Jack et al.,
Quick comments on the questions and corrections to some of the responses that have been provided... inline below...
From: Jack Roddy <email@hidden> Date: 12/22/2009 07:09 AM Subject: [Fed-Talk] Root Cert on MacBookPro Question
Can someone run down the steps needed to download and install the DOD root certificate to a MacBook Pro?
Unlike some other environments, on Mac OS X, there is no need to download/install US Federal Government Certificates (DoD / Federal PKI). Mac OS X 10.6.2 has the following shipped as part of the OS:
______
Keychain Name: System Roots
Cert Count: 167
Location: /System/Library/Keychains/SystemRootCertificates.keychain
(This is an immutable [non-modifiable] credential store for pre-trusted Root CA Certificates)

(Certificate | Issuer | Key Size | Validity)
Federal PKI
- Common Policy | FBCA - Common Policy | 2048 bit | Oct 6, 2004 -> Oct 6, 2010
- Common Policy | FBCA - Common Policy | 2048 bit | Oct 15, 2007 -> Oct 15, 2027
DoD PKI
- DoD CLASS 3 Root CA | DoD PKI | 1024 bit | May 19, 2000 -> May 14, 2020
- DoD Root CA 2 | DoD PKI | 2048 bit | Dec 13, 2004 -> Dec 5, 2029
US Federal - External PKI
- ECA Root CA | US Federal Govt / ECA | 1024 bit | June 14, 2004 -> June 14, 2040

**NOTE** Many folks continue to mistakenly enable the old, deprecated X509Anchors keychain [/System/Library/Keychains/X509Anchors], which was last used by Apple in Mac OS X 10.4.x. That Keychain still exists solely due to reliance by some versions of Microsoft's Office for Mac, but is not used by Mac OS X itself since Mac OS X 10.4.x.
______
Keychain Name: SystemCACertificates
Cert Count: 48
Location: /System/Library/Keychains/SystemCACertificates.keychain
(This is a mutable [modifiable] credential store pre-populated with Intermediate CA Certificates)

(Intermediate CA -- Associated Root CA)
DoD PKI
- DOD CA-11 ... DOD CA-24 -- DOD Root CA 2
- DOD EMAIL CA-11 ... DOD EMAIL CA-24 -- DOD Root CA 2
- DoD Intermediate CA-1 -- DoD Root CA 2
- DoD Intermediate CA-2 -- DoD Root CA 2
External PKI
- IdenTrust ECA 1 -- ECA Root CA
- IdenTrust ECA 2 -- ECA Root CA 2
- ORC ECA -- ECA Root CA
- ORC ECA 2 -- ECA Root CA
- ORC ECA Foreign Nationals CA 1 -- ECA Root CA
- ORC ECA -- ECA Root CA
- ORC ECA HW 3 -- ECA Root CA 2
- ORC ECA SW 3 -- ECA Root CA 2
- VeriSign Client External Certificate Authority -- ECA Root CA
- VeriSign Client External Certificate Authority - G2 -- ECA Root CA 2
I thought I had my system setup since I’m sending and receiving signed e-mails and able to encrypt.
If you have *enabled* (not installed, as some refer to it) the SystemCACertificates keychain, then you will be able to Sign/Encrypt to anyone within the US Federal Government, given you use the right email address from their certificate (case-sensitive for everything left of the '@').
However, I’ve gone to a few sites and can’t log on as it reports I don’t have the correct certificate.
That is not what that means. Refer to the message I have attached below titled: "[Discussion] (2) Card recognized, but I cannot access PKI protected Websites"
Short explanation here, but read the attached message for complete clarity: some DoD websites' configuration causes challenges for users with respect to required changes to PKI on Mac OS X.
1) Site allows multiple authentication types, but expects you to authenticate with your Smart Card
   - If the site is set to *Require* an X.509 Cert for authentication, you will be prompted by Safari for Cert Selection
   - If the site is set to allow multiple types, you will need to manually create an IDPref (can use Wildcards now)
2) Site has embedded content from multiple servers (sometimes from different sub-domains)
   - Will require either a single Wildcard IDPref or multiple URL-specific IDPrefs.
I’m guessing that I don’t have the root certificate installed correctly.
No need for any US Federal User to install the Root / Intermediate Certificates.
My key ring access lists my CAC Along with the X509 certificates. Thanks
Keychains are listed on the upper left corner of Keychain Access window with all Smart Cards listed at the top of the list.
Many folks continue to mistakenly enable the old, deprecated X509Anchors keychain which was last used by Apple in Mac OS X 10.4.x. That Keychain still exists solely due to reliance by some versions of Microsoft's Office for Mac, but is not used by Mac OS X itself since Mac OS X 10.4.x.
On Dec 22, 2009, at 1:54 PM, Jack Roddy wrote:
I have installed the keychain indicated below and have identified the website in my preferences for each certificate.
When I go to a protected website “HTTPS” a dialog box drops down stating: the website “url” did not accept the certificate “unknown”.
Note that this might be a site configured as noted above. Read and address using the information noted in the attached message. Creation of a single Wildcard IDPref for "https://*.navy.mil/" mapped to the single, correct certificate should be quite useful for you.
This website requires a certificate to validate your identity. Select the certificate to use when you connect to this website, and then click continue. It then lists the three certificates on my CAC.
Once you select one, the OS auto-creates an IDPref mapping the specific URL to the Certificate. If you create a single Wildcard IDPref, you would not be prompted for this for any server within the domain defined within the mapping. Keep in mind that it is perfectly allowed to map https://*.mil/ to cover everything under DoD and https://*.gov/ for civilian agencies, etc.
When I select one and click continue it just recycles back to the same dialog box and never completes the connection.
As noted before, this may not be that it is not accepted for your last selection, but rather the site has multiple (embedded) objects that require authenticating to multiple servers.
On 12/22/09 11:55 AM, "Ryan G Kim" <email@hidden> wrote:
Did you install the SystemCACertificates keychain?
Launch keychain
Add Keychain
System->Library->Keychains->SystemCACertificates.keychain
To be technically correct, you do not *install* a keychain, but "Add" a Keychain. You launch "Keychain Access". You can also Add Keychains to the list two other ways:
1) Double-click a Keychain file
2) Use the CLI tool /usr/bin/security (note usage with: security list-keychains -h)
All questions / comments should be asked on the SmartCardServices-User Mailing list at:
http://lists.macosforge.org/mailman/listinfo
http://smartcardservices.macosforge.org/
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
T (703) 264-5103
C (703) 623-9329
email@hidden
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
____________________________________________________________________________
Date: July 2, 2008 4:15:55 PM EDT
Subject: [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
(Stepping away from vacation long enough to send some critical email)
(2) Card recognized, but I cannot access PKI protected Websites
Many of you were already working with your Smart Cards on Mac OS X 10.5.0 - 10.5.2, but after you upgraded to 10.5.3, Client-side authentication to those sites failed for you.
Customers Impacted:
- Smart Card users who upgraded to Mac OS X 10.5.3
- Required Client Authentication to various PKI protected Web portals
- Issued Smart card supports the newer Block Transfer (T=1) type
If you possibly have a Hybrid card (both CAC and PIV applets), you may still experience issues even when applying the installer from Shawn Geddis.
Platform Affected: Mac OS X 10.5.3 - released 05/28/08
Services Affected: Safari 3.1.1 -- Web Access using Smart Cards to PKI protected US Federal Government websites (** All other services are NOT affected **)
Delivery Vehicle: Specific fixes have been released as part of Mac OS X 10.5.4
*** Upgrade your system to Mac OS X 10.5.4
• Safari 3.1.2
• Keychain Access 4.0.2
Several issues were addressed related to correcting the network layer's use of the Identity Preference, as well as previous crashing of Keychain Access when the Identity Preference was accessed.
Previous User Experience: Prior to upgrading to Mac OS X 10.5.3, users were able to successfully access PKI protected Government websites using their US Federal Government Smart Cards (i.e. DoD -> CAC). In some cases, the user would need to manually configure an association between which Certificate to use for the specific URL they were accessing.
Related Change in 10.5.3 Safari:
• Fundamental changes within Mac OS X on how Client-side Certificates are handled
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
User Experience: Mac OS X 10.5.2 (and earlier) / Safari: Safari 3 automatically sends the first available client certificate in your keychain
Mac OS X 10.5.3 (and later) / Safari: You will be prompted to select a client certificate when server requests it. An Identity Preference is then created for the associated URL and Cert.
Server Side Configuration Caveat: Safari may not prompt you to select a client certificate if the server you are attempting to authenticate to is configured to *optionally* accept (rather than require) client authentication. Many of the US Federal Government web servers are configured for *optional* rather than *required*, since there is still a transition from User/Pass over to Smart Cards.
System will auto-create an Identity Preference *IF* the Server is configured for *required*
As noted in the KBase article referenced above, when accessing a website configured as *required*, Safari will prompt the user for the appropriate certificate to use for client authentication, but ONLY if it is configured as *required*.
Manually Creating Identity Preferences -- Server configured for *optional*
In this case you can force a particular client certificate to be sent by manually creating an identity preference item for the desired server authentication. Note that it is important to know the correct URL for the actual authentication process, which may significantly differ from the standard login URL.
For example, if you are authenticating to AKO:
NOTE: It is best to not try and fully qualify the complete URL, but rather just include the FQDN - Fully Qualified Domain Name for the server you are authenticating to. Also, be careful and ensure you have terminated the URL with the "/" to complete the proper host specification. For example, do not just enter the above URL as https://akocac.us.army.mil without the trailing "/", because it will fail for you.
Also, make sure that you are selecting the *proper* Certificate from the card. *Proper* means the certificate expected / required by the Server for user authentication. It may require you to check with your local Admin or help desk to determine which certificate is required for that site.
Since you are manually creating the Identity Preference, you need to ensure that you are selecting the right one. The Certificate selected is easily changed by opening up the "Identity Preference" within your default keychain using Keychain Access and selecting an alternative Certificate.
Troubleshooting: To provide you and Apple with the ability to troubleshoot why you may still be failing to authenticate to a given server, Apple enabled a debug flag which, when enabled, will log identity preference information to the System log (/var/log/system.log).
Enable Identity Preference Debug Mode in 10.5.4 and beyond:
% defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
When enabled, each identity preference lookup is written as in the following example:
Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"
These messages might allow some to correct the host name they entered in the manually configured Identity Preference.
If you are still failing, provide these log messages along with your Reader and Card information. Quickest way to capture this info is to launch Terminal and execute the following command while you have your reader attached and card inserted:
% pcsctest
Select the number (typically "1") which corresponds to the reader with the card inserted,
...capture the output from this command and include in your message directly to me.
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
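Added here as an illustration, not part of this thread or of Apple's tools: a small Python helper that parses the LogIdentityPreferenceLookup lines shown above and checks a service string against the pitfalls the message lists (https scheme, FQDN only, terminating "/"). The wildcard matching in covers() is an assumed approximation, not Apple's lookup code, and the log lines are constructed.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample of LogIdentityPreferenceLookup lines, in the format the
# message shows; the server names are made up, not captured from a real system.
SAMPLE_LOG = """\
Jul  1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"
Jul  1 18:12:53 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://portal.navy.mil/"
Jul  1 18:12:54 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://images.navy.mil/"
"""

LOOKUP_RE = re.compile(
    r'preferred identity: "(?P<identity>[^"]*)" found for "(?P<service>[^"]*)"')

def parse_lookups(log_text):
    """Return (identity, service) for each identity-preference lookup line."""
    found = []
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            found.append((m.group("identity"), m.group("service")))
    return found

def check_service(url):
    """Flag the pitfalls the message warns about in a service string for
    "New Identity Preference": https, FQDN only, trailing '/'."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("scheme should be https")
    if not parts.netloc:
        warnings.append("no host name found")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        warnings.append("use only the FQDN, not a page path")
    if not url.endswith("/"):
        warnings.append("missing trailing '/'")
    return "https://%s/" % parts.netloc, warnings

def covers(preference, service):
    """Assumed approximation of the lookup (not Apple's matching code): same
    scheme, and the preference host (may start with '*.') matches the host."""
    p, s = urlsplit(preference), urlsplit(service)
    return p.scheme == s.scheme and fnmatchcase(s.netloc.lower(), p.netloc.lower())

def uncovered_services(log_text, preferences):
    """Looked-up services no given preference covers: create or fix those."""
    return sorted({svc for _, svc in parse_lookups(log_text)
                   if not any(covers(pref, svc) for pref in preferences)})
```

Feed it the lines from /var/log/system.log and the service strings of the Identity Preferences you created; anything uncovered is a host name Safari actually looked up that still needs a (corrected) preference.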
Contents of the KBase article mentioned in this post:
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
Summary: Safari 3's handling of client certificate authentication changes in Mac OS X 10.5.3 and later. This improves the security and reliability of client certificate-authenticated connections to servers.
- Mac OS X 10.5.2 and earlier behavior: Safari 3 automatically sends the first available client certificate in your keychain to the website.
- Mac OS X 10.5.3 and later behavior: No client certificate is sent until you have the opportunity to select the appropriate one to use for that site. You will be prompted by Safari 3 to select a client certificate at the point where the server requests client authentication. After selecting a client certificate, the decision is remembered in your keychain as an "identity preference item", and you will not be prompted again when returning to the same site.
Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server.
To manually specify a client certificate to be used for a particular website:
- Open Keychain Access (in Applications/Utilities) and find your client certificate. Click the "My Certificates" category to easily see available client certificates.
- Control-click the certificate, then choose "New Identity Preference..." from the contextual menu.
- A sheet appears in the dialog. Type (or paste) the URL of the page that requires the certificate, exactly as it appears in Safari's location field (for example, "https://www.apache-ssl.org/cgi/cert-export").
  Note: With Mac OS X 10.5.4 or later, you may specify a partial URL to match any page on a server (for example, "https://www.apache-ssl.org/").
- Choose the certificate from the pop-up menu, then click Add to create the identity preference. (You may need to click the "All Items" category to view the newly created item.)
To change your decision about which client certificate to use for a particular website:
- Open Keychain Access (in Applications/Utilities) and find the identity preference item for the website in question. Tip: Click the "All Items" category and enter the website name in the search field in the upper right corner.
- Open the item and select a different certificate from the pop-up menu.
As an alternative to step 2, you can delete the identity preference item from the keychain. The next time you visit the site with Safari 3 you will be prompted to select your client certificate.