On Thu, 2014-12-04 at 11:30 -0500, m.roth@5-cent.us wrote:
Cal Webster wrote:
On Thu, 2014-12-04 at 08:08 -0500, mark wrote:
On 12/03/14 17:34, Cal Webster wrote:
Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites.
I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries.
Dunno 'bout the new CaC keys, but they "upgraded" our PIV cards to 128? 256? I forget, earlier this year, and I *think* I remember my manager pushing an enhancement on upstream, and since then we've had no trouble with coolkey accessing them. The two *should* be identical.
Was source for this upstream enhancement released to the community?
Yup. We have a few RHEL licenses, so he could push for the enhancement. It was released, and we were using it with CentOS 6.5.
It must have been in the coolkey-1.1.0-32 update.
Build Date: Wed 15 Oct 2014 11:11:10 AM EDT
Install Date: Wed 29 Oct 2014 05:04:04 AM EDT
Not sure what you meant by "The two" - you mean coolkey and cackey?
Nope. We don't use cackey.
<snip>
> I've tried installing and loading the latest "cackey" libraries (see
I know nothing about cackey libraries, but it's possible that it and pcscd are arguing.
I don't see pcscd installed.
pcsc-lite-1.5.2-14.el6.x86_64 (listed on original post) contains pcscd. Sure, that's possible, but I see nothing to support that in the system logs.
Watch out that opensc that *doesn't* come with pcscd isn't loaded. Oh, also, new card - do you have a new CA chain? Is that installed?
<snip>
mark, who got a new card a few weeks ago, and had to deal with the CA change from Verizon to Entrust....
Yes, I learned to avoid opensc years ago when we first set up the CACs.
A missing CA cert turned out to be the problem. I checked after Jason Pyeron was kind enough to mention "MAIL CA-32" listed on my CAC cert lookup. Sure enough, it was missing in the Firefox CA store but present in the Thunderbird store. This explains why I could sign and encrypt email but not access .mil web sites. When I used the dod_configuration mozilla add-on to update the certs I assumed it would get them all. Apparently not. In fact, I think it deleted this cert because I recorded everything on my previous CAC before getting the new one. It was also using CA-32. I ended up just exporting the cert from Thunderbird and importing it into Firefox.
./Cal
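The failure mode Cal describes (the same certificate validates in one Mozilla product but not the other because one trust store is missing the issuing CA) and the fix he applied (export the CA from the store that has it, import it into the one that lacks it) can be reproduced outside a browser. The script below is an added example, not code from the thread or from the coolkey or cackey projects. It uses OpenSSL PEM bundles as stand-ins for the two NSS stores, builds a constructed root CA, issuing CA and user certificate, and the CA name "Example Issuing CA 32" is a constructed placeholder, not the DoD CA the thread refers to as "MAIL CA-32".

```shell
#!/bin/sh
# Added example, not from the thread: reproduce a user certificate that
# verifies against one trust store but not another because the issuing CA
# is missing from the second, then apply the thread's fix (export the CA
# from the store that has it, import it into the one that lacks it).
# All certificates are constructed test material.
set -eu

WORK="${TMPDIR:-/tmp}/ca-store-demo.$$"
mkdir -p "$WORK"

# Build a three-tier chain: root CA -> issuing CA -> user certificate.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/user.ext"
    # Root CA: a CSR signed with its own key (works on old and new OpenSSL releases)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Org/CN=Example Root CA 1" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
    # Issuing CA, signed by the root (constructed stand-in name)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Org/CN=Example Issuing CA 32" \
        -keyout "$WORK/ica.key" -out "$WORK/ica.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$WORK/ica.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/ica.pem" >/dev/null 2>&1
    # User (end-entity) certificate, signed by the issuing CA
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Org/CN=EXAMPLE.USER.1234567890" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$WORK/user.csr" -CA "$WORK/ica.pem" -CAkey "$WORK/ica.key" \
        -CAcreateserial -extfile "$WORK/user.ext" -out "$WORK/user.pem" >/dev/null 2>&1
}

# Two PEM bundles standing in for the two trust stores: the "browser" store
# only has the root installed, the "mail" store has root plus issuing CA.
make_stores() {
    cp "$WORK/root.pem" "$WORK/browser-store.pem"
    cat "$WORK/root.pem" "$WORK/ica.pem" > "$WORK/mail-store.pem"
}

# Does bundle $1 contain a certificate whose subject CN is $2? (exit 0 = yes)
# crl2pkcs7 | pkcs7 -print_certs lists every certificate in a bundle.
store_has_ca() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | grep -q "subject=.*CN *= *$2"
}

# Does the user certificate build a chain to bundle $1? (exit 0 = verified)
verify_user_cert() {
    openssl verify -CAfile "$1" "$WORK/user.pem" >/dev/null 2>&1
}

# Export the certificate with subject CN $2 from bundle $1 into file $3.
export_ca_from_store() {
    rm -rf "$WORK/split"; mkdir -p "$WORK/split"
    awk -v dir="$WORK/split" '/BEGIN CERT/{n++} {print > (dir "/" n ".pem")}' "$1"
    for f in "$WORK/split"/*.pem; do
        if openssl x509 -noout -subject -in "$f" | grep -q "CN *= *$2"; then
            cp "$f" "$3"
            return 0
        fi
    done
    return 1
}

# Walk through the thread's symptom, diagnosis and fix; exit 0 when fixed.
demo() {
    build_chain
    make_stores
    # Symptom: the same user certificate verifies against one store but not the other.
    if verify_user_cert "$WORK/browser-store.pem"; then return 1; fi
    verify_user_cert "$WORK/mail-store.pem" || return 1
    # Diagnosis: the issuing CA is present in one bundle and absent from the other.
    store_has_ca "$WORK/mail-store.pem" "Example Issuing CA 32" || return 1
    if store_has_ca "$WORK/browser-store.pem" "Example Issuing CA 32"; then return 1; fi
    # Fix: export the CA from the store that has it and append it to the one that lacks it.
    export_ca_from_store "$WORK/mail-store.pem" "Example Issuing CA 32" "$WORK/exported-ca.pem"
    cat "$WORK/exported-ca.pem" >> "$WORK/browser-store.pem"
    verify_user_cert "$WORK/browser-store.pem"
}

demo && echo "user certificate now verifies against both stores"
```

On a real CentOS box the two stores are the NSS databases in the Firefox and Thunderbird profile directories rather than PEM files; the same listing, export and import steps are done there with certutil from the nss-tools package, and a CA that is absent from one database and present in the other is the check to run first before suspecting the smart-card middleware.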