I've got a user who's having some odd issues, and I'm told other users in our organization see similar issues, oddly, intermittently, inexplicably, etc. My user has a MacBook Pro running 10.7.5 with an SCR331 reader, and she had PKard 1.2. That was working for her, and then it wasn't. She complained that she could no longer access CAC-enabled sites. There was an error about her certs being rejected as being signed by "Unknown" (I don't have the verbatim error here; she isn't available right now).

My first thought was, she needs the DoD root and intermediate certs added to her keychain. I'm used to HAVING to add them to Windows and Linux machines, but every time this comes up, the response is kind of a vague, "Oh, Macs don't need that, it'll 'just work' without them", and I just don't understand how that could be. But she was able to use her CAC previously without the DoD certs.

Anyway, I did get them added, but that didn't help. I was able to log on to my profile and use my CAC just fine. I had someone else help me (I'm new to OS X), and he wound up uninstalling PKard and installing OpenSC 0.12, and his CAC started working in her profile. But she couldn't use hers, so I created her a new profile, and she could use her CAC again, for a few days. Now she can't any more. I was discussing this with someone else, who says, "Oh, this is a known issue, it happens all the time, we haven't been able to find a particular solution that works, etc."

I was just poking around in my keychain a little to see what I could see. One thing I notice is, DOD CA-30, for example (which is the CA that signed the certs on my CAC), has a red warning, "This certificate has an invalid issuer". The issuer is "DoD Root CA 2", and that certificate shows up with a green "This certificate is valid". So I'm a little puzzled there. My CAC works just fine on this machine (also 10.7.5, and I'm using PKard 1.2).

I'm sure my overarching question probably has several possibly mostly-unrelated parts to it. I'm not a huge PKI expert, and I'm no Mac expert. It seems very possible that there are facets of PKI in general, or as implemented by DoD, that I'm lacking, as well as details about how Apple implements PKI. So, my ears are open to any suggestions, possibilities, etc.
--
John Oliver | SAIC
Defense & Maritime Solutions
Surveillance and Reconnaissance Solutions Division
SPAWAR Systems Center - Pacific | Code 53223
Sr. Systems Administrator
Bldg 600 | Room 428N
Office: (619) 553-9567
Mobile: (571) 481-0198
email@hidden
email@hidden
DCO: email@hidden