Sunday, January 24, 2010

How-To: DOD CAC Card on Ubuntu 9.10 (Webmail, AKO, DKO)

Whenever I'm faced with a problem I first turn to Google. I used to go to a particular forum and just search that, but now the forum searches are used if Google doesn't find the answer first. Well, the other day I needed a way to use my CAC card at home. And I preferred to use it inside Ubuntu.

This is the article I used to configure my CAC: http://www.hrgeeks.com/2008/11/21/using-a-dod-cac-with-ubuntu-and-firefox/

Below I'm pasting the actual commands from the article above: (slightly modified as I noted some changes)
  • apt-get install libccid pcscd coolkey
  • In Firefox: Edit > Preferences > Advanced > Encryption > Security Devices > Load
  • Use "DoD CAC" for the module name and /usr/lib/pkcs11/libcoolkeypk11.so for the file.
  • Click OK on the next few popups. 
  • Back on the Security Devices page, insert your CAC, and make sure Login lights up. 
  • You may want to make sure you have the security device under DoD CAC selected.
If you can't get the login button to activate, you may need to update the CAC reader or get a new CAC reader. I chose to just buy a new keyboard with a CAC reader from Dell.

Go to http://dodpki.c3pki.chamb.disa.mil/rootca.html and select each of the certificate links, starting at the top. Firefox will prompt you for each one; just accept the prompts. If you are concerned that the DoD page has been tampered with, you can validate the certificates before accepting them, but that's up to you.
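One way to do that validation, as an added example that is not part of the original post or the linked article: save each certificate to disk first and compare its SHA-256 fingerprint with a reference value. The sketch assumes you have reference fingerprints from a source other than the download page itself; the file names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the download was PEM text or raw DER."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, lowercase hex without separators."""
    return hashlib.sha256(to_der(data)).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex (pass the hex value only)."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def check(downloads: dict, trusted: dict) -> dict:
    """Map each file name to 'ok', 'MISMATCH' or 'NO REFERENCE'."""
    result = {}
    for name, data in downloads.items():
        ref = trusted.get(name)
        if ref is None:
            result[name] = "NO REFERENCE"   # nothing to compare against
        elif fingerprint(data) == normalize(ref):
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"       # do not import this file
    return result


# Constructed stand-in bytes, not a real DoD certificate: the hash depends
# only on the bytes, so this is enough to exercise the comparison.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-root-ca" * 10
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    ref = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    trusted = {"root.cer": ":".join(ref[i:i + 2] for i in range(0, 64, 2)),
               "root.pem": ref, "altered.cer": ref}
    downloads = {"root.cer": SAMPLE_DER, "root.pem": SAMPLE_PEM,
                 "altered.cer": SAMPLE_DER + b"\x00", "extra.cer": SAMPLE_DER}
    for name, verdict in check(downloads, trusted).items():
        print(f"{name:12} {verdict}")
```

Import only the files reported as ok; a MISMATCH or NO REFERENCE result means the file should not be trusted as a root until it has been checked some other way.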

Finally go to the site you want to access (webmail, AKO, DKO, etc). For me I needed webmail. When I visited the site it asked me which certificate to use. I first selected the certificate that indicated it was for authentication. This didn't work and the site refused to work again. I undid this mistake by doing the following:
  • In Firefox: Edit > Preferences > Advanced > Encryption > View Certificates > Servers
  • Find the website in the list and delete it.
Now go back to the DoD site and choose the correct certificate. For webmail access it ended up being the email signing certificate.

Here is the official Ubuntu help page. It may have more guidance if you get stuck. I didn't find this page until now so I wasn't able to use it.
https://help.ubuntu.com/community/CommonAccessCard

To Do Another Day:
  • My browser asks for my PIN and for me to choose the certificate on every visit. Not bad, but I would like it to remember the certificate.
  • Enable email signing via webmail.
