[Fed-Talk] CAC and PKI
- Subject: [Fed-Talk] CAC and PKI
- From: Dalton Hamilton <email@hidden>
- Date: Thu, 22 Sep 2005 15:50:37 +0200
Hello -
My name is Dalton Hamilton and I work at Landstuhl Regional Medical
Center (LRMC) in Germany.
I'm the Senior European Network Engineer working for Medical Health
Systems (MHS).
We recently purchased some Macs for LRMC, some in Rota Spain, and in
Naples. We need to be able to send and receive Digitally Signed and
Encrypted email from Entourage 2004 using our CAC cards.
I've worked (and am still working) with a couple of Apple contacts who
have been extremely helpful but due to the timezone differences, I'm
not making progress fast enough.
Here is where I'm at so far -- I'm running 10.4.2:
1. Upgraded the firmware on the CAC Reader to V5.18. This allowed
my system to see the CAC Reader and read the card. When I connect
the CAC Reader, the pcscd process starts.
2. I've also installed the Common Access Card Viewer (CACV)
application off the 10.4 Install DVD.
3. I then started the Keychain Access application and did
Edit->Keychain List and clicked on the "Shared" checkbox for
X509Certificates.
4. Next I inserted my CAC ID and started the Common Access Card
Viewer and it said it was loading the CAC info and then prompted me
for my Keychain Password. At that time, I didn't realize the CAC
Card itself was treated as a KeyChain -- even though I had made the
above modifications to the Keychain Access application and could see
the card show up as a keychain. I typed in my user password and it
prompted me again for a password, I again typed my user password, and
it prompted me again for a password and I realized it must be talking
about the CAC ID PIN number. I then typed the PIN number. Still no
luck. I had locked the card already. I drove over to the DEERS/
RAPIDS group and they unlocked my card and let me put in another PIN
(I chose the same PIN number).
5. Once I was back at my system, I put the CAC ID in the reader and
no luck at all -- the system would not detect the ID. I unplugged
the CAC reader and plugged it back in and the system wouldn't detect
the reader. I restarted the system and then the system would see the
reader. I started Keychain Access and inserted my card and could see
it show up as a keychain. I then inserted my CAC ID and started the
CAC Viewer. It prompted for a keychain password and I very carefully
typed the correct numbers. No luck, it prompted again. This tells
me that the CAC Viewer can't communicate with the CAC ID properly.
6. I then moved on to Entourage. I set up Entourage's security
settings for the Signing Certificate and Encryption Certificate. I
then sent a digitally signed email to another user. He sent me a
signed email. I added his certificate/public-key to the contact and
then sent him a signed and encrypted email. He responded with an
encrypted email which my Entourage application could not decrypt.
The error is "There was an error trying to decrypt the message or
locating your encryption certificate." The attachment folder has a
smime.p7m file in it. I double-clicked the smime.p7m and it prompted
me to add the embedded or enclosed (or something like that)
certificate to a keychain and gave me a pulldown list of keychains
to add it to. Hmm, it didn't make sense but I tried it anyway, more
out of frustration than logical sense. I added it to the Login
keychain and the CAC Card keychain. Still nothing.
7. At the current moment, when I try to send a Digitally Signed
email, I get an Entourage error reading "Could not save this
message. An unknown error (1) occurred." and all I can do is hit
OK. I can see all the certificates and private keys on the CAC card
from the Keychain Access application.
8. Then sometimes I insert my card and it does not show up in the
Keychain Access list.
Since I didn't take chronological notes on all this, I'm sure some of
the above is a bit twisted; however, the point is, I'm really looking
to get this working. I need this to work as it is a requirement to
send Digitally Signed and Encrypted email for certain information. I
want these systems to be successful and if I don't get it working,
nobody else is. If anyone is monitoring this thread that can help,
I'd be glad to give you a call or work offline via my military email
address.
Many thanks
Dalton Hamilton
TIMPO Europe Senior Network Engineer
Fed-talk mailing list (email@hidden)
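Added example, not from the original post and not Apple's or Microsoft's code: a small diagnostic for the smime.p7m attachment described above. That attachment is a DER-encoded PKCS#7/CMS EnvelopedData, and each RecipientInfo inside it names, by issuer and serial number, the certificate the sender encrypted to. Listing those identifiers and comparing them with the encryption certificate actually present on the card is the first check a practitioner makes when a client reports that it cannot locate the encryption certificate. The DER walker, the `recipient_ids` and `diagnose` functions, the sample message, the CA name and the serial numbers are all this example's own constructions; the sample is built inline so the code runs offline with the standard library only.

```python
# Added example: list the (issuer, serial) pairs an S/MIME smime.p7m was
# encrypted to and check them against the certificates held on the card.
# Minimal DER encoder/decoder; the sample EnvelopedData is constructed here
# with placeholder names and serials, not taken from any real message.

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
ENVELOPED_DATA = "1.2.840.113549.1.7.3"   # id-envelopedData


# --- minimal DER encoder (used only to construct the sample message) -------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(v):
    # one extra byte when needed so the high bit does not read as a sign bit
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


# --- minimal DER decoder ---------------------------------------------------
def tlv(buf, pos=0):
    """Return (tag, value bytes, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def decode_name(body):
    """X.501 Name -> 'C=US, O=..., CN=...' (one attribute per RDN assumed)."""
    rdns = []
    for _, rdn_set in children(body):
        _, attr = children(rdn_set)[0]
        (_, oid), (_, val) = children(attr)
        label = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
        rdns.append(f"{label}={val.decode()}")
    return ", ".join(rdns)


def recipient_ids(p7m):
    """(issuer, serial) for every KeyTransRecipientInfo in an EnvelopedData."""
    _, content_info, _ = tlv(p7m)
    (_, ctype), (_, explicit) = children(content_info)[:2]
    if decode_oid(ctype) != ENVELOPED_DATA:
        raise ValueError("not a PKCS#7/CMS EnvelopedData")
    _, env = children(explicit)[0]          # [0] EXPLICIT wraps the SEQUENCE
    recipient_set = next(v for t, v in children(env) if t == 0x31)  # SET OF RecipientInfo
    found = []
    for tag, ri in children(recipient_set):
        if tag != 0x30:                     # agreement/KEK/password forms use context tags
            continue
        rid_tag, rid = children(ri)[1]      # fields: version, rid, keyEncAlg, encryptedKey
        if rid_tag != 0x30:                 # [0] subjectKeyIdentifier form of rid
            found.append(("ski", rid.hex()))
            continue
        (_, issuer), (_, serial) = children(rid)
        found.append((decode_name(issuer), int.from_bytes(serial, "big", signed=True)))
    return found


def diagnose(p7m, card_certs):
    """Pair each recipient id with whether a matching certificate is on the card."""
    return [(rid, rid in card_certs) for rid in recipient_ids(p7m)]


# --- constructed sample: one message encrypted to two recipients ----------
def build_sample(recipients):
    ris = b""
    for rdns, serial in recipients:
        name = der(0x30, b"".join(
            der(0x31, der(0x30, der_oid(o) + der(0x0C, v.encode()))) for o, v in rdns))
        rid = der(0x30, name + der_int(serial))
        alg = der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))  # rsaEncryption
        ris += der(0x30, der_int(0) + rid + alg + der(0x04, b"\x00" * 16))  # dummy wrapped key
    eci = der(0x30, der_oid("1.2.840.113549.1.7.1")
              + der(0x30, der_oid("2.16.840.1.101.3.4.1.42") + der(0x04, b"\x00" * 16))
              + der(0x80, b"\x00" * 8))     # aes256-CBC with dummy IV and ciphertext
    env = der(0x30, der_int(0) + der(0x31, ris) + eci)
    return der(0x30, der_oid(ENVELOPED_DATA) + der(0xA0, env))


CA = [("2.5.4.6", "US"), ("2.5.4.10", "Example Government"), ("2.5.4.3", "EXAMPLE EMAIL CA-1")]
SAMPLE_P7M = build_sample([(CA, 0x1234), (CA, 0x5678)])
# placeholder: the card holds only the certificate with serial 0x5678 from that CA
CARD_CERTS = {("C=US, O=Example Government, CN=EXAMPLE EMAIL CA-1", 0x5678)}

if __name__ == "__main__":
    for rid, ok in diagnose(SAMPLE_P7M, CARD_CERTS):
        print(("match   " if ok else "MISSING ") + repr(rid))
```

Run against a real attachment, `recipient_ids(open("smime.p7m", "rb").read())` prints the issuer and serial of every certificate the sender encrypted to; if none of them matches the encryption certificate the card currently holds (for instance because the sender cached an older certificate for the recipient), the message cannot be decrypted with that card regardless of reader or keychain state, and the sender needs the current certificate.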