Re: Firefox fails to authenticate .mil sites with New DoD CAC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Thu, 2014-12-04 at 11:30 -0500, m.roth@xxxxxxxxx wrote:
> Cal Webster wrote:
> > On Thu, 2014-12-04 at 08:08 -0500, mark wrote:
> >> On 12/03/14 17:34, Cal Webster wrote:
> >> > Can anyone help with getting the new DoD CACs (Smart Card) to work in
> >> > CentOS 6.6? I don't use it for console logins, only for email and .mil
> >> > web sites.
> >> >
> >> > I recently had to get a new DoD CAC (Smart Card) when one of the
> >> > buildings I work in upgraded their security system. My old CAC was
> >> > working fine prior to this for signing and encrypting email and for
> >> > authenticating to various DoD (.mil) sites from the Internet using the
> >> > coolkey libraries.
> >>
> >> Dunno 'bout the new CaC keys, but they "upgraded" our PIV cards to 128?
> >> 256? I forget, earlier this year, and I *think* I remember my manager
> pushing
> >> an enhancement on upstream, and since then we've had no trouble with
> >> coolkey accessing them. The two *should* be identical.
> >
> > Was source for this upstream enhancement released to the community? Not
> 
> Yup. We have a few RHEL licenses, so he could push for the enhancement. It
> was released, and we were using it with CentOS 6.5.

It must have been in the coolkey-1.1.0-32 update.

Build Date: Wed 15 Oct 2014 11:11:10 AM EDT
Install Date: Wed 29 Oct 2014 05:04:04 AM EDT

> > sure what you meant by "The two" - you mean coolkey and cackey?
> 
> Nope. We don't use cackey.
> >
> >> <snip>
> >> > I've tried installing and loading the latest "cackey" libraries (see
> >>
> >> I know nothing about cackey libraries, but it's possible that, and pcscd
> >> are arguing.
> >>
> >> I don't see pcscd installed.
> >
> > pcsc-lite-1.5.2-14.el6.x86_64 (listed on original post) contains pcscd.
> > Sure that's possible but I see nothing to support that in the system
> > logs
> 
> Watch out that opensc that *doesn't* come with pcscd isn't loaded. Oh,
> also, new card - do you have a new CA chain? Is that installed?
> <snip>
> 
>       mark, who has a new card a few weeks ago, and had to deal with the
>                 CA change from Verizon to Entrust....

Yes, I learned to avoid opensc years ago when we first setup the CACs.

A missing CA cert turned out to be the problem. I checked after Jason
Pyeron was kind enough to mention "MAIL CA-32" listed on my CAC cert
lookup. Sure enough, it was missing in the Firefox CA store but present
in the Thunderbird store. This explains why I could sign and encrypt
email but not access .mil web sites. When I used the dod_configuration
mozilla add-on to update the certs I assumed it would get them all.
Apparently not. In fact, I think it deleted this cert because I recorded
everything on my previous CAC before getting the new one. It was also
using CA-32. I ended up just exporting the cert from Thunderbird and
importing it into Firefox.

./Cal


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux