Re: [Fed-Talk] export CAC certificate(s) on Big Sur?
- Subject: Re: [Fed-Talk] export CAC certificate(s) on Big Sur?
- From: Jeff Haferman via Fed-talk <email@hidden>
- Date: Thu, 28 Jan 2021 10:52:24 -0800
Wow, thanks everyone.
I went to Edge on a Windows machine prior to all the responses and exported
the required CAC certificate in DER format (which is what was requested).
It looks like I could either install one of the apps mentioned, or use
the "security export-smartcard ..." step and then convert from PEM to DER.
And, interesting point regarding Catalina. I know for Mojave (10.14.x) and
earlier we were running CACkey middleware, though I have a new Mac since
those days. My colleague upgraded from 10.14 to 10.15, so perhaps CACkey is
somehow still in place there and allows him to see his CAC certificates in
keychain access. I'm not going to dwell on that.
I'm technical, so all of these solutions are fine for me. But, for
Enterprise use on the Mac, these solutions aren't super convenient for our
less technically inclined users.
On Thu, Jan 28, 2021 at 10:44 AM Blumenthal, Uri - 0553 - MITLL via
Fed-talk <email@hidden> wrote:
> Thanks, William.
>
>
>
> I found the “commercial” Smart Card Utility to do everything I need, with
> multiple tokens and multiple readers (e.g., CAC and Yubikey inserted at the
> same time).
>
>
>
> TokenShow.app is a true GUI app, and seems nice. Where it fails is when
> multiple tokens *or* even multiple readers are present. It would still
> export your cert(s) for you, but fails to “Change PIN” or display the
> remaining attempts, displaying “multiple tokens” text instead of a number.
>
>
>
> TNX
>
> --
>
> Regards,
>
> Uri
>
>
>
> *There are two ways to design a system. One is to make it so simple there
> are obviously no deficiencies.*
>
> *The other is to make it so complex there are no obvious deficiencies.*
>
> *- C. A. R. Hoare*
>
>
>
>
>
> *From: *William Cerniuk <email@hidden>
> *Date: *Thursday, January 28, 2021 at 13:39
> *To: *Fed Talk <email@hidden>
> *Cc: *Uri Blumenthal <email@hidden>
> *Subject: *Re: [Fed-Talk] export CAC certificate(s) on Big Sur?
>
>
>
> Leveraging Uri’s comment, I have found the app to be rather nice. I have
> not exercised it enough to determine if it is a GUI app or a real app; but
> in light duty, the ragged edges of a typical GUI app have not shown. (Is a
> good thing).
>
>
>
>
>
> --
>
> V/R,
>
> Wm. Cerniuk
>
>
>
> iPhone/FaceTime/iMessage/SMS Text: 703.505.0201
>
>
>
>
>
>
>
> On 28-Jan-2021, at 13:23, Blumenthal, Uri - 0553 - MITLL via Fed-talk <
> email@hidden> wrote:
>
>
>
> If you want GUI – search through the Apple App Store and get the app
> “Smart Card Utility”. It does what you need. You can test-drive it for
> almost a year, then the purchase cost is $9.99. I just bought it after my
> trial expired, because I liked it.
>
>
>
> Otherwise – do what Daniel suggested
>
>
>
> To export your certs, you can open Terminal.app and run the following:
>
>
>
> security export-smartcard -e ~/Desktop/
>
>
>
> This will save a .pem file for each certificate and public key to your
> Desktop. They will be named something like:
>
> Certificate for PIV Authentication (LASTNAME.FIRSTNAME.EDIPI).pem
>
> Certificate for Digital Signature (LASTNAME.FIRSTNAME.EDIPI).pem
>
> Certificate for Key Management (LASTNAME.FIRSTNAME.EDIPI).pem
>
> Public Key - Certificate for PIV Authentication (LASTNAME.FIRSTNAME.EDIPI).pem
>
> Public Key - Certificate for Digital Signature (LASTNAME.FIRSTNAME.EDIPI).pem
>
> Public Key - Certificate for Key Management (LASTNAME.FIRSTNAME.EDIPI).pem
>
>
>
>
>
> Or what Ken suggested
>
>
>
> If you really need to upload the whole certificate, well, you can find it
> under About This Mac -> System Reporter -> Software -> SmartCards.
> All of the certificates are displayed in PEM format and you can
> cut & paste them from there. I believe you can also use the "security"
> command to dump those certificates.
>
>
>
> If you have OpenSC installed, you can from the Terminal window
>
>
>
> pkcs15-tool --read-certificate 01
>
>
>
> for PIV Auth certificate (cut-n-paste the output, or redirect to a file).
>
> --
>
> Regards,
>
> Uri
>
>
>
> *There are two ways to design a system. One is to make it so simple there
> are obviously no deficiencies.*
>
> *The other is to make it so complex there are no obvious deficiencies.*
>
> *- C. A. R. Hoare*
>
>
>
>
>
> *From: *Jeff Haferman via Fed-talk <email@hidden>
> *Reply-To: *Jeff Haferman <email@hidden>
> *Date: *Thursday, January 28, 2021 at 12:45
> *To: *"email@hidden" <email@hidden>
> *Subject: *[Fed-Talk] export CAC certificate(s) on Big Sur?
>
>
>
>
> I need to register my CAC in order to access a DoD site
> (in this case https://piee.eb.mil/piee-landing/)
>
> Of course the instructions I received assumed an underlying Windows OS
> (use Active Client, Internet Explorer, or Edge).
>
> There is one section that says I can do it on a Chrome Browser, but Chrome
> ends up opening Keychain Access. When a colleague (on Catalina) does this,
> he can see his CAC in Keychain and export his certificates.
>
> On Big Sur, I don't see my CAC certificates. I'm assuming the cause is Big
> Sur, but I could be wrong.
>
> Should I be able to see my CAC certificates in Keychain Access on Big Sur?
> Or do I need to find a Windows machine?
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
>
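The PEM-to-DER step mentioned in this thread, as an added example that is not part of the original messages: it converts each `Certificate for ....pem` file written by `security export-smartcard -e` into a `.der` file, skips the `Public Key - ...` files, and returns a SHA-256 fingerprint per certificate for comparison against what the registering site shows. The function names and the assumption that each exported file holds one PEM certificate block are mine.

```python
# Added example (not from the thread); assumes the file naming quoted above.
import base64
import hashlib
import re
from pathlib import Path

# Only CERTIFICATE blocks are accepted; PUBLIC KEY blocks never match.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in pem_text."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # A certificate is a single ASN.1 SEQUENCE (tag 0x30) whose encoded
    # length must account for every byte; this catches truncated copies.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        header, body = 2, first
    else:                                 # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("DER length does not match payload size")
    return der


def convert_export_dir(export_dir: str) -> dict:
    """Write a .der beside each exported certificate; return name -> SHA-256."""
    results = {}
    # The glob is anchored at the start of the name, so "Public Key - ..." is skipped.
    for pem_path in sorted(Path(export_dir).glob("Certificate for *.pem")):
        der = pem_to_der(pem_path.read_text())
        der_path = pem_path.with_suffix(".der")
        der_path.write_bytes(der)
        results[der_path.name] = hashlib.sha256(der).hexdigest()
    return results


if __name__ == "__main__":
    for name, digest in convert_export_dir(str(Path.home() / "Desktop")).items():
        print(f"{digest}  {name}")
```

The length check only confirms the outer DER envelope is intact; it does not validate the certificate's contents or chain.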