CAC/ECA card Site Access Setup

This page contains instructions on how to configure your system and web browser to use the PKI certificates contained on your CAC/ECA card for web site login and personal identity confirmation. Different operating systems and browsers have different processes to prepare for the use of these certificates.

System and Web Browser Setup (Windows)

You will need:
  • Your PKI certificate (usually contained on your CAC/ECA card)
  • A card reader
  • Middleware (if necessary, depending on your operating system version)


Some of these configuration steps may have already been accomplished by your System Administrator:

  1. Obtain and install a card reader.
    Work with your organization to obtain a card reader for your system.
  2. Install middleware, if necessary.
    If not already installed by your System Administrators, you may need additional middleware. Middleware enables the PKI certificates stored on your card to interface with the many Public Key Enabled (PKE) applications on your system and across the Internet. Two of the most common middleware applications used across the DoD are ActivClient and 90meter.

    Please contact your local helpdesk for more information on the middleware requirements for your organization.
  3. Install DoD root certificates with latest InstallRoot tool.
    In order for your machine to recognize your PKI certificates and DoD websites as trusted, run the InstallRoot utility to install the DoD CA certificates.
    Use the instructions on installing and using the InstallRoot application in the InstallRoot User Guide.
  4. Make certificates available to your browser, if necessary.
    Different browsers have different processes to prepare them for the use of your certificates. Major browser types have been broken out into separate sections.

    Internet Explorer

    To Configure Internet Explorer to Use PKI Certificates:

    All that should be required to allow Internet Explorer to use your certificates is to verify that your certificates are already available to the browser.

    1. Open Internet Explorer and then open its options, either by using the menu and going to "Tools" --> "Internet Options", or using the method shown in the screenshot below.

      Screenshot - IE Internet Options
    2. Click on the "Content" tab and then click on the "Certificates" button.

      Screenshot - IE Click Certificates
    3. On the Personal tab, review the list of certificates to determine if your certificates are in the list.
    4. If your certificates appear in the list, you are finished. If the certificates do not appear in the list, please ensure that middleware is installed correctly.

    Firefox

    Install Certificates Using InstallRoot (If Necessary)

    If your certificates were not installed for Firefox during your previous use of the InstallRoot utility, follow these steps.
    1. Open the InstallRoot tool. If you have not already added the Firefox certificate store to InstallRoot, the tool will discover your store and prompt you to add it.

      Screenshot - Add Firefox Certificate Store
    2. Click "Yes" to add the NSS Store to the InstallRoot management interface.
    3. In the InstallRoot interface, select the "Firefox" tab and verify that "Install DoD Certificates" is enabled, as indicated by a green checkmark. If it is not, enable it by right-clicking on the text and selecting "Subscribe".
    4. Close the Firefox browser.

      NOTE: The Firefox certificate store cannot be modified while the application is running.
    5. In the InstallRoot interface, click the "Install Certificates" button.

      Screenshot - Install Certificates
    6. Finally, click the "OK" button to complete the process.

    To Configure Firefox to Use PKI Certificates:

    There are different processes that may be required to configure Firefox to be able to use your certificate depending on the middleware and its version being used. Instructions will be provided for two of the most common middleware applications used across the DoD, ActivClient and 90meter.

    For assistance with the procedures required when using other types of middleware, contact your local helpdesk or System Administrator.

    Using ActivClient Middleware

    As of version 6.2, ActivClient by default configures Firefox to accept the certificates without any additional configuration. Use the following instructions to verify that it has been installed properly, or, if you are using an older version of ActivClient, to complete the configuration.

    1. Open Firefox and then open its options, either by using the menu and going to "Tools", then "Options", or using the method shown in the screenshot below.

      Screenshot - Firefox Options
    2. Select the "Advanced" icon on the left side menu, and click the "Certificates" tab option.

      Screenshot - Firefox Options Advanced
    3. Ensure that the checkbox next to "Query OCSP responder servers to confirm the current validity of certificates" is checked.
    4. Next, click on the "Security Devices" button.
    5. Click the "Load" button on the right.

      Screenshot - Firefox Device Manager
    6. For the "Module Name", you can enter something similar to "ActivClient".
    7. For "Module Filename", browse to the location of the ActivClient PKCS#11 library file (acpkcs211.dll for ActivClient 6.2; acpkcs201-ns.dll for 6.1 and earlier):
      ActivClient 6.2 (typical location):   C:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
      ActivClient 6.1 and earlier (typical location):   C:\Windows\system32\acpkcs201-ns.dll

      Screenshot - Firefox Load Device
    8. Click the "OK" button at the "Load PKCS#11 Device" window, and finally click the last "OK" button to confirm the install of this security module.
    9. The confirmation message will show that the new security device was loaded. The certificates can now be used with the browser. Click the "OK" button to close the window.

    Using 90meter Middleware

    1. Open Firefox and then open its Add-ons, either by using the menu and going to "Tools", then "Add-ons", or using the method shown in the screenshot below.

      Screenshot - Firefox Add-ons
    2. Select "Extensions" on the left side menu and then click the "Enable" button on the "90meter PKCS11 Support Extension 1.4.0.0" extension.

      Screenshot - Firefox 90meter PKCS11 Support Extension
    3. Click the "Restart now" link to restart Firefox.

    Chrome

    To Configure Google Chrome to Use PKI Certificates:

    All that should be required to allow Chrome to use your certificates is to verify that your certificates are already available to the browser.

    1. Open Chrome and then open its settings by clicking the menu icon on the top right of the window and selecting "Settings".

      Screenshot - Chrome Open Settings
    2. Scroll to the bottom of the settings and click the "Show advanced settings..." link.

      Screenshot - Chrome Advanced Settings
    3. Scroll further down the settings and click the "Manage Certificates" button under the HTTPS/SSL heading.
    4. On the Personal tab, review the list of certificates to determine if your certificates are in the list.
    5. If your certificates appear in the list, you are finished. If the certificates do not appear in the list, please ensure that middleware is installed correctly.

System and Web Browser Setup (Mac OS X)

You will need:
  • Your PKI certificate (usually contained on your CAC/ECA card)
  • A card reader


Some of these configuration steps may have already been accomplished by your System Administrator:

  1. Obtain and install a card reader.
    Typically Macs do not come with card readers and therefore an external card reader is necessary. Work with your organization to obtain a card reader for your system.
  2. Download and install the OS X Smartcard Services package.
    The OS X Smartcard Services Package allows a Mac to read and communicate with a smart card. In order for your machine to recognize your card's certificates and DoD websites as trusted, the installer will load the DoD CA certificates on OS X.

    Installation Instructions

    Smartcard Services Installation Instructions for Mac OS X versions 10.7 and Later

    1. Download the installer for your version of OS X from the Installers section of http://smartcardservices.macosforge.org/trac/wiki/installers (NIPR ONLY LINK).
    2. Unzip the installer.
    3. Launch the unzipped (.pkg) installer.
    4. Click "Continue" through the Introduction section.
    5. Click "Continue" through the Read Me section.
    6. On the Destination Select screen, select "Install for all users of this computer" and click "Continue".
    7. Click "Continue" and then click "Install" on the Installation Type screen.
    8. Enter your password and click "Install Software" to complete the installation.
    9. Click "Close" to close the installer.

    Smartcard Services Installation Instructions for Mac OS X versions 10.6 and Below

    The Smartcard Services software is already included in OS X 10.6 and below. However, the SystemCACertificates Keychain may still need to be loaded into Keychain Access. To ensure this has been done, please follow these instructions:

    1. Navigate in Finder to "Go" --> "Utilities" and launch Keychain Access.app.
    2. If the SystemCACertificates keychain is loaded in Keychain Access, you are finished. If the SystemCACertificates keychain is not shown, continue with Steps 3 and 4.

      Screenshot - Mac Keychain Access
    3. From Keychain Access "File" --> "Add Keychain".
    4. Select "Hard Disk" from the drop-down menu and navigate to "System" --> "Library" --> "Keychains" --> "SystemCACertificates.keychain". Select Add.


    Note: CACs and other PKI tokens are currently made of different kinds of card stock. To determine what card stock you have, look at the back of your card above the magnetic strip. Most are supported by the Smartcard Services package, however Oberthur ID One 128 v5.5 CACs are not. Third party middleware is available that will support these tokens; two such options are Thursby Software’s PKard and Centrify’s Express for Smart Card.

  3. Address the cross-certificate chaining issue.
    If required, use the instructions below to adjust the trust settings on the Interoperability Root CA (IRCA) > DoD Root CA 2 and the US DoD CCEB IRCA 1 > DoD Root CA 2 cross certificates to prevent cross-certificate chaining issues. Cross-certificate chaining can make it appear that your certificates are issued by roots other than DoD Root CA 2 and can prevent access to DoD websites.

    Cross-certificate Chaining Resolution Instructions

    Installing the DoD Root CA 2 Certificate

    1. Navigate in Finder to "Go" --> "Utilities" and launch Keychain Access.app.
    2. In the Keychain Access window, select the "Login" keychain on the left hand side.
    3. Download and unzip the PKCS7 certificate bundle for DoD (NIPR ONLY LINK).
    4. From Keychain Access.app:
      1. Select "File" --> "Import Items".
      2. Navigate to the unzipped PKCS7 certificates folder.
      3. Select "DoD_PKE_CA_chain.pem" and select "Open". Enter your password if prompted.

    Removing the Cross Certificates

    Because both cross certificates and the DoD Root CA 2 certificate have the same Subject Key Identifier, the cross certificates will need to be removed from the login keychain.

    1. Navigate in Finder to "Go" --> "Utilities" and launch Keychain Access.app.
    2. In the Keychain Access window, select the "Login" keychain on the left hand side.
    3. Scroll through the list of certificates to find each DoD Root CA 2 certificate with the blue certificate icon pictured below. (If these certificates are not present in the login keychain skip to the next section.)

      Screenshot - Mac Remove Cross Certificates Cert List
    4. Right-click on each certificate in Keychain Access and select "Get Info".
    5. Verify that the issuer common name field lists either "DoD Interoperability Root CA 1" (as shown on the image below) or "US DoD CCEB Interoperability Root CA 1".

      Screenshot - Mac Remove Cross Certificates Cert List
    6. Delete each certificate by right-clicking on it in Keychain Access and selecting "Delete" (enter your password if prompted).

    Marking the Cross Certificates as Untrusted

    Now each cross certificate needs to be loaded back into the login keychain and marked as untrusted.

    1. Navigate in Finder to "Go" --> "Utilities" and launch Keychain Access.app.
    2. In the Keychain Access window, select the "Login" keychain on the left hand side.
    3. Download and extract the Certificates_PKCS7_v4.1_DoD.zip file containing both cross certificates to your desktop (NIPR ONLY LINK).
    4. Double-click on each certificate on your desktop, select "Login", and click "OK" (Enter your password if prompted).
    5. Scroll through the list of certificates for the DoD Root CA 2 certificates with the blue icons as pictured below.

      Screenshot - Mac Untrust Certificates Cert List
    6. Right-click on each certificate in Keychain Access and select "Get Info".
    7. Click the arrow next to "Trust" to expand the menu.
    8. Next to "When using this certificate" select "Never Trust" from the drop-down menu.

      Screenshot - Mac Remove Cross Certificates Cert List
    9. Delete each certificate by right-clicking on it in Keychain Access and selecting "Delete" (enter your password if prompted).

    Ensuring your PKI Certificates are Trusted

    1. Navigate in Finder to "Go" --> "Utilities" and launch Keychain Access.app.
    2. In the Keychain Access window, select your certificate on the left hand side.
    3. Click on one of the certificates on your card and verify that it has a green check mark indicating that it is valid (see image below).

      Screenshot - Mac Trust Certificates Info
  4. Configure Chrome and Safari, if necessary.
    Safari and Google Chrome rely on Keychain Access properly recognizing your certificates.

    1. Navigate in Finder to "Go" --> "Utilities" and launch Keychain Access.app.
    2. Verify that your certificates are recognized and displayed in Keychain Access.

      Screenshot - Mac Keychain Access
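The cross-certificate chaining issue from step 3 of the Mac OS X section, as an added example that is not part of the original page: a small Python path builder with constructed certificate stand-ins (only subject, issuer, SKI and AKI are modelled; the issuing CA and card holder names are placeholders) shows how the two cross certificates, which share DoD Root CA 2's Subject Key Identifier, give the chain extra endings at the interoperability roots, and how marking them "Never Trust" leaves DoD Root CA 2 as the only anchor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # Subject Key Identifier, derived from the certificate's public key
    aki: str  # Authority Key Identifier, the SKI of the key that signed it

# Constructed stand-ins. Both cross certificates carry the DoD Root CA 2 public
# key (so they share its SKI) but are signed by the interoperability roots.
DOD_ROOT_CA_2 = Cert("DoD Root CA 2", "DoD Root CA 2", "SKI-DOD2", "SKI-DOD2")
CROSS_IRCA = Cert("DoD Root CA 2", "DoD Interoperability Root CA 1", "SKI-DOD2", "SKI-IRCA1")
CROSS_CCEB = Cert("DoD Root CA 2", "US DoD CCEB Interoperability Root CA 1", "SKI-DOD2", "SKI-CCEB1")
IRCA1 = Cert("DoD Interoperability Root CA 1", "DoD Interoperability Root CA 1", "SKI-IRCA1", "SKI-IRCA1")
CCEB1 = Cert("US DoD CCEB Interoperability Root CA 1", "US DoD CCEB Interoperability Root CA 1", "SKI-CCEB1", "SKI-CCEB1")
ISSUING_CA = Cert("Issuing CA (constructed)", "DoD Root CA 2", "SKI-ISSUING", "SKI-DOD2")
CARD_CERT = Cert("Card holder (constructed)", "Issuing CA (constructed)", "SKI-CARD", "SKI-ISSUING")

# The login keychain after the PKCS7 bundle import: roots plus both cross certificates.
KEYCHAIN = [DOD_ROOT_CA_2, CROSS_IRCA, CROSS_CCEB, IRCA1, CCEB1, ISSUING_CA]

def build_chains(leaf, keychain, never_trust=frozenset()):
    """Return every issuer path from leaf up to a self-signed certificate.

    Issuer lookup is by AKI == SKI, so the real root and both cross certificates
    all match the same AKI. Certificates in never_trust stay in the keychain but
    are skipped, which is what "Never Trust" in Keychain Access achieves.
    """
    chains = []

    def walk(path):
        current = path[-1]
        if current.subject == current.issuer and current.aki == current.ski:
            chains.append(path)  # reached a self-signed anchor
            return
        for cand in keychain:
            if cand.ski == current.aki and cand not in path and cand not in never_trust:
                walk(path + [cand])

    walk([leaf])
    return chains

def trust_anchors(chains):
    """Sorted subjects of the self-signed certificates the chains end in."""
    return sorted({chain[-1].subject for chain in chains})

if __name__ == "__main__":
    untrusted = frozenset({CROSS_IRCA, CROSS_CCEB})
    print("before:", trust_anchors(build_chains(CARD_CERT, KEYCHAIN)))
    print("after: ", trust_anchors(build_chains(CARD_CERT, KEYCHAIN, untrusted)))
```

Before the fix the card certificate chains to three different anchors; after it, only to DoD Root CA 2.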

System and Web Browser Setup (Linux)

You will need:
  • Your PKI certificate (usually contained on your CAC/ECA card)
  • A card reader
  • Middleware


Some of these configuration steps may have already been accomplished by your System Administrator:

  1. Obtain and install a card reader.
    Work with your organization to obtain a card reader for your system.
  2. Install middleware, if necessary.
    You will need middleware for Linux to communicate with your PKI certificate. The CoolKey PKCS#11 module provides access to the certificates and can be installed using Linux package management commands.

    • For Debian-based distributions, use the command apt-get install coolkey
    • For Fedora-based distributions, use the command yum install coolkey. The CoolKey PKCS#11 module version 1.1.0 release 15 ships with RHEL 5.7 and above, and is located at /usr/lib/pkcs11/libcoolkeypk11.so.
  3. Configure Firefox to trust the DoD PKI and use your certificates.
    To configure Firefox to communicate with your certificates, follow the instructions below to install the DoD root and intermediate CA certificates into the Firefox NSS trust store, load the CoolKey library, and ensure the Online Certificate Status Protocol (OCSP) is used to perform revocation checking.

    Instructions

    Install the DoD Root and Intermediate CA Certificates

    1. Download the InstallRoot 3.x A (NIPR ONLY LINK) package containing the DoD CA certificates. Save the package locally. Extract the zip file and navigate within the extracted directory structure to InstallRoot_A --> PKCS7.
    2. Open Firefox and then open its preferences using the menu bar by clicking "Edit" --> "Preferences"

      Screenshot - Linux Firefox Open Preferences
    3. In the Preferences window, go to "Advanced" --> "Certificates" --> "View Certificates".
    4. Select the "Authorities" tab and click the "Import..." button.

      Screenshot - Linux Firefox Cert Authorities
    5. In the Import window, change the file type to "All Files" and then select "InstallRoot_PKCS7_v<version>.der.p7b" from the PKCS7 folder within the extracted InstallRoot directory. Click the "Open" button.
    6. In the Downloading Certificate window, check the following three checkboxes to trust the DoD Root CA 2 Certificate Authority:

      • Trust this CA to identify websites
      • Trust this CA to identify email users
      • Trust this CA to identify software developers
    7. Click the "OK" button.

      NOTE: All root and intermediate certificates will be imported. These certificates will show up under the "U.S. Government" heading in the Certificate Manager. To verify the root certificate authority is trusted, select "DoD Root CA 2" and click the "Edit Trust..." button. All three checkboxes should be checked.
    8. Click the "OK" button to close the Certificate Manager window.
    9. Click the "Close" button to close the Firefox Preferences window.

    Load the CoolKey Library into Firefox

    1. In Firefox, open its preferences using the menu bar by clicking "Edit" --> "Preferences".
    2. In the Preferences window, go to "Advanced" --> "Certificates" and click the "Security Devices" button.
    3. In the new window, click the "Load" button.
    4. Enter "CoolKey Module" as the Module Name.
    5. Click the "Browse" button to the right of the Module filename field. Browse to the location of the CoolKey PKCS#11 library and select "libcoolkeypk11.so". The library is typically located at /usr/local/lib/pkcs11/libcoolkeypk11.so (on RHEL 5.7 and above it ships at /usr/lib/pkcs11/libcoolkeypk11.so, as noted in step 2).

      Screenshot - Linux Firefox Cert Authorities
    6. Click "OK", and then click "OK" again in the confirmation window.
    7. The confirmation message will show that the CoolKey security device was loaded. Your PKI certificates can now be used with the browser. Click the "OK" button to close the window.
    8. To ensure OCSP is used to perform revocation checking, in the Preferences window click the "Validation" button under the "Advanced" --> "Certificates" tab.
    9. Ensure both of the following options are checked:

      • Use the OCSP to confirm the current validity of certificates
      • When an OCSP server connection fails, treat the certificate as invalid


      Screenshot - Linux Firefox Certificate Validation
    10. Click the "OK" button to close the Certificate Validation window.
    11. Click the "Close" button to close the Firefox Preferences window.
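The OCSP settings from steps 8 and 9 above (and the matching "Query OCSP responder servers" checkbox in the Windows ActivClient section), as an added example that is not from the original page: Python that audits a Firefox profile's prefs.js or user.js for the two preferences behind those checkboxes, security.OCSP.enabled and security.OCSP.require, and emits user.js lines that enforce hard-fail revocation checking. The sample prefs content is constructed.

```python
import re

# One user_pref("name", value); line per preference, as Firefox writes them.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# What the two checkboxes in the Certificate Validation window correspond to:
#   "Use OCSP to confirm the current validity of certificates"  -> security.OCSP.enabled = 1
#   "When an OCSP server connection fails, treat the
#    certificate as invalid" (hard-fail)                         -> security.OCSP.require = true
REQUIRED = {"security.OCSP.enabled": "1", "security.OCSP.require": "true"}

def parse_prefs(text):
    """Return {pref_name: raw_value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def audit_ocsp(text):
    """List the required prefs that are missing or not set to the hard-fail value."""
    prefs = parse_prefs(text)
    return [name for name, want in REQUIRED.items() if prefs.get(name) != want]

def enforce_ocsp(text):
    """Return prefs content with both OCSP prefs set to the values the page asks
    for, leaving every other line untouched (suitable for writing to user.js)."""
    kept = [line for line in text.splitlines()
            if not any(f'"{name}"' in line for name in REQUIRED)]
    kept += [f'user_pref("{name}", {value});' for name, value in REQUIRED.items()]
    return "\n".join(kept) + "\n"

# Constructed sample: OCSP querying is on, but a failed responder connection is
# silently ignored (soft-fail), which step 9 tells you to turn off.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", false);
"""

if __name__ == "__main__":
    print("non-compliant prefs:", audit_ocsp(SAMPLE_PREFS))
    print(enforce_ocsp(SAMPLE_PREFS))
```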