On Thu, 2014-12-04 at 11:30 -0500, m.roth at 5-cent.us wrote:
> Cal Webster wrote:
> > On Thu, 2014-12-04 at 08:08 -0500, mark wrote:
> >> On 12/03/14 17:34, Cal Webster wrote:
> >> > Can anyone help with getting the new DoD CACs (Smart Card) to work in
> >> > CentOS 6.6? I don't use it for console logins, only for email and .mil
> >> > web sites.
> >> >
> >> > I recently had to get a new DoD CAC (Smart Card) when one of the
> >> > buildings I work in upgraded their security system. My old CAC was
> >> > working fine prior to this for signing and encrypting email and for
> >> > authenticating to various DoD (.mil) sites from the Internet using the
> >> > coolkey libraries.
> >>
> >> Dunno 'bout the new CaC keys, but they "upgraded" our PIV cards to 128?
> >> 256? I forget, earlier this year, and I *think* I remember my manager
> >> pushing an enhancement on upstream, and since then we've had no trouble
> >> with coolkey accessing them. The two *should* be identical.
> >
> > Was source for this upstream enhancement released to the community? Not
>
> Yup. We have a few RHEL licenses, so he could push for the enhancement. It
> was released, and we were using it with CentOS 6.5.

It must have been in the coolkey-1.1.0-32 update.

Build Date: Wed 15 Oct 2014 11:11:10 AM EDT
Install Date: Wed 29 Oct 2014 05:04:04 AM EDT

> > sure what you meant by "The two" - you mean coolkey and cackey?
>
> Nope. We don't use cackey.
>
> >> <snip>
> >> > I've tried installing and loading the latest "cackey" libraries (see
> >>
> >> I know nothing about cackey libraries, but it's possible that, and pcscd
> >> are arguing.
> >>
> >> I don't see pcscd installed.
> >
> > pcsc-lite-1.5.2-14.el6.x86_64 (listed on original post) contains pcscd.
> > Sure that's possible but I see nothing to support that in the system
> > logs
>
> Watch out that opensc that *doesn't* come with pcscd isn't loaded. Oh,
> also, new card - do you have a new CA chain? Is that installed?
> <snip>
>
> mark, who got a new card a few weeks ago, and had to deal with the
> CA change from Verizon to Entrust....

Yes, I learned to avoid opensc years ago when we first set up the CACs.

A missing CA cert turned out to be the problem. I checked after Jason
Pyeron was kind enough to mention "MAIL CA-32" listed on my CAC cert
lookup. Sure enough, it was missing in the Firefox CA store but present
in the Thunderbird store. This explains why I could sign and encrypt
email but not access .mil web sites.

When I used the dod_configuration mozilla add-on to update the certs I
assumed it would get them all. Apparently not. In fact, I think it
deleted this cert because I recorded everything on my previous CAC
before getting the new one. It was also using CA-32.

I ended up just exporting the cert from Thunderbird and importing it
into Firefox.

./Cal
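An added example for the fix Cal describes (a CA present in the Thunderbird NSS store but missing from the Firefox one, exported from one and imported into the other). This is not code from the thread; it is an editor's script around certutil from nss-tools. It assumes the two profile directories are passed on the command line, that the intermediate is nicknamed "DOD EMAIL CA-32", and the certutil -L listings embedded below are constructed samples, not output from anyone's profile. Rather than copying one known cert, it diffs the two stores and copies every CA the destination lacks, carrying over the trust flags the source had.

```shell
#!/bin/sh
# Added example, not from the thread: find CA certificates that one NSS
# database (say the Thunderbird profile) holds and another (the Firefox
# profile) lacks, and copy them across with certutil from nss-tools.
# Profile paths and the "DOD EMAIL CA-32" nickname are assumptions.

# Turn "certutil -L -d DB" output into one "nickname<TAB>trust" line per
# certificate. The listing starts with two header lines and a blank line;
# after that each line is the nickname (which may contain spaces) padded
# out to a trust column such as CT,C,C or u,u,u in the last field.
nss_parse_listing() {
    awk 'BEGIN { header = 1 }
         header  { if (NF == 0) header = 0; next }   # skip until the blank line
         NF == 0 { next }
         {
             trust = $NF
             nick = $0
             sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trust column
             print nick "\t" trust
         }'
}

# Given two parsed listings (source, destination) as strings, print the
# source entries the destination lacks. Entries whose trust contains "u"
# have a private key in the source DB (your own CAC certificates) and are
# not CAs, so they are skipped.
nss_missing_cas() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$1" | awk -F'\t' '
        NR == FNR     { have[$1] = 1; next }   # first file: destination nicknames
        $1 == ""      { next }
        $2 ~ /u/      { next }                 # user cert, not a CA
        !($1 in have) { print $1 "\t" $2 }
    ' "$tmp" -
    rm -f "$tmp"
}

# Export each missing CA from the source DB as PEM and import it into the
# destination with the same trust flags the source assigned it. Profiles
# with cert8.db (Firefox/Thunderbird on CentOS 6) take a plain directory;
# newer cert9.db profiles need the "sql:" prefix on the -d argument.
nss_copy_missing_cas() {   # usage: nss_copy_missing_cas SRC_DB DST_DB
    src=$(certutil -L -d "$1" | nss_parse_listing)
    dst=$(certutil -L -d "$2" | nss_parse_listing)
    nss_missing_cas "$src" "$dst" | while IFS="$(printf '\t')" read -r nick trust; do
        echo "importing '$nick' with trust $trust"
        certutil -L -d "$1" -n "$nick" -a | certutil -A -d "$2" -n "$nick" -t "$trust" -a
    done
}

# Constructed sample listings in the shape certutil -L prints (not real
# output from anyone's profile): the mail client has the intermediate CA,
# the browser does not.
SAMPLE_TB_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOD EMAIL CA-32                                              CT,C,C
DoD Root CA 2                                                CT,C,C
CAC Email Signature                                          u,u,u'

SAMPLE_FF_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DoD Root CA 2                                                CT,C,C'

# Dry run on the samples: prints the nickname and trust the copy step would use.
demo_missing() {
    nss_missing_cas "$(printf '%s\n' "$SAMPLE_TB_LISTING" | nss_parse_listing)" \
                    "$(printf '%s\n' "$SAMPLE_FF_LISTING" | nss_parse_listing)"
}

# Real run only when two profile directories are given, e.g.
#   sh nss-sync-ca.sh ~/.thunderbird/xxxx.default ~/.mozilla/firefox/xxxx.default
if [ "$#" -eq 2 ]; then
    nss_copy_missing_cas "$1" "$2"
else
    demo_missing
fi
```

Close Firefox and Thunderbird before running it against real profiles, since both hold their cert database open while running. Afterwards `certutil -L -d PROFILE -n "DOD EMAIL CA-32"` on the destination shows the imported certificate, and the "u" filter is what keeps the script from dragging your own CAC identity entries into the browser store.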