I'm attempting to create a local web server using Flask, a Python microframework, that uses the PKI certificates on a DoD CAC.
I've created the self-signed root CA and server certificate and key following this set of instructions. I then downloaded the necessary CA files from here which were:
- DOD ID CA-49
- DOD EMAIL CA-50
From there I've loaded up the following basic "hello world" application:
import ssl
from flask import Flask

app = Flask(__name__)


@app.route("/")
def main():
    return "Hello World"


if __name__ == '__main__':
    # Generic TLS context; verify_mode=CERT_REQUIRED makes the server demand a
    # client certificate, which is what triggers the browser's CAC prompt.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Trust anchor(s) used to verify the client certificate the CAC presents.
    ctx.load_verify_locations('DODIDCA_49.pem')
    # The server's own certificate and private key (self-signed root + leaf).
    ctx.load_cert_chain('localhost.crt', 'localhost.key')
    app.run(ssl_context=ctx)
This runs on https://127.0.0.1:5000/ and when I visit it through Microsoft Edge it prompts me for my CAC credentials (I can pick either certificate to use and enter my PIN). Once my PIN is input, the page reloads and says the website is not secure. If I remove the verify_mode and load_verify_locations lines, I'm no longer prompted for my CAC credentials and the website loads and prints the text.
I want the previous sequence, which requires me to pick a valid credential, but I cannot figure out how to get the browsers to trust the server certificate in conjunction with the DoD CAs provided.
How can I accomplish this on Windows 10?
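The setup above involves two independent trust decisions that are easy to conflate: the browser must trust the server certificate (the self-signed root has to be in the Windows trust store and the leaf needs a subjectAltName for localhost), and the server must be able to build the CAC certificate's chain all the way to a self-signed root it has been told to trust. An intermediate such as DOD ID CA-49 on its own is not a trust anchor for OpenSSL unless partial-chain verification is enabled, so the handshake fails and the browser shows an error page instead of the app. The following is an added example, not code from the original post: it builds a single PEM bundle from the DoD root and intermediates, creates a server-side context that requires a client certificate, and reads the presented certificate inside the request handler. File names (DoDRoot.pem, DODEMAILCA_50.pem, dod_ca_bundle.pem) are assumed, as is the Werkzeug 2.x development server exposing the raw socket under the environ key werkzeug.socket.

```python
"""Mutual TLS for a Flask dev server: server cert + DoD CAC client certs.

Added example; file names and the werkzeug.socket environ key are assumptions.
"""
import ssl
from pathlib import Path

# Assumed file names (not from the original post). The DoD PKI bundle ships
# as DER .cer files; convert them to PEM before using them here.
SERVER_CERT = "localhost.crt"
SERVER_KEY = "localhost.key"
DOD_CA_FILES = ["DoDRoot.pem", "DODIDCA_49.pem", "DODEMAILCA_50.pem"]
CA_BUNDLE = "dod_ca_bundle.pem"

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def merge_pem(texts):
    """Join several PEM certificate texts into one bundle string.

    Raises ValueError for anything that is not PEM (e.g. an unconverted DER
    .cer file), which load_verify_locations would otherwise reject at runtime.
    """
    chunks = []
    for text in texts:
        if PEM_MARKER not in text:
            raise ValueError("not a PEM certificate (convert DER .cer to PEM first)")
        chunks.append(text.strip() + "\n")
    return "".join(chunks)


def build_ca_bundle(pem_paths, out_path):
    """Write one PEM bundle containing the DoD root and the intermediates."""
    bundle = merge_pem(Path(p).read_text() for p in pem_paths)
    Path(out_path).write_text(bundle)
    return out_path


def build_server_context(cafile=None, certfile=None, keyfile=None,
                         partial_chain=False):
    """Server-side TLS context that demands and verifies a client certificate.

    partial_chain=True lets OpenSSL accept a chain ending at an intermediate in
    the bundle (Python 3.10+); the default requires the self-signed DoD root.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # triggers the CAC prompt
    if partial_chain and hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    if cafile:
        ctx.load_verify_locations(cafile)        # trust anchors for client certs
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # the server's own identity
    return ctx


def peer_identity(peercert):
    """Flatten the dict returned by SSLSocket.getpeercert() into the fields
    an application usually keys on: subject CN, issuer CN and serial."""
    def flatten(rdns):
        return {k: v for rdn in rdns for k, v in rdn}

    subject = flatten(peercert.get("subject", ()))
    issuer = flatten(peercert.get("issuer", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "serial": peercert.get("serialNumber"),
    }


if __name__ == "__main__":
    from flask import Flask, abort, request

    app = Flask(__name__)

    @app.route("/")
    def main():
        # Assumption: Werkzeug 2.x dev server exposes the SSLSocket here.
        sock = request.environ.get("werkzeug.socket")
        if sock is None:
            abort(500, "client certificate not available from this server")
        who = peer_identity(sock.getpeercert())
        return f"Hello {who['subject_cn']} (issued by {who['issuer_cn']})"

    build_ca_bundle(DOD_CA_FILES, CA_BUNDLE)
    app.run(ssl_context=build_server_context(CA_BUNDLE, SERVER_CERT, SERVER_KEY))
```

On the browser side, the self-signed root used to sign localhost.crt still has to be imported into the Windows trust store (for example with certmgr.msc or Import-Certificate into Cert:\LocalMachine\Root), and the leaf certificate needs a subjectAltName of localhost / 127.0.0.1, since Edge and Chrome ignore the CN; neither of those is something the Flask process can do for you.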