certificates, the root and intermediate certificates must be installed on the appliance. If you have a specific set of root and intermediate certificates, you can install them; if you do not, this is the process to install the DOD root and intermediate certificates on the SecureAuth appliance.

1. Open the browser on the server and navigate to militarycac.com's download section

2. Download 'InstallRoot 3.13.1a from MilitaryCAC'

3. You might be prompted to add militarycac.com to your trusted sites to complete the download

4. Click 'Open' so that the file automatically launches


5. Right-click 'InstallRoot_v3.13.1A' and select 'Run as administrator'

6. At the security warning click 'Yes'

7. Accept the security warning if prompted.

Verify the DOD Certificates were properly installed

1. Click the start menu/SecureAuth/Tools and select 'Certificates Console'

2. Navigate to 'Trusted Root Certification Authorities' and ensure you have the DOD Root CA certificate installed

3. Navigate to 'Intermediate Certificate Authorities' and ensure the intermediate certs are there