Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Shawn Geddis <email@hidden>
- Date: Tue, 14 Feb 2006 09:19:28 -0500
Michael,
I copied them from a folder where I had the certs that I had
downloaded from GDS and dragged from there to the system keychain.
I stress I only did this because they did not show up in the edit
keychain list, and this was only on one machine.
The "System" keychain is an OS managed keychain and is not one you
should rely on for your intermediates or personal certificates. It
is, however, where you must put Service Certificates like those you
use for machine level IPSec (i.e. Machine Certs for IPSec MUST be in
the System keychain).
-Shawn
On May 24, 2005, at 4:02 PM, Michael Chute wrote:
On May 24, 2005, at 2:49 PM, Michael Kluskens wrote:
Copied from where to where exactly. I have X509 Certs in
keychain access but perhaps not where you copied them to.
I copied them from a folder where I had the certs that I had
downloaded from GDS and dragged from there to the system keychain.
I stress I only did this because they did not show up in the edit
keychain list, and this was only on one machine.
Safari's use of CAC should not require any of the additional stuff
that shawn gave instructions for, it should just work, Mail just
works.
I agree it should just work, just given the error you were seeing i
thought you might want to try the other stuff to solve the
problem. There is no performance degradation if you do not use the
login.
I have six items listed for smart card #2.
That is what I have: 3 public keys and 3 private keys.
On May 24, 2005, at 12:15 PM, Michael Chute wrote:
My CAC is working fine on my 10.4 installs. I have run into one
issue where the X509 Certs were not in the keychain access I just
copied them in to solve that problem.
Copied from where to where exactly. I have X509 Certs in
keychain access but perhaps not where you copied them to.
You said the only thing you tried is the keychain stuff that
shawn gave instructions for. I have not done that alone.
Safari's use of CAC should not require any of the additional stuff
that shawn gave instructions for, it should just work, Mail just
works.
In order to see the keychains in keychain access you need to
click the "Show Keychains" button on the bottom left of the
keychain access window.
Found that now, not an obvious place to look, usually commands
like that also have a menu item which is where most users look.
I have six items listed for smart card #2.
Thanks,
Michael
On May 24, 2005, at 10:57 AM, Michael Kluskens wrote:
I'm having some issues with CAC and 10.4
I've done testing on OS X 10.4.1 on a standard journaled file
system and on a case-sensitive, journaled file system, with no
apparent difference between them.
The only configuration setup I attempted is in Keychain Access
and that configuration step refuses to "stick" on my machine.
(I also tried sc_auth accept but I get "Access Restricted" and I
don't know what that means).
OS X Mail works with encryption, decryption, and signing with no
additional configuration.
Safari responds with "The client certificate has been revoked"
when I visit a local PKI enabled site (it's optional for this
site hopefully that is not the cause of the problem). Mozilla
also can not access that site under 10.4 if the CAC is in.
My CAC card reader is an ActivCard reader that was flashed to
work with 10.3 and I have to assume it is working fine since OS
X Mail is fully operational in CAC functions. sc_hash gives the
hashes for all three keys on the CAC.
On May 9, 2005, at 2:45 PM, Shawn Geddis wrote:
Smart Cards in "Tiger" - 10.4.x
=====================
Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all
abstracted as keychains
Can the Smart Card keychain be seen in the "Keychain Access"
application and where? On my machine, the sections labeled
"keys" and "My certificates" are empty.
** Address Book
Now also displays the "signing" check symbol just left of email
addresses that the user has corresponding Public Cert in their
keychain. The Cert is NOT stored in the keychain, but
represents a relationship with one in one of the currently
active keychains.
This works, but I think there is a wording error here, the Cert
is stored in the keychain, it is NOT stored in the Address Book.
"Common Access Card Viewer" functionality is largely now
available since the Smart Cards appear as dynamic keychains.
You can view the Certificate and Key information as well as
change the PIN on the card by selecting the "Change Password
for Keychain ...".
This does not work at all for me, the only keychain I have is
my regular software keychain, I see no evidence of the CAC card
in Keychain Access.
2) The DoD Intermediate CAs are not available to the Keychain
List by default
-- Federal Customers within DoD will need to add the
"X509Certificates" to the list
a) Launch Keychain Access
b) Select "Edit -> Keychain List"
c) Select "Show: Mac OS X (System)"
d) Check "Shared" checkbox next to
"X509Certificates" (/System/Library/Keychains)
e) X509Certificates will now appear in the
Keychains List and will be available for
Intermediates for the whole trust path
validation.
This is what totally fails on my system. First off the check
mark is not there if I immediately or any time afterwards go
back into this menu. Also, I note that I also have System /Library/Keychains
which is shared and X509Anchors /System/Library/Keychains which is not
shared (and not shareable just like X509Certificates). Under User I also
have System /Library/Keychains which is shared.
I created a brand new account and the problems existed there as
well.
Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division (Public & Private Sector)
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
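Shawn's step (e) above, making the X509Certificates keychain "available for Intermediates for the whole trust path validation", rests on a general PKI rule: a client certificate validates only if every intermediate CA between the end-entity certificate and a trusted anchor can be located by the relying party. The following is an added example and is not code from the thread, from Apple, or from the DoD PKI. It builds a constructed three-tier PKI (root, intermediate, user certificate) with openssl in a temporary directory, using placeholder names rather than any real CA, and verifies the user certificate twice: against the root anchor alone, and again with the intermediate supplied as an untrusted chain certificate. The first check fails because the issuer of the user certificate cannot be found; the second succeeds.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): why intermediates must be
# reachable for trust-path validation. Builds a constructed root -> intermediate
# -> user PKI with openssl (placeholder names, not real DoD CAs) and verifies
# the user cert with and without the intermediate available.

# build_demo_pki DIR: write root.pem, inter.pem and leaf.pem (plus keys) into DIR.
build_demo_pki() {
  dir=$1
  # Root CA: CSR self-signed with an explicit CA:TRUE basic constraint.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA: issued by the root, also marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$dir/inter.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1
  # End-entity (user) certificate issued by the intermediate, client-auth only.
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' \
    > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo User" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_leaf DIR [with_intermediate]: print OK or FAIL for leaf.pem against
# the root anchor, optionally offering inter.pem as an untrusted chain cert
# (the role the X509Certificates keychain plays for Mac OS X trust evaluation).
verify_leaf() {
  dir=$1
  if [ "$2" = "with_intermediate" ]; then
    set -- -untrusted "$dir/inter.pem"
  else
    set --
  fi
  if openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

DEMO=$(mktemp -d)
build_demo_pki "$DEMO"
echo "root anchor only:           $(verify_leaf "$DEMO")"
echo "root anchor + intermediate: $(verify_leaf "$DEMO" with_intermediate)"
```

Run it as-is; the only dependency is the openssl command-line tool. The point it makes for the thread is that a trust anchor alone is not enough: the anchor (the X509Anchors role) and the intermediates (the X509Certificates role) are separate inputs to path validation, and a missing intermediate produces a validation failure even though the user's certificate and the root are both perfectly good.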