Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Michael Chute <email@hidden>
- Date: Tue, 24 May 2005 16:02:09 -0400
On May 24, 2005, at 2:49 PM, Michael Kluskens wrote:
Copied from where to where exactly. I have X509 Certs in
keychain access but perhaps not where you copied them to.
I copied them from a folder where I had the certs that I had
downloaded from GDS and dragged from there to the system keychain. I
stress i only did this because they did not show up in the edit
keychain list, and this was only on one machine.
Safari's use of CAC should not require any of the additional stuff
that shawn gave instructions for, it should just work, Mail just
works.
I agree it should just work, just given the error you were seeing i
thought you might want to try the other stuff to solve the problem.
there is no performance degradation if you do not use the login.
I have six items listed for smart card #2.
that is what I have 3 public keys and 3 private keys.
On May 24, 2005, at 12:15 PM, Michael Chute wrote:
My CAC is working fine on my 10.4 installs. I have run into one
issue where the X509 Certs were not in the keychain access I just
copied them in to solve that problem.
Copied from where to where exactly. I have X509 Certs in
keychain access but perhaps not where you copied them to.
You said the only thing you tried is the keychain stuff that
shawn gave instructions for. I have not done that alone.
Safari's use of CAC should not require any of the additional stuff
that shawn gave instructions for, it should just work, Mail just
works.
In order to see the keychains in keychain access you need to click
the "show keychains button on the bottom left of the keychain
access window.
Found that now, not an obvious place to look, usually commands like
that also have a menu item which is where most users look.
I have six items listed for smart card #2.
Thanks,
MIchael
On May 24, 2005, at 10:57 AM, Michael Kluskens wrote:
I'm having some issues with CAC and 10.4
I've done testing on OS X 10.4.1 on a standard journaled file
system and on a case-sensitive, journaled file system, with no
apparent difference between them.
The only configuration setup I attempted is in Keychain Access
and that configuration step refuses to "stick" on my machine. (I
also tried sc_auth accept but I get "Access Restricted" and I
don't know what that means).
OS X Mail works with encryption, decryption, and signing with no
additional configuration.
Safari responds with "The client certificate has been revoked"
when I visit a local PKI enabled site (it's optional for this
site hopefully that is not the cause of the problem). Mozilla
also can not access that site under 10.4 if the CAC is in.
My CAC card reader is a ActivCard reader that was flashed to work
with 10.3 and I have to assume it is working fine since OS X Mail
is fully operational in CAC functions. sc_hash gives the hashes
for all three keys on the CAC.
On May 9, 2005, at 2:45 PM, Shawn Geddis wrote:
Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all
abstracted as keychains
Can the Smart Card keychain be seen in the "Keychain Access"
application and where? On my machine, the sections labeled
"keys" and "My certificates" are empty.
** Address Book
Now also displays the "signing" check symbol just left of email
addresses that the user has corresponding Public Cert in their
keychain. The Cert is NOT stored in the keychain, but
represents a relationship with one in one of the currently
active keychains.
This works, but I think there is a wording error here, the Cert
is stored in the keychain, it is NOT stored in the Address Book.
"Common Access Card Viewer" functionality is largely now
available since the Smart Cards appear as dynamic keychains.
You can view the Certificate and Key information as well as
change the PIN on the card by selecting the "Change Password for
Keychain ...".
This does not work at all for me, the only keychain I have is my
regular software keychain, I see no evidence of the CAC card in
Keychain Access.
2) The DoD Intermediate CAs are not available to the Keychain
List by default
-- Federal Customers within DoD will need to add the
"X509Certificates" to the list
a) Launch Keychain Access
b) Select "Edit -> Keychain List"
c) Select "Show: Mac OS X (System)"
d) Check "Shared" checkbox next to
"X509Certificates" (/System/Library/Keychains)
e) X509Certificates will now appear in the Keychains
List and will be available for
Intermediates for the whole trust path
validation.
This is what totally fails on my system. First off the check
mark is not there if I immediately or any time afterwards go back
into this menu. Also, I note that I also have System /Library/
Keychains which is shared and X509Anchors /System/Library/
Keychains which is not shared (and not shareable just like
X509Certificates). Under User I also have System /Library/
Keychains which is shared.
I created a brand new account and the problems existed there as
well.
Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40nmrc.navy.mil
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden