Re: [Fed-Talk] CAC and PKI
- Subject: Re: [Fed-Talk] CAC and PKI
- From: "Timothy J. Miller" <email@hidden>
- Date: Thu, 22 Sep 2005 09:58:04 -0500
There's a bug with 10.4.x where the process that controls the reader
crashes when the system goes to sleep, and can't be restarted properly
afterward. It doesn't matter if the reader was detached prior to sleep
or not. You need to reboot for the reader to be accessible again.
I've never had the PIN entry problem you describe.
Entourage doesn't use Keychain at all, if I remember correctly.
Mail.app will see the smartcard (assuming the controlling process hasn't
died on you) and use it properly. This is entirely a Microsoft issue.
FYI, there's also a bug in Safari (actually, I would assume it's
WebCore) where it won't use the certs that are in the smartcard keychain
if you hold *any* certificate and private key in your login keychain.
This includes SSL client authentication where the server specifies the
DoD PKI root correctly.
Not much help, I know, but just so you know you're not crazy. ;)
The above bugs are already submitted to Apple. I wish I could comment
more on them but I can't.
(FWIW, I support the AF PKI SPO, so I'm kinda keen on these issues.)
-- Tim
Dalton Hamilton wrote:
Hello -
My name is Dalton Hamilton and I work at Landstuhl Regional Medical
Center (LRMC) in Germany.
I'm the Senior European Network Engineer working for Medical Health
Systems (MHS).
We recently purchased some Macs for LRMC, some in Rota Spain, and in
Naples. We need to be able to send and receive Digitally Signed and
Encrypted email from Entourage 2004 using our CAC cards.
I've worked (and am still working) with a couple Apple contacts who
have been extremely helpful but due to the timezone differences, I'm
not making progress fast enough.
Here is where I'm at so far -- I'm running 10.4.2:
1. Upgraded the firmware on the CAC Reader to V5.18. This allowed my
system to see the CAC Reader and read the card. When I connect the CAC
Reader, the pcscd process starts.
2. I've also installed the Common Access Card Viewer (CACV)
application off the 10.4 Install DVD.
3. I then started the Keychain Access application and did
Edit->Keychain List and clicked on the "Shared" checkbox for X509Certificates.
3. Next I inserted my CAC ID and started the Common Access Card Viewer
and it said it was loading the CAC info and then prompted me for my
Keychain Password. At that time, I didn't realize the CAC Card itself
was treated as a KeyChain -- even though I had made the above
modifications to the Keychain Access application and could see the card
show up as a keychain. I typed in my user password and it prompted
me again for a password, I again typed my user password, and it
prompted me again for a password and I realized it must be talking
about the CAC ID PIN number. I then typed the PIN number. Still no
luck. I had locked the card already. I drove over to the DEERS/
RAPIDS group and they unlocked my card and let me put in another PIN
(which I chose the same PIN number).
4. Once I was back at my system, I put the CAC ID in the reader and no
luck at all -- the system would not detect the ID. I unplugged the CAC
reader and plugged it back in and the system wouldn't detect the
reader. I restarted the system and then the system would see the
reader. I started Keychain Access and inserted my card and could see
it show up as a keychain. I then inserted my CAC ID and started the CAC
Viewer. It prompted for a keychain password and I very carefully typed
the correct numbers. No luck, it prompted again. This tells me that
the CAC Viewer can't communicate with the CAC ID properly.
5. I then moved on to Entourage. I set up Entourage's security settings
for the Signing Certificate and Encryption Certificate. I then sent a
digitally signed email to another user. He sent me a signed email. I
added his certificate/public-key to the contact and then sent him a
signed and encrypted email. He responded with an encrypted email which
my Entourage application could not decrypt. The error is "There was an
error trying to decrypt the message or locating your encryption
certificate." The attachment folder has a smime.p7m file in it. I
double-clicked the smime.p7m and it prompted me to add the embedded or
enclosed (or something like that) certificate to a keychain and gave
me a pulldown list of keychains to add it to. Hmm, it didn't make
sense but I tried it anyway, more out of frustration than logical
sense. I added it to the Login keychain and the CAC Card keychain.
Still nothing.
5. At the current moment, when I try to send a Digitally Signed
email, I get an Entourage error reading "Could not save this message.
An unknown error (1) occurred." and all I can do is hit ok. I can see
all the certificates and private keys on the CAC card from the keychain
access application.
6. Then sometimes I insert my card and it does not show up in the
Keychain Access list.
Since I didn't take chronological notes on all this, I'm sure some of
the above is a bit twisted; however, the point is, I'm really looking
to get this working. I need this to work as it is a requirement to
send Digitally Signed and Encrypted email for certain information. I
want these systems to be successful and if I don't get it working,
nobody else is. If anyone is monitoring this thread that can help, I'd
be glad to give you a call or work offline via my military email address.
Many thanks
Dalton Hamilton
TIMPO Europe Senior Network Engineer
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
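The decrypt failure described in the quoted message ("There was an error trying to decrypt the message or locating your encryption certificate", with an smime.p7m left behind) is usually one of two things: the client cannot reach the private key on the card, or the sender encrypted to a certificate other than the one whose key you hold. The second case can be checked without any card at all, by reading the recipient identifiers out of the CMS envelope. The script below is an added example, not code from this thread or from Apple or Microsoft: it contains a minimal DER reader for the RFC 5652 `ContentInfo` / `EnvelopedData` structures, reports the content type (signed-data vs. enveloped-data), and lists the issuer CN and serial number of every `KeyTransRecipientInfo`, so you can compare them against the encryption certificate on your CAC. The sample envelope is constructed in the script (dummy key and ciphertext bytes, a made-up issuer name); the OIDs are the standard PKCS#7/CMS values. It handles definite-length DER only, which is what S/MIME mail clients emit.

```python
"""Diagnose an S/MIME CMS blob (smime.p7m / smime.p7s): content type and recipients (RFC 5652)."""
import sys

# Standard CMS / PKCS#7 object identifiers
OID_DATA = "1.2.840.113549.1.7.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
OID_COMMON_NAME = "2.5.4.3"
CONTENT_TYPE_NAMES = {OID_DATA: "data", OID_SIGNED_DATA: "signed-data",
                      OID_ENVELOPED_DATA: "enveloped-data"}

# ---- minimal DER reader (definite lengths, single-byte tags) ----
def _read_length(buf, i):
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_tlv(buf, i=0):
    """Return (tag, value bytes, index after this element)."""
    tag = buf[i]
    length, j = _read_length(buf, i + 1)
    return tag, bytes(buf[j:j + length]), j + length

def parse_children(buf):
    """All (tag, value) pairs inside a constructed value."""
    out, i = [], 0
    while i < len(buf):
        tag, val, i = parse_tlv(buf, i)
        out.append((tag, val))
    return out

def decode_oid(b):
    first = b[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    v = 0
    for byte in b[1:]:                     # base-128, high bit = continuation
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def content_type(der):
    """OID of ContentInfo.contentType (outer SEQUENCE, first element)."""
    tag, content_info, _ = parse_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; decode base64/PEM first")
    oid_tag, oid_bytes = parse_children(content_info)[0]
    if oid_tag != 0x06:
        raise ValueError("ContentInfo does not start with an OID")
    return decode_oid(oid_bytes)

def _issuer_cn(name_bytes):
    for _, rdn in parse_children(name_bytes):          # Name = SEQ OF SET OF AttributeTypeAndValue
        for _, atv in parse_children(rdn):
            (_, oid), (_, value) = parse_children(atv)
            if decode_oid(oid) == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return None

def recipients(der):
    """[(issuer CN, serial)] for each KeyTransRecipientInfo using IssuerAndSerialNumber."""
    if content_type(der) != OID_ENVELOPED_DATA:
        return []
    _, content_info, _ = parse_tlv(der)
    _, explicit_val = parse_children(content_info)[1]          # [0] EXPLICIT content
    _, enveloped = parse_children(explicit_val)[0]             # EnvelopedData SEQUENCE
    rinfos = next(v for t, v in parse_children(enveloped) if t == 0x31)  # recipientInfos SET
    found = []
    for tag, ktri in parse_children(rinfos):
        if tag != 0x30:                    # [1]..[4] are other RecipientInfo choices
            continue
        rid_tag, rid = parse_children(ktri)[1]
        if rid_tag != 0x30:                # [0] subjectKeyIdentifier form, no serial
            continue
        (_, issuer), (_, serial) = parse_children(rid)
        found.append((_issuer_cn(issuer), int.from_bytes(serial, "big", signed=True)))
    return found

def diagnose(der, my_serial):
    """Summary a helpdesk can act on: what the blob is and whether it targets my certificate."""
    ctype, rcpts = content_type(der), recipients(der)
    return {"content_type": CONTENT_TYPE_NAMES.get(ctype, ctype), "recipients": rcpts,
            "encrypted_to_me": any(s == my_serial for _, s in rcpts)}

# ---- tiny DER writer, used only to build the constructed sample ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return bytes(out)

def der_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def build_sample_enveloped(recipient_serial):
    """Constructed EnvelopedData for one recipient; key and ciphertext bytes are dummies."""
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(OID_COMMON_NAME))
                                           + tlv(0x13, b"Constructed Test CA"))))
    rid = tlv(0x30, issuer + der_int(recipient_serial))            # IssuerAndSerialNumber
    key_alg = tlv(0x30, tlv(0x06, encode_oid(OID_RSA_ENCRYPTION)) + tlv(0x05, b""))
    ktri = tlv(0x30, der_int(0) + rid + key_alg + tlv(0x04, b"\x00" * 8))
    content_alg = tlv(0x30, tlv(0x06, encode_oid(OID_AES128_CBC)) + tlv(0x04, b"\x00" * 16))
    eci = tlv(0x30, tlv(0x06, encode_oid(OID_DATA)) + content_alg + tlv(0x80, b"\x11" * 16))
    enveloped = tlv(0x30, der_int(0) + tlv(0x31, ktri) + eci)
    return tlv(0x30, tlv(0x06, encode_oid(OID_ENVELOPED_DATA)) + tlv(0xA0, enveloped))

if __name__ == "__main__":
    # Usage: python cms_diag.py [smime.p7m] <my-cert-serial-decimal>; defaults to the sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_enveloped(0x1234)
    print(diagnose(blob, int(sys.argv[-1]) if len(sys.argv) > 1 else 0x1234))
```

Feed it the raw smime.p7m saved from the mail client (Entourage stores it base64-decoded in the attachment folder) and the serial number shown for your encryption certificate in Keychain Access. If your serial is not in the recipient list, the sender encrypted to a different certificate and no amount of card or keychain fiddling will decrypt it; if it is, the problem is on the key-access side (reader, pcscd, or the client's keychain lookup).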