DoD CA Certificates on your Mac

CAC access to secure web sites for Mac OS

Postby michaelwolfe » Wed Feb 27, 2013 3:45 pm

With the DoD's recent migration to enterprise email, we have noticed that the certificates stored locally are playing a bigger role. If these certificates aren't in the proper location, or do not exist, you may not be able to authenticate properly. Below is an example of the DoD certificates in my Keychain Access (/Applications/Utilities). In my Login Keychain, I have DoD CA and DoD EMAIL CA certificates that correspond with the certificates on a CAC or PIV card. In my System Keychain I have the DoD Root CA 2 certificate. This is the master CA at the top of the hierarchy of CAs and must only reside in your System Keychain. Any other instances of this certificate may cause an authentication issue. If you do not have the proper certificates for your card or the Root CA 2, attached is a zip file that contains the current DoD CA certificates that you may install into your Login Keychain. If you have any questions, feel free to ask.

DoD Keychain.png


--Michael
Attachments
Certs.zip
Last edited by michaelwolfe on Wed May 08, 2013 8:54 am, edited 2 times in total.
Reason: New information regarding certificates due to dod migration to enterprise servers.
michaelwolfe
 
Posts: 310
Joined: Fri Feb 17, 2012 11:49 am
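The placement rule in the post above (DoD Root CA 2 in the System Keychain only, with no other copies) can be checked from Terminal. This is an added example, not part of the original post or of PKard; the keychain paths, the `"labl"<blob>=` line format of `security find-certificate` output, and the verdict names are assumptions, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the forum post): check where "DoD Root CA 2" lives.
CERT_NAME="DoD Root CA 2"

# Count certificates labelled exactly $1 in `security find-certificate -a`
# output read from stdin. Assumes the usual  "labl"<blob>="..."  attribute line.
count_labelled() {
    grep -c -F "\"labl\"<blob>=\"$1\"" || true
}

# $1 = copies in the System keychain, $2 = copies in the login keychain.
placement_verdict() {
    if [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then echo "WRONG_KEYCHAIN"
    elif [ "$1" -eq 0 ]; then echo "MISSING"
    elif [ "$2" -gt 0 ]; then echo "DUPLICATE_IN_LOGIN"
    elif [ "$1" -gt 1 ]; then echo "DUPLICATE_IN_SYSTEM"
    else echo "OK"
    fi
}

# Constructed sample of a login-keychain listing holding a stray root copy.
SAMPLE_LOGIN='keychain: "/Users/example/Library/Keychains/login.keychain"
    "alis"<blob>="DoD Root CA 2"
    "labl"<blob>="DoD Root CA 2"
keychain: "/Users/example/Library/Keychains/login.keychain"
    "alis"<blob>="DOD CA-XX"
    "labl"<blob>="DOD CA-XX"'

list_certs() {  # $1 = keychain path; needs the macOS `security` tool
    security find-certificate -a -c "$CERT_NAME" "$1" 2>/dev/null || true
}

if command -v security >/dev/null 2>&1; then
    login_kc="$HOME/Library/Keychains/login.keychain-db"   # assumed path
    [ -e "$login_kc" ] || login_kc="$HOME/Library/Keychains/login.keychain"
    sys=$(list_certs /Library/Keychains/System.keychain | count_labelled "$CERT_NAME")
    login=$(list_certs "$login_kc" | count_labelled "$CERT_NAME")
else
    # Not on a Mac: demonstrate the logic on the constructed sample instead.
    sys=1
    login=$(printf '%s\n' "$SAMPLE_LOGIN" | count_labelled "$CERT_NAME")
fi
echo "System: $sys, login: $login -> $(placement_verdict "$sys" "$login")"
```

Any verdict other than `OK` points at the keychain to inspect in Keychain Access before retrying a CAC login.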

Re: DoD CA Certificates on your Mac

Postby popegirlie » Fri Feb 21, 2014 2:31 am

I just bought the IOGEAR CAC card reader, I plugged it in and the lights turn on, but I can't go to the sites and log in via CAC. I don't know what I need to install or even how to check/view my certificates. Help me Please!!!
popegirlie
 
Posts: 1
Joined: Fri Feb 21, 2014 2:27 am

Re: DoD CA Certificates on your Mac

Postby michaelwolfe » Fri Feb 21, 2014 11:27 am

PopeGirlie,

Which iOGear reader are you using? The most popular one that we see is the GSR 202, which requires a specific firmware in order to be Mac compatible. To see the card reader's firmware version, open the Mac's System Information by clicking the Apple in the upper left corner of your screen, press and hold Option, and "About this Mac" should change to "System Information". Under Hardware, click on USB; to the right under USB Device Tree you should see "EMV Smartcard reader". Click on this, and in the section below the device tree you should see details about the reader. The number that is important is the Version number. If the version number is not 1.02, then you will need to use a Windows computer in order to update the reader: http://militarycac.com/iogear.htm.

Which version of the Mac OS are you using? Also, were you able to complete the install of PKard for Mac?

Michael

Re: DoD CA Certificates on your Mac

Postby se7en » Mon Mar 03, 2014 5:44 pm

I don't get it, my computer will not recognize any certs. I made sure mine look exactly like the pic above (it wasn't and had to change it) and none of the websites can see my certs...
se7en
 
Posts: 1
Joined: Mon Mar 03, 2014 5:42 pm

Re: DoD CA Certificates on your Mac

Postby michaelwolfe » Mon Mar 03, 2014 5:49 pm

se7en,

Do you have PKard for Mac installed, and were you able to complete the Setup Assistant? While in Keychain Access, do you see your name above the Login Keychain? When you attempt to log into a CAC website, are you prompted with a drop down list of certificates, or a PIN number?

The certificates that are displayed in this forum entry are not your CAC certificates, but the certificate authority server certificates. Having these certificates in your local keychain can help validate any certificate that has been signed by the authority.

Michael

Re: DoD CA Certificates on your Mac

Postby rsteinbacher » Wed Mar 12, 2014 8:16 am

Hello and thank you for your help. I am having issues with the certificates when trying to access the AKO site. PKard is installed and working (bookmarks are available), using the SCR331 reader which is working.

This is the error

https://www.dropbox.com/s/iz7iqfk9mylgh5f/Screen%20Shot%202014-03-12%20at%208.28.55%20AM.png

These are the certificates, some with a red X

https://www.dropbox.com/s/x1uv840j8an8a53/certs.jpg

Please help... Deploying this Saturday
rsteinbacher
 
Posts: 3
Joined: Wed Mar 12, 2014 7:41 am

Re: DoD CA Certificates on your Mac

Postby michaelwolfe » Wed Mar 12, 2014 8:34 am

rsteinbacher,

Please make sure that your CAC card is in the reader prior to opening Safari, and that you are logging in through www.us.army.mil.

The items with the red X are Identity Preferences, and the red X means that the certificate associated with that preference is not available. The purpose of the preference is to make authenticating with that website faster as it has saved the desired certificate with the website. If you feel that you may have chosen the wrong certificate, delete the preference, restart Safari, and choose the first DOD CA-XX certificate in the list.

Please let us know if you continue to have trouble.

Michael

Re: DoD CA Certificates on your Mac

Postby rsteinbacher » Wed Mar 12, 2014 8:47 am

Thank you for your quick reply. I'll try your suggestion, but I have a question regarding the below. Are you referring to "re-setting safari" or going into the preferences folder and deleting specific files?

delete the preference, restart Safari

Re: DoD CA Certificates on your Mac

Postby michaelwolfe » Wed Mar 12, 2014 8:54 am

Rsteinbacher,

I was referring to the items with the red X within Keychain Access called Identity Preferences.

Michael

Re: DoD CA Certificates on your Mac

Postby rsteinbacher » Wed Mar 12, 2014 10:07 am

Problem resolved... Ran a certificate repair and then discovered via PKard Support that when Safari requested the password for the certificate, it is NOT asking for the administrator password, instead it is looking for the PIN associated with the Card. Got right in to the site no problem. :D
