I'm having some issues with CAC and 10.4
I've done testing on OS X 10.4.1 on a standard journaled file system
and on a case-sensitive, journaled file system, with no apparent
difference between them.
The only configuration setup I attempted is in Keychain Access and
that configuration step refuses to "stick" on my machine. (I also
tried sc_auth accept but I get "Access Restricted" and I don't know
what that means).
OS X Mail works with encryption, decryption, and signing with no
additional configuration.
Safari responds with "The client certificate has been revoked" when I
visit a local PKI-enabled site (it's optional for this site; hopefully
that is not the cause of the problem). Mozilla also cannot access
that site under 10.4 if the CAC is in.
My CAC card reader is an ActivCard reader that was flashed to work
with 10.3, and I have to assume it is working fine since OS X Mail is
fully operational in CAC functions. sc_hash gives the hashes for all
three keys on the CAC.
On May 9, 2005, at 2:45 PM, Shawn Geddis wrote:
Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all abstracted
as keychains.
Can the Smart Card keychain be seen in the "Keychain Access"
application, and where? On my machine, the sections labeled "Keys"
and "My Certificates" are empty.
** Address Book
Now also displays the "signing" check symbol just left of email
addresses for which the user has a corresponding Public Cert in their
keychain. The Cert is NOT stored in the keychain, but represents a
relationship with one in one of the currently active keychains.
This works, but I think there is a wording error here: the Cert is
stored in the keychain; it is NOT stored in the Address Book.
"Common Access Card Viewer" functionality is largely now available,
since the Smart Cards appear as dynamic keychains. You can view the
Certificate and Key information as well as change the PIN on the card
by selecting "Change Password for Keychain ...".
This does not work at all for me; the only keychain I have is my
regular software keychain. I see no evidence of the CAC card in
Keychain Access.
2) The DoD Intermediate CAs are not available to the Keychain List
   by default
   -- Federal Customers within DoD will need to add the
      "X509Certificates" keychain to the list
   a) Launch Keychain Access
   b) Select "Edit -> Keychain List"
   c) Select "Show: Mac OS X (System)"
   d) Check the "Shared" checkbox next to
      "X509Certificates" (/System/Library/Keychains)
   e) X509Certificates will now appear in the Keychains List and
      will be available for Intermediates for the whole trust path
      validation.
This is what totally fails on my system. First off, the check mark
is not there if I immediately, or at any time afterwards, go back into
this menu. Also, I note that I have System (/Library/Keychains),
which is shared, and X509Anchors (/System/Library/Keychains), which is
not shared (and not shareable, just like X509Certificates). Under
User I also have System (/Library/Keychains), which is shared.
I created a brand new account and the problems existed there as well.
Michael
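The same change that steps a) through e) above make in the Keychain Access GUI can be made and checked from a shell with the `security` tool, which is useful when the GUI checkbox refuses to stick. This is an added example and not code from the original thread or from Apple; it assumes that the "Shared" checkbox corresponds to the system-domain search list (`security list-keychains -d system`), that the 10.4 `security` tool accepts `list-keychains -d system -s ...` and `find-certificate -a` as on later releases, and that `list-keychains` prints one double-quoted path per line. The helper in_search_list works on that text and is what the sample below exercises; the real `security` calls only run when the tool exists.

```shell
#!/bin/sh
# Added example (not from the original thread): add the shared DoD intermediates
# keychain to the system search list from the command line and verify it stuck.
# Assumptions: the "Shared" checkbox maps to `-d system`; the 10.4 `security`
# tool accepts the options used below; list-keychains prints "  \"/path\"" lines.

X509_SHARED="/System/Library/Keychains/X509Certificates.keychain"

# unquote_paths: turn `security list-keychains` output (one quoted path per
# line, with leading whitespace) into bare paths, one per line.
unquote_paths() {
    sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//'
}

# in_search_list PATH: read list-keychains output on stdin; succeed (0) if
# PATH is one of the listed keychains, fail (1) otherwise.
in_search_list() {
    want="$1"
    unquote_paths | while IFS= read -r path; do
        [ "$path" = "$want" ] && exit 0
    done
    # the while loop runs in a subshell; its exit status is the pipeline's
}

# ensure_x509_keychain: add X509Certificates to the system search list only if
# it is missing, keeping the keychains already there, then re-check.
ensure_x509_keychain() {
    if security list-keychains -d system | in_search_list "$X509_SHARED"; then
        echo "X509Certificates already in the system search list"
        return 0
    fi
    current=$(security list-keychains -d system | unquote_paths)
    # paths in the system domain contain no spaces, so word splitting is safe here
    # shellcheck disable=SC2086
    security list-keychains -d system -s $current "$X509_SHARED"
    security list-keychains -d system | in_search_list "$X509_SHARED" \
        && echo "X509Certificates added to the system search list"
}

if command -v security >/dev/null 2>&1; then
    ensure_x509_keychain
    # List the labels of the intermediates now visible to trust evaluation.
    security find-certificate -a "$X509_SHARED" | grep '"labl"'
fi
```

If the entry still disappears between runs, compare the output of `security list-keychains -d system` with `-d user` and `-d common`: the GUI and the CLI write to the same search-list preferences, so a keychain that is absent from every domain after the `-s` call points at a permissions or preferences-file problem rather than at Keychain Access.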