Common Access Card

This page explains how to set up Arch to use a US Department of Defense Common Access Card (CAC).

Installation

Install ccid and opensc.

Configuration

Note: You should not have to edit your opensc configuration files by default. Check all other setup items first (e.g. certificate imports).

If your card reader does not have a PIN pad, uncomment enable_pinpad = false in /etc/opensc.conf.

Sometimes opensc struggles to identify the proper driver for a CAC and may choose PIV or something else instead. You can force the CAC driver by setting card_drivers = cac and force_card_driver = cac in /etc/opensc.conf.

Enable pcscd

Start and enable pcscd.socket.

Configure browser

  1. Go to: https://public.cyber.mil/pki-pke/pkipke-document-library/
  2. Download certs: "PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.9" (ZIP Download)
  3. Unzip the DoD PKI zip
  4. Follow browser-specific instructions

Load security device

Navigate to Edit > Preference > Advanced > Certificates > Security Devices and click "Load" to load a module using or .

Import the DoD Certificates

Install the certificates from the mentioned zip file in this order, by going to Edit > Preference > Advanced > Certificates > View Certificates > Authorities > Import (make sure to at least check the box for "Trust this CA to identify websites"):

  1. Certificates_PKCS7_v5.9_DoD.der.p7b
  2. Certificates_PKCS7_v5.9_DoD_DoD_Root_CA_2.der.p7b
  3. Certificates_PKCS7_v5.9_DoD_DoD_Root_CA_3.der.p7b
  4. Certificates_PKCS7_v5.9_DoD_DoD_Root_CA_4.der.p7b
  5. Certificates_PKCS7_v5.9_DoD_DoD_Root_CA_5.der.p7b
  6. Certificates_PKCS7_v5.9_DoD.pem.p7b

Chromium/Google Chrome

1. Add the CAC Module to the NSS DB.

Ensure that your CAC is connected and that Chromium is closed, then enter the following in a terminal:

$ modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/opensc-pkcs11.so

Note: You may see the message 'Failure to load dynamic library'. This can be ignored.

Upon success you will see "Module "CAC Module" added to database."

2. Check if the CAC Module was successfully added with

3. Navigate (in a shell) to the location of the unzipped DoD PKI files and install them via:

 # import every file whose name contains "Chrome" into the NSS DB as a trusted CA
 for n in *Chrome*; do certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$n" -i "$n"; done

or

Re-open Chrome and navigate to Settings > Show Advanced Settings > Manage Certificates > Authorities to load the CA bundle from the PEM-formatted file mentioned above.

4. Verify the authority is in Chrome under Settings > Show Advanced Settings > Manage Certificates > Authorities, then expand "org-U.S. Government"; you should see a number of "DoD" certificates listed.

VMware Horizon Client

Install , , and . Start and enable .

To integrate CAC authentication with the VMware Horizon Client, create the directory and link the pkcs11 library:

# ln -s /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so

Testing

Visit your favorite CAC-secured web page and you should be asked for the Master Password for your certificate. Enter it, and if you get in, you know it is working.

If some sites or pages do not seem to work correctly (e.g. Outlook Web Access will not authenticate the session for DoD webmail), try a private/incognito session to test the validity of the certificate chain and remove some variables.

If you would like to manually query the certificates on a PIN-enabled CAC/smart card, use the following command:

p11tool --login --provider=/usr/lib64/pkcs11/opensc-pkcs11.so --list-all-certs -d 100

Debugging

opensc-tool

Most of this information was found in a blog post by Firas Kraïem.

Verify opensc can see your reader:

List plugged in card:

List plugged in card and driver in use:

$ opensc-tool --reader 0 --name -v
Connecting to card in reader Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00...
Using card driver Personal Identity Verification Card.
Card name: Personal Identity Verification Card
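The output above shows opensc falling back to the PIV driver, the situation the Configuration section says to fix by forcing the cac driver. The following script is an added example, not part of the wiki page: it parses the "Using card driver" line of opensc-tool output and checks whether /etc/opensc.conf (or any file you pass in) has both card_drivers = cac and force_card_driver = cac set on uncommented lines. The driver name "Common Access Card" printed for the cac driver is an assumption; the PIV name is the one shown above.

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page).

# Report which card driver opensc picked, given the text printed by
# `opensc-tool --reader 0 --name -v`: prints "cac", "piv" or "unknown".
driver_from_output() {
    line=$(printf '%s\n' "$1" | grep '^Using card driver' | head -n 1 || :)
    case "$line" in
        *"Common Access Card"*)             echo cac ;;     # assumed cac driver name
        *"Personal Identity Verification"*) echo piv ;;     # fallback seen on the page
        *)                                  echo unknown ;;
    esac
}

# Return 0 when the given opensc.conf sets both card_drivers = cac and
# force_card_driver = cac on uncommented lines (a trailing ';' is allowed),
# 1 otherwise. A commented-out line does not count.
conf_forces_cac() {
    conf="$1"
    for key in card_drivers force_card_driver; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*cac[[:space:];]*$" \
            "$conf" 2>/dev/null || return 1
    done
    return 0
}

# Stand-alone use against the live system; both calls are guarded so the
# script still runs where opensc-tool or /etc/opensc.conf is missing.
out=$(opensc-tool --reader 0 --name -v 2>&1 || :)
echo "driver in use: $(driver_from_output "$out")"
if conf_forces_cac /etc/opensc.conf; then
    echo "/etc/opensc.conf forces the cac driver"
else
    echo "/etc/opensc.conf does not force the cac driver (see Configuration)"
fi
```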

pcsc-tools

Another option is . The program may be helpful.


See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.