This page is woefully out of date and needs to be updated. This will happen at some point but for the time being, use it as a reference to aid you in the process.
Preface
The US Department of Defense (DoD) now limits access to many of its websites to users who authenticate with a smart Common Access Card (CAC) and a Personal Identification Number (PIN). The following is a guide to assist in setting up Linux Mint to access CAC-enabled DoD websites.
Install the Middleware and PKCS #11 Module
The Linux CAC Reader stack is based on a set of middleware called PCSC (Personal Computer Smart Card), written by the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project.
Enter this into Terminal and execute:
sudo eopkg install pcsc-lite perl-pcsc pcsc-tools ccid opensc
Start Up the Daemon
In Terminal:
sudo systemctl start pcscd
sudo systemctl enable pcscd
Testing your Smart Card Driver
Open a terminal (e.g. konsole, xterm or another emulator), type the following and press Enter. You might have to insert a smart card before the message appears.
pcsc_scan
Output similar to the following means the card reader is working properly:
PC/SC device scanner V 1.4.18 (c) 2001-2011, Ludovic Rousseau
Compiled with PC/SC lite version: 1.8.8
Using reader plug'n play mechanism
Scanning present readers...
0: O2 Micro Oz776 00 00
Sun Mar 24 11:40:07 2013
Reader 0: O2 Micro Oz776 00 00
  Card state: Card removed
Output similar to this indicates a need to check for additional driver requirements for your hardware:
PC/SC device scanner V 1.4.18 (c) 2001-2011, Ludovic Rousseau
Compiled with PC/SC lite version: 1.8.8
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
Authority Certificates
Download, extract and install the DoD certificates.
The certificates can be obtained from this link:
https://militarycac.com/maccerts/AllCerts.zip
Make note of the location where you stored these certificates.
Configure Firefox
Firefox requires manual selection of the PKCS #11 module.
Import Certificates
The current method of installing the certificates is one-by-one, through Firefox's import mechanism.
Preferences > Privacy & Security
Scroll Down to Security Section
Select View Certificates
Select the Import… button at the bottom of the dialog and install the following certificates:
- DOD CA-27 through DOD CA-32
- DOD EMAIL CA-27 through DOD EMAIL CA-34
- DOD EMAIL CA-39 through DOD EMAIL CA-44
- DOD ID CA-33 through DOD ID CA-34
- DOD ID CA-39 through DOD ID CA-44
- DOD ID SW CA-35 through DOD ID SW CA-38
- DOD ID SW CA-45 through DOD ID SW CA-48
- DoD Root CA 2 through DoD Root CA 4
Set Firefox to Require Selection of Certificate
When accessing multiple CAC protected pages, some pages will require different certificates from the card. Some require the non-email certificate while Enterprise Email will require the email certificate.
Preferences > Privacy & Security
Scroll Down to Security Section
Below the Certificates heading, select the radio button in front of “Ask me every time.”
Set CAC Module
Open Preferences > Privacy & Security
Scroll Down to Security Section
Select Security Devices
Check the left column. It should show an entry similar to “CAC Module” with the card's certificate(s) listed as sub-items. If the CAC does not work, these entries are misconfigured.
Select the entry and select Unload to remove the security device.
To install or reinstall the CAC driver in Firefox from the Security Devices dialog described above:
Select Load on the dialog box
Module name should be something like: DoD CAC
Module filename: either type in or browse to the location of the opensc-pkcs11.so module
Example:
/usr/lib64/opensc-pkcs11.so
Configure Chrome / Chromium
Unfortunately, Chrome (Chromium) doesn't automatically recognize the CAC once you've completed all the previous steps, but it doesn't take much more work to get Chrome working with the CAC.
In Terminal:
modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib64/opensc-pkcs11.so
Make sure that the utility is properly installed, in Terminal:
modutil -dbdir sql:.pki/nssdb/ -list
If it is properly installed there will be an entry with “CAC Module” and details of the library, slot and status. If you were not in your home directory when configuring modutil you will receive an error like:
"modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database."
Chrome should now be able to utilize the CAC without any issues.
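The same registration as a re-runnable script, added here as an example and not part of the original guide: it uses an absolute NSS database path so it does not depend on the current directory, creates the database if Chrome has never been run, and confirms the result by parsing the output of modutil -list. The ~/.pki/nssdb and /usr/lib64/opensc-pkcs11.so locations and the OPENSC_PKCS11 override variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumed locations:
# Chrome's NSS DB at ~/.pki/nssdb and OpenSC at /usr/lib64/opensc-pkcs11.so.
NSSDB="sql:${HOME}/.pki/nssdb"
MODULE_NAME="CAC Module"
MODULE_LIB="${OPENSC_PKCS11:-/usr/lib64/opensc-pkcs11.so}"

# nssdb_module_status TEXT NAME: given the text of `modutil -list`, print
# "<status> <library path>" for the module called NAME, or nothing if it is
# not registered. Pure text processing, so it can be checked without a reader.
nssdb_module_status() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^ *[0-9]+\. / { sub(/^ *[0-9]+\. /, ""); inmod = ($0 == name); lib = ""; next }
        inmod && /library name:/ { sub(/.*library name: */, ""); lib = $0 }
        inmod && /status:/ { sub(/.*status: */, ""); print $0 (lib ? " " lib : ""); exit }
    '
}

# cac_module_install: create the NSS DB if Chrome has never been run, then add
# the module only once, since modutil rejects a second module with the same name.
cac_module_install() {
    if [ ! -f "${HOME}/.pki/nssdb/cert9.db" ]; then
        mkdir -p "${HOME}/.pki/nssdb"
        certutil -d "$NSSDB" -N --empty-password
    fi
    if [ -n "$(nssdb_module_status "$(modutil -dbdir "$NSSDB" -list 2>/dev/null)" "$MODULE_NAME")" ]; then
        echo "$MODULE_NAME is already registered in $NSSDB"
    else
        # -force skips modutil's "close your browser first" confirmation prompt
        modutil -dbdir "$NSSDB" -add "$MODULE_NAME" -libfile "$MODULE_LIB" -force
    fi
}

# Constructed sample of `modutil -list` output (not captured from a real
# system), used to exercise the parser offline.
SAMPLE_LIST='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
    status: loaded

  2. CAC Module
    library name: /usr/lib64/opensc-pkcs11.so
    status: loaded
-----------------------------------------------------------'

case "${1:-}" in
    install) cac_module_install ;;
    check)   nssdb_module_status "$(modutil -dbdir "$NSSDB" -list)" "$MODULE_NAME" ;;
    demo)    nssdb_module_status "$SAMPLE_LIST" "$MODULE_NAME" ;;  # prints: loaded /usr/lib64/opensc-pkcs11.so
esac
```

Run it as `sh cac-nss.sh install` with Chrome closed, then `sh cac-nss.sh check` should print `loaded` followed by the module path.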
Removing CAC Module
If you have previously installed libcackey.so and you wish to utilize CoolKey instead, you will have to unload the “CAC Module”:
modutil -dbdir sql:.pki/nssdb/ -delete "CAC Module"
Test out your browser
Go to a CAC-enabled web site (www.us.army.mil) and test the CAC login.
Be patient as there may be a delay while authenticating with the CAC.
The PIN and certificate selection authentication process is the reverse of what you may be used to on non-Linux machines. Expect to be prompted first for the PIN and then for certificate selection.
Troubleshooting
At any time, if you don't seem to get a response from the smart card, check whether the daemon is active by executing this in a terminal:
pcsc_scan
If you remove and insert your card with no response during the scan, the daemon has crashed. If the pcsc daemon has crashed, run this in a terminal to restart it:
sudo systemctl restart pcscd