Re: [Fed-Talk] CACs and DoD certs on Macs
- Subject: Re: [Fed-Talk] CACs and DoD certs on Macs
- From: "Villano, Paul Mr CIV USA TRADOC" <email@hidden>
- Date: Tue, 13 Nov 2012 13:05:04 -0500
This happened to me as well. I discovered that there was a disclaimer page
that my SCR reader (same series) shouldn't have worked in the first place
with software updates. I had chalked it up to having dropped the reader but
whether that was an issue or not it wouldn't have worked anyway I don't
believe. It was a moot point for me because I discovered the Thursby reader
for iPads and iPhones which I much preferred anyway and which works like a
charm (literally since it hangs off the device). :)
-----Original Message-----
From: fed-talk-bounces+paul.villano=email@hidden
[mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf
Of Oliver, John Jr Mr CTR OSD USA
Sent: Friday, November 09, 2012 12:11 PM
To: email@hidden
Subject: [Fed-Talk] CACs and DoD certs on Macs
I've got a user who's having some odd issues, and I'm told other users in
our organization see similar issues, oddly, intermittently, inexplicably,
etc. My user has a MacBook Pro running 10.7.5 with an SCR331 reader and she
had PKard 1.2. That was working for her, and then it wasn't. She complained
that she could no longer access CAC-enabled sites. There was an error about
her certs being rejected as being signed by "Unknown" (I don't have the
verbatim error here, she isn't available right now).
My first thought was, she needs the DoD root and intermediate certs added to
her keychain. I'm used to HAVING to add them to Windows and Linux machines,
but every time this comes up, the response is kind of a vague, "Oh, Macs
don't need that, it'll 'just work' without them", and I just don't
understand how that could be. But, she was able to use her CAC previously
without the DoD certs.
Anyway, I did get them added, but that didn't help. I was able to log on to
my profile and use my CAC just fine. I had someone else help me (I'm new to
OS X), and he wound up uninstalling PKard and installing OpenSC 0.12, and
his CAC started working in her profile. But she couldn't use hers, so I
created her a new profile, and she could use her CAC again, for a few days.
Now she can't any more. I was discussing this with someone else, who says,
"Oh, this is a known issue, it happens all the time, we haven't been able to
find a particular solution that works, etc."
I was just poking around in my keychain a little to see what I could see.
One thing I notice is, DOD CA-30, for example (which is the CA that signed
the certs on my CAC) has a red warning, "This certificate has an invalid
issuer". The issuer is "DoD Root CA 2", and that certificate shows up with
a green "This certificate is valid". So I'm a little puzzled there. My CAC
works just fine on this machine (also 10.7.5, and I'm using PKard 1.2).
I'm sure my overarching question probably has several possibly
mostly-unrelated parts to it. I'm not a huge PKI expert, and I'm no Mac
expert. It seems very possible that there are facets of PKI in general,
or as implemented by DoD, that I'm lacking, as well as details about how
Apple implements PKI. So, my ears are open to any suggestions,
possibilities, etc.
--
John Oliver | SAIC
Defense & Maritime Solutions
Surveillance and Reconnaissance Solutions Division
SPAWAR Systems Center - Pacific | Code 53223
Sr. Systems Administrator
Bldg 600 | Room 428N
Office: (619) 553-9567
Mobile: (571) 481-0198
email@hidden
email@hidden
DCO: email@hidden