
The Definitive Source for Everything CAC

Common Access Card help for your

Personal Linux Computer

Also available at:

https://MilitaryCAC.com


LINUX SUPPORT PAGE

Linux support provided by Nathan Wolf

 

The US Department of Defense (DoD) now limits access to many of its websites to users who authenticate with a Common Access Card (CAC) and its Personal Identification Number (PIN).  The following guide will assist you in setting up your Linux computer to access CAC-enabled DoD websites.

Install the middleware

The Linux CAC Reader stack is based on a set of middleware called PCSC (Personal Computer Smart Card), written by the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project.

 

Software packages

In order to use the DoD CAC you must install the following packages:

  pcsc-lite - PCSC Smart Cards Library

  pcsc-ccid - generic USB CCID (Chip/Smart Card Interface Devices) driver

  perl-pcsc - Abstraction layer to smart card readers

  pcsc-tools - Optional but highly recommended, these tools are used to test a PCSC driver, card and reader

Note:  Be sure to select the package that corresponds with your distribution version.

The package / library name varies from one distribution to another, depending on the package maintainer.  For example, if you want to find the pcsc-lite package, enter into the search engine of your choice:

  pcsc lite yourdistribution

Replace yourdistribution with openSUSE, Fedora, or Ubuntu; whatever you are running.

 

PKCS #11 module

There are three working modules to access the PKCS #11 keys on your CAC.  Each has its strengths and limitations.  You will need to choose which version works best for you.  In most situations, CoolKey is preferred.

 

CoolKey

CoolKey is available through the openSUSE software repositories and, I'm sure, those of all major distributions.  This is arguably the most stable method for accessing your CAC.  The downside is that Dual Persona individuals who have activated their PIV certificate will not be able to access it, which means you will not be able to access your DoD Enterprise Email.  If you are not Dual Persona, this is by far the best module to use, as it is stable, accesses certificates quickly, and does not cause the pcsc daemon to hang.

Search for CoolKey on your distribution's software page.

 

CACkey

CACkey is available from DISA on the Forge.mil Linux development site.  It works, but is very slow to access the CAC certificates; the system will hang long enough that sites may time out.  It does work, and sometimes requires an untimely page refresh.  A machine with working CAC authentication is required for the DISA download.  Once obtained, the RPM installs without issue.

https://software.forge.mil/sf/frs/do/viewSummary/projects.community_cac/frs

Forge.mil hosts the CACkey package, but it requires CAC authentication to download the packages.  The easiest route may be to download everything on a CAC-enabled computer and then transfer it to the Linux computer via thumb drive.  Download the following from the forge.mil site:

- the latest version of CACkey

- the DoD configuration extension for Firefox has been deprecated and has been replaced with these instructions from DISA: https://iase.disa.mil/pki-pke/getting_started/Pages/linux.aspx

We recommend these be stored on AKO Files, Dropbox, portable media, or another location to ensure continued access.

This seems to be the most reliable option if you are dual persona.  CACkey was recently updated, which addressed the performance issues.

 

CACkey alternate download

This location is not CAC protected and has the source available for download as well.

http://cackey.rkeene.org/fossil/wiki?name=Downloads

 

OpenSC

OpenSC provides a set of utilities to access smart cards.  It facilitates their use in security applications such as email encryption, authentication, and digital signatures.  This module has a broader feature set than CoolKey or CACkey, and you are able to access your PIV certificate (for those individuals that are Dual Persona).  This module is speedy like CoolKey and doesn't lag like CACkey.  The downside is that this module does cause the pcsc daemon to require restarts from time to time.  This may be the best option if you are dual persona and do not wish to use CACkey from DISA.

Search for OpenSC within your distribution's software page.

If you find the pcsc daemon has crashed, run this in a terminal to restart it:

sudo systemctl restart pcscd

To check whether the daemon has indeed crashed, run this in a terminal:

pcsc_scan

If you remove and insert your card with no response during the scan, the daemon has crashed.

===================================================================

Smart Card Reader Driver

Without installing any additional drivers the following card readers are tested and work without issue:

SCR3310 by SCM Microsystems (Currently being issued to members by the US Army for use on personal computers)

SCR3500 by SCM Microsystems (Many members purchase this as a more compact alternative to the SCR3310)

O2 Micro, Inc (built into many Dell laptops)

Note: You may have to install additional drivers for your hardware.  Check your hardware and search using the key word pcsc.

 

Testing your Smart Card Driver

Open a terminal (e.g. konsole, xterm, or other) and type / enter:

pcsc_scan

Output similar to the following means the card reader is working properly.

PC/SC device scanner

V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>

Compiled with PC/SC lite version 1.8.8

using reader plug'n play mechanism

Scanning present readers...

0: O2 Micro Oz776 00 00

Sun Mar 24 11:40:07 2013

Reader 0: O2 Micro Oz776 00 00

 Card state: Card removed,

 

Output similar to this:

PC/SC device scanner

V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>

Compiled with PC/SC lite version: 1.8.8

Using reader plug'n play mechanism

Scanning present readers...

Waiting for the first reader...

 

indicates a need to check for additional driver requirements for your hardware.  Then check again to see if the PCSC daemon (pcscd) is running.
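As an added example (not from the MilitaryCAC.com page), the two checks above (is pcscd hung, and does pcsc_scan see a reader) combined into one POSIX shell script; it assumes coreutils timeout, systemd's systemctl and pcsc_scan's -n flag, and the sample outputs are constructed from the two cases shown above.

```shell
#!/bin/sh
# Added example, not from MilitaryCAC.com: tell a working reader from a
# missing CCID driver or a hung pcscd by reading pcsc_scan's output.

# Constructed samples, trimmed from the two pcsc_scan outputs shown above.
SAMPLE_READER_OK='Scanning present readers...
0: O2 Micro Oz776 00 00
Reader 0: O2 Micro Oz776 00 00
 Card state: Card removed,'

SAMPLE_NO_READER='Scanning present readers...
Waiting for the first reader...'

# classify_pcsc_output TEXT: print one of
#   card-present | reader-ok | no-reader | daemon-unresponsive
classify_pcsc_output() {
    text=$1
    if [ -z "$text" ]; then
        echo daemon-unresponsive        # nothing printed before the timeout
    elif printf '%s\n' "$text" | grep -q 'Waiting for the first reader'; then
        echo no-reader                  # pcscd runs but has no reader: check the driver
    elif printf '%s\n' "$text" | grep -q 'Card state:.*inserted'; then
        echo card-present
    elif printf '%s\n' "$text" | grep -q '^Reader [0-9]*:'; then
        echo reader-ok                  # reader enumerated, card not inserted
    else
        echo daemon-unresponsive        # header only: the scan never got a reader list
    fi
}

# check_reader: run pcsc_scan for five seconds (it never exits on its own),
# classify the result and restart pcscd if it looks hung. Assumes coreutils
# timeout, systemd, and pcsc_scan's -n flag (skip card name lookup).
check_reader() {
    out=$(timeout 5 pcsc_scan -n 2>/dev/null || true)
    state=$(classify_pcsc_output "$out")
    case $state in
        daemon-unresponsive)
            echo "pcscd looks hung; restarting it" >&2
            sudo systemctl restart pcscd ;;
        no-reader)
            echo "no reader found: check for an additional driver for your hardware" >&2 ;;
    esac
    echo "$state"
}
```

Source the script and run check_reader; it prints the state on stdout so it can be used from other scripts.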

 

Authority Certificates

Download, extract, and install the DoD certificates.

The certificates can be obtained from this link:

http://militarycac.com/maccerts/AllCerts.zip

Make note of the location where you stored these certificates.

 

Configure Firefox

Firefox requires manual selection of the PKCS #11 module.

The aforementioned DoD configuration extension has been deprecated and will no longer install into Firefox.

 

Import Certificates

The current method of installing the certificates is one by one.  This can be done through Firefox's import mechanism.

Firefox 56 and earlier

- Preferences > Advanced > Encryption > View Certificates

Firefox 75 and later

- Preferences > Privacy & Security

     - Scroll down to Security Section

     - Select View Certificates

Continue for all versions of Firefox

 - Select the Import... (button) at the bottom of the dialog 

 

The certificates that require installation are the following:

DOD CA-31 through DOD CA-32,

DOD EMAIL CA-31 through DOD EMAIL CA-34,

DOD EMAIL CA-39 through DOD EMAIL CA-44,

DOD EMAIL CA-49 through DOD EMAIL CA-52,

DOD ID CA-33 through DOD ID CA-34,

DOD ID CA-39 through DOD ID CA-44,

DOD ID CA-49 through DOD ID CA-52,

DOD ID SW CA-35 through DOD ID SW CA-38,

DOD ID SW CA-45 through DOD ID SW CA-48,

DOD SW CA-53 through DOD SW CA-58, and

DoD Root CA 2 through DoD Root CA 5

 

Set Firefox to Require Selection of Certificate

When accessing multiple CAC protected pages, some pages will require different certificates from the card. Some require the non-Email certificate while Enterprise Email will require the email certificate (or PIV for dual persona personnel). 

 

Firefox 56 and earlier

 - Preferences > Advanced > Encryption

   - Select the radio button in front of "Ask me every time."

 

Firefox 57 and later

 - Preferences > Privacy & Security  

   - Scroll down to Security Section

   - Below the Certificates heading, select the radio button in front of "Ask me every time."

 

Continue for All versions of Firefox

 - Check the left column.  It should show an entry similar to "CAC Module" with certificate(s) as a sub-item.  If it doesn't work, then the entries are wrong.

    - Select the entry and select Unload to remove the security device.

 - To install / reinstall the CAC driver in Firefox, use the Security Devices dialog listed above:

    - Select Load on the dialog box 

    - Module name should be something like:  DoD CAC

    - Module filename: either type in or browse to the location of the libcoolkeypk11.so, libcackey.so, or opensc-pkcs11.so drivers

    - The files will be located under either:

/usr/lib/

or

/usr/lib64/

 

Configure Chrome / Chromium

Unfortunately, Chrome (Chromium) doesn't automatically recognize the CAC once you've completed all the previous steps, but it doesn't take much more work to get Chrome to work with the CAC.

In order to utilize the CAC with Chrome, it is necessary to install mozilla-nss-tools.

While in a terminal in your home directory, run one of the two following commands as your user.

For 32-bit systems:

modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/libcoolkeypk11.so

For 64-bit systems:

 modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib64/libcoolkeypk11.so

(Note: On Ubuntu 16.04 and later, adjust the location of the file to match your specific installation.)

Make sure that the utility is properly installed

modutil -dbdir sql:.pki/nssdb/ -list

If it is properly installed, there will be an entry with "CAC Module" and details of the library, slot and status.  If you were not in your home directory when configuring modutil you will receive an error like "modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database."

Chrome should now be able to utilize the CAC without any issues
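As an added example (not from the MilitaryCAC.com page), a shell script that finds whichever module is installed, registers it with modutil using an absolute -dbdir so it works from any directory, and checks the result; it assumes mozilla-nss-tools is installed (the package is called libnss3-tools on Debian/Ubuntu) and the multiarch search paths are an assumption for Ubuntu/Debian layouts.

```shell
#!/bin/sh
# Added example, not from MilitaryCAC.com: find the PKCS #11 module and
# register it in the NSS database Chrome/Chromium reads, from any directory.

# Module files in the order this page prefers them: CoolKey, CACkey, OpenSC.
MODULE_NAMES='libcoolkeypk11.so libcackey.so opensc-pkcs11.so'

# Default search directories: /usr/lib and /usr/lib64 from the instructions
# above; the multiarch paths are an assumption for Ubuntu/Debian layouts.
DEFAULT_DIRS='/usr/lib64 /usr/lib /usr/lib64/pkcs11 /usr/lib/pkcs11
/usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu/pkcs11'

# find_pkcs11_module [DIR...]: print the first module found (CoolKey wins);
# return 1 when none of the three exists in any directory searched.
find_pkcs11_module() {
    dirs=${*:-$DEFAULT_DIRS}
    for name in $MODULE_NAMES; do
        for dir in $dirs; do
            if [ -f "$dir/$name" ]; then
                echo "$dir/$name"
                return 0
            fi
        done
    done
    return 1
}

# nssdb_has_module DBDIR NAME: succeed if modutil already lists NAME in DBDIR.
nssdb_has_module() {
    modutil -dbdir "sql:$1" -list 2>/dev/null | grep -q "$2"
}

# register_cac_module: add the module to $HOME/.pki/nssdb. The absolute -dbdir
# avoids the SEC_ERROR_BAD_DATABASE failure seen when run outside $HOME.
register_cac_module() {
    dbdir="$HOME/.pki/nssdb"
    lib=$(find_pkcs11_module) || { echo "no PKCS #11 module found" >&2; return 1; }
    if nssdb_has_module "$dbdir" "CAC Module"; then
        echo "CAC Module already registered in $dbdir"
        return 0
    fi
    # Chrome creates this database on first run; create it if it is missing.
    if [ ! -f "$dbdir/cert9.db" ]; then
        mkdir -p "$dbdir" && modutil -force -dbdir "sql:$dbdir" -create
    fi
    # -force skips modutil's interactive "browser must be closed" prompt.
    modutil -force -dbdir "sql:$dbdir" -add "CAC Module" -libfile "$lib"
    modutil -dbdir "sql:$dbdir" -list
}
```

Close Chrome before running register_cac_module, since NSS refuses to modify a database another process has open.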

 

Removing CAC Module

If you have previously installed libcackey.so and you wish to utilize CoolKey instead, you will have to unload the "CAC Module."

modutil -dbdir sql:.pki/nssdb/ -delete "CAC Module"

 

Test your browser

Go to a CAC-enabled website (https://www.us.army.mil) and test CAC login.

Be patient, as there may be a delay while authenticating with the CAC

The PIN and certificate selection authentication process is in reverse order from what you may be used to when using non-Linux computers.  Expect to be prompted first for your PIN, then for the certificate.

 

Additional Notes

The Defense Travel System (DTS) http://www.defensetravel.osd.mil no longer requires Java installed to function correctly.

If you have trouble with IcedTea (https://software.opensuse.org/package/icedtea-web), see your distribution's notes on how to install Java properly on your system.

See the openSUSE example here as a reference:  SDB:Installing Java (https://en.opensuse.org/sdb:installing_java)

If you have previously used the CACkey module for accessing DTS and now use Coolkey, you will have to edit the configuration file:

$HOME/.DBsign/UWC/DBsign.cfg

Alter the line that contains the following information (/usr/lib64/ for 64-bit and /usr/lib/ for 32-bit):

<param name="pkcs11_library">/usr/lib64/libcackey.so</param>

It should reflect the CoolKey module:

<param name="pkcs11_library">/usr/lib64/libcoolkeypk11.so</param>
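As an added example (not from the MilitaryCAC.com page), a small function that makes the DBsign.cfg edit above with a backup and a check that the new module file actually exists; it assumes the line uses the <param name="pkcs11_library"> element as shown above and GNU sed (for -i).

```shell
#!/bin/sh
# Added example, not from MilitaryCAC.com: point DBsign at a different
# PKCS #11 module without editing DBsign.cfg by hand.

# set_dbsign_pkcs11 CFG LIB: rewrite the pkcs11_library param in CFG to LIB.
# Keeps CFG.bak; returns 1 if LIB does not exist or CFG has no such line.
set_dbsign_pkcs11() {
    cfg=$1
    lib=$2
    [ -f "$lib" ] || { echo "module not found: $lib" >&2; return 1; }
    grep -q '<param name="pkcs11_library">' "$cfg" \
        || { echo "no pkcs11_library line in $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak"
    # '|' as the sed delimiter because the replacement path contains slashes
    sed -i "s|\(<param name=\"pkcs11_library\">\)[^<]*\(</param>\)|\1$lib\2|" "$cfg"
    # succeed only if the rewritten line is really there now
    grep -q "<param name=\"pkcs11_library\">$lib</param>" "$cfg"
}
```

For the case in the text: set_dbsign_pkcs11 "$HOME/.DBsign/UWC/DBsign.cfg" /usr/lib64/libcoolkeypk11.so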

 

External Links

Forge.mil

https://software.forge.mil/sf/frs/do/viewSummary/projects.community_cac/frscackey

Site contains CACkey in order to allow Firefox to access the CAC through the reader.  (Please remember this link needs to be accessed from an already CAC-enabled computer.)

openSUSE

openSUSE Wiki DoD CAC Installation Guide

openSUSE Support Database Installing SDB:Installing Java

Fedora

https://fedoramagazine.org/use-dod-smartcards-access-cac-enabled-websites

https://cubiclenate.com/linux/applications/utilities/dod-cac-fedora/

Linux Mint

"Olivia" installation guide (provided by Tim Friend)

"Petra" installation guide (provided by Wayne Moore)

https://cubiclenate.com/linux/applications/utilities/dod-cac-ubuntu-linuxmint

Ubuntu

https://help.ubuntu.com/community/CommonAccessCard

http://insomniathynameis.blogspot.com/2018/03/linux-smart-cards-rare-technical.html (provided by Gabriel Rigall)

https://cubiclenate.com/linux/applications/utilities/dod-cac-ubuntu-linuxmint


 

Debian

https://wiki.debian.org/Smartcards



Solus

https://cubiclenate.com/linux/applications/utilities/dod-cac-reader-solus

  

Using Linux with your CAC links on Google

 


Last Update or Review:  Friday, 20 April 2018 09:18 hrs

 

The following domain names all resolve to the same website:  ChiefsCACSite.com, CommonAccessCard.us, CommonAccessCard.info, & ChiefGeek.us