I've got a user who's having some odd issues, and I'm told other users in our organization see similar issues, oddly, intermittently, inexplicably, etc. My user has a MacBook Pro running 10.7.5 with an SCR331 reader, and she had PKard 1.2. That was working for her, and then it wasn't. She complained that she could no longer access CAC-enabled sites. There was an error about her certs being rejected as being signed by "Unknown" (I don't have the verbatim error here; she isn't available right now).
My first thought was, she needs the DoD root and intermediate certs added to her keychain. I'm used to HAVING to add them to Windows and Linux machines, but every time this comes up, the response is kind of a vague, "Oh, Macs don't need that, it'll 'just work' without them", and I just don't understand how that could be. But, she was able to use her CAC previously without the DoD certs.
Anyway, I did get them added, but that didn't help. I was able to log on to my profile and use my CAC just fine. I had someone else help me (I'm new to OS X), and he wound up uninstalling PKard and installing OpenSC 0.12, and his CAC started working in her profile. But she couldn't use hers, so I created her a new profile, and she could use her CAC again, for a few days. Now she can't any more. I was discussing this with someone else, who says, "Oh, this is a known issue, it happens all the time, we haven't been able to find a particular solution that works, etc."
I was just poking around in my keychain a little to see what I could see. One thing I notice is, DOD CA-30, for example (which is the CA that signed the certs on my CAC), has a red warning, "This certificate has an invalid issuer". The issuer is "DoD Root CA 2", and that certificate shows up with a green "This certificate is valid". So I'm a little puzzled there. My CAC works just fine on this machine (also 10.7.5, and I'm using PKard 1.2).
I'm sure my overarching question probably has several possibly mostly-unrelated parts to it. I'm not a huge PKI expert, and I'm no Mac expert. It seems very possible that there are facets of PKI in general, or as implemented by DoD, that I'm lacking, as well as details about how Apple implements PKI. So, my ears are open to any suggestions, possibilities, etc.
--
John Oliver | SAIC
Defense & Maritime Solutions
Surveillance and Reconnaissance Solutions Division
SPAWAR Systems Center - Pacific | Code 53223
Sr. Systems Administrator
Bldg 600 | Room 428N
Office: (619) 553-9567
Mobile: (571) 481-0198
email@hidden
DCO: email@hidden