DoD Common Access Card and other smartcards on Unix
- Install the DoD root certificates:
- Download the DoD root certificates. Visit the DoD PKI/PKE Document Library, and download the target of the link “PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.6”.
- Unzip the downloaded package, and enter the unzipped directory.
- Copy the certificates to the system directory:
cp DoD_PKE_CA_chain.pem /etc/pki/ca-trust/source/anchors/.
- Update the CA trust store:
- Install the necessary packages:
yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools
- Start the PC/SC daemon:
systemctl start pcscd
- Configure the system to start the PC/SC daemon each time it boots:
systemctl enable pcscd.service
DoD Common Access Card
This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.
- Insert your CAC into the smart-card reader
- Introduce the PC/SC interface to Firefox:
Privacy & Security
- Name the module something like
CAC Supportand select
- Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database:
certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb
pkcs11_inspect debug, and look for
Printing data for ...
/etc/pam_pkcs11/subject_mappingto contain something like
CN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output from
pkcs11_inspectand username with the corresponding UNIX username
First, complete the following steps:
- Install the necessary packages:
yum install dirmngr gnupg2-smime gnupg-pkcs11-scd
- Add the following to
providers p1 provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so emulate-openpgpg openpgp-sign hash openpgp-encr hash openpgp-auth hash
Replace hash with the output from
echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)
- Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/
A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:
- Set the PIN of the smartcard (the default is 000000)
- Set the administrative key of the smartcard (the default is 000000000000000000000000)
- Load a PKCS#12 certificate/key onto the smartcard
The PIVKey C910 supports a number of key slots which are defined by various standards:
|9A||Authentication (e.g., system logins)|
|9D||Key management (encryption)|
|9E||Card authentication; does not require PIN (e.g., door locks)|
You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:
- PivKeyTool.exe --listmd
- List the certificates/keys present on the smartcard.
- PivKeyTool.exe --listpiv
- List the mappings between certificate IDs and key slots.
- PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e
- Establish a mapping between a certificate ID and key slot.
Smart-card-related GnuPG commands
Once you have installed and configured GnuPG, you might find the following commands helpful:
- gpg2 --card-status
- Test the interoperability between GnuPG and the CAC
- gpgsm --import DODCA_29.cer DODEMAILCA_29.cer
- Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
- gpgsm --import name.cer
- Import the personal certificate downloaded from https://dod411.gds.disa.mil/
- gpgsm --learn-card
- Learn about the CAC
- gpgsm --list-secret-keys
- Describe the secret keys available on the CAC
- gpgsm --verbose --disable-crl-checks --armour --sign path
- Perform a test signature
- gpgsm --verbose --disable-crl-checks --armour --verify path
- Perform a test verification