DoD Common Access Card and other smartcards on Unix

Mar 12, 2020

Fedora

Prerequisites

  1. Install the DoD root certificates:
  • Download the DoD root certificates. Visit the DoD PKI/PKE Document Library, and download the target of the link “PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.6”.
  • Unzip the downloaded package, and enter the unzipped directory.
  • Copy the certificates to the system directory: cp DoD_PKE_CA_chain.pem /etc/pki/ca-trust/source/anchors/.
  • Update the CA trust store: update-ca-trust.
  1. Install the necessary packages: yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools
  2. Start the PC/SC daemon: systemctl start pcscd
  3. Configure the system to start the PC/SC daemon each time it boots: systemctl enable pcscd.service

DoD Common Access Card

This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.

Firefox

  1. Insert your CAC into the smart-card reader
  2. Introduce the PC/SC interface to Firefox:
  • Select PreferencesPrivacy & Security
  • Select Security Devices
  • Select Load
  • Name the module something like CAC Support and select /usr/lib64/pkcs11/opensc-pkcs11.so

PAM

  1. Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database: certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb
  2. Review /etc/pam.d/smartcard-auth
  3. Edit /etc/pam_pkcs11/pam_pkcs11.conf and set user_mappers to subject
  4. Run pkcs11_inspect debug, and look for Printing data for ...
  5. Edit /etc/pam_pkcs11/subject_mapping to contain something like CN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output from pkcs11_inspect and username with the corresponding UNIX username

GnuPG

First, complete the following steps:

  1. Install the necessary packages: yum install dirmngr gnupg2-smime gnupg-pkcs11-scd
  2. Add scdaemon-program /usr/bin/gnupg-pkcs11-scd to ~/.gnupg/gpg-agent.conf
  3. Add the following to ~/.gnupg/gnupg-pkcs11-scd.conf:
providers p1
provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so
emulate-openpgpg
openpgp-sign hash
openpgp-encr hash
openpgp-auth hash

Replace hash with the output from echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)

  1. Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/

PIVKey C910

A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:

  • Set the PIN of the smartcard (the default is 000000)
  • Set the administrative key of the smartcard (the default is 000000000000000000000000)
  • Load a PKCS#12 certificate/key onto the smartcard

The PIVKey C910 supports a number of key slots which are defined by various standards:

Slot identifier Description
9A Authentication (e.g., system logins)
9C Digital signatures
9D Key management (encryption)
9E Card authentication; does not require PIN (e.g., door locks)

You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:

PivKeyTool.exe --listmd
List the certificates/keys present on the smartcard.
PivKeyTool.exe --listpiv
List the mappings between certificate IDs and key slots.
PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e
Establish a mapping between a certificate ID and key slot.

Once you have installed and configured GnuPG, you might find the following commands helpful:

gpg2 --card-status
Test the interoperability between GnuPG and the CAC
gpgsm --import DODCA_29.cer DODEMAILCA_29.cer
Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
gpgsm --import name.cer
Import the personal certificate downloaded from https://dod411.gds.disa.mil/
gpgsm --learn-card
Learn about the CAC
gpgsm --list-secret-keys
Describe the secret keys available on the CAC
gpgsm --verbose --disable-crl-checks --armour --sign path
Perform a test signature
gpgsm --verbose --disable-crl-checks --armour --verify path
Perform a test verification