Fedora

Prerequisites

  1. Install the DoD root certificates:
    1. Download the DoD root certificates. Visit https://iase.disa.mil/pki-pke/Pages/tools.aspx, select the “Trust Store” tab, and download the target of the link “For DoD PKI Only - Version 5.4” under “PKI CA Certificate Bundles: PKCS#7.”
    2. Unzip the downloaded package, and enter the unzipped directory.
    3. Convert the certificates to the x509 format:
      openssl pkcs7 -in Certificates_PKCS7_v5.4_DoD.pem.p7b -print_certs \
                    -out DoD_CAs.pem
    4. Copy the certificates to the system directory: cp DoD_CAs.pem /etc/pki/ca-trust/source/anchors/.
    5. Update the CA trust store: update-ca-trust.
  2. Install the necessary packages: yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools.
  3. Start the PC/SC daemon: systemctl start pcscd.
  4. Configure the system to start the PC/SC daemon each time it boots: systemctl enable pcscd.service
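The prerequisite steps above, collected into one script with the checks a practitioner would want after each step: that the PKCS#7 bundle actually yielded certificates, that the anchors are visible in the system trust store after update-ca-trust, and that pcscd is running with a reader attached. This is an added example, not code from the original page. It assumes the bundle has already been downloaded to the working directory, uses the Fedora paths from the steps above, and relies on p11-kit's trust command and OpenSC's opensc-tool being installed; the privileged steps run only when DOD_CAC_SETUP=run is set in the environment.

```shell
#!/bin/sh
# Added example: Fedora CAC prerequisites as checked, repeatable steps.
# Assumes Certificates_PKCS7_v5.4_DoD.pem.p7b is in the current directory.

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors

# Count the certificates in a PEM file; prints 0 for an empty or unreadable file.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Convert the PKCS#7 bundle to plain PEM certificates and refuse to go on
# if nothing was extracted (a truncated or wrong download looks like this).
pkcs7_to_pem() {
    in="$1"; out="$2"
    openssl pkcs7 -in "$in" -print_certs -out "$out"
    n=$(count_certs "$out")
    [ "$n" -gt 0 ] || { echo "no certificates extracted from $in" >&2; return 1; }
    echo "$n"
}

# Install the PEM bundle as a system anchor and confirm the trust store saw it.
install_anchor() {
    pem="$1"
    install -m 0644 "$pem" "$ANCHOR_DIR/"
    update-ca-trust
    # p11-kit's trust tool lists the anchors the system now trusts.
    trust list --filter=ca-anchors | grep -q 'DoD' \
        || { echo "DoD anchors not visible in the trust store" >&2; return 1; }
}

# Install the PC/SC stack, enable it at boot, and confirm a reader is present.
setup_pcsc() {
    yum -y install opensc pcsc-lite-ccid pcsc-lite pcsc-tools
    systemctl enable --now pcscd.service
    systemctl is-active --quiet pcscd \
        || { echo "pcscd is not running" >&2; return 1; }
    # Lists the readers seen through PC/SC; an empty list means no reader.
    opensc-tool -l
}

main() {
    bundle="${1:-Certificates_PKCS7_v5.4_DoD.pem.p7b}"
    n=$(pkcs7_to_pem "$bundle" DoD_CAs.pem)
    echo "extracted $n certificates from $bundle"
    install_anchor DoD_CAs.pem
    setup_pcsc
}

# The steps need root and touch the system trust store, so run them only
# when explicitly requested: DOD_CAC_SETUP=run sh setup-cac.sh [bundle.p7b]
if [ "${DOD_CAC_SETUP:-}" = "run" ]; then
    main "$@"
fi
```

The certificate count is the cheap check worth keeping: a bundle that converts to zero certificates installs nothing, and update-ca-trust will not complain about it.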

DoD Common Access Card

This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.

Firefox

  1. Insert your CAC into the smart-card reader
  2. Introduce the PC/SC interface to Firefox:
    1. Select Preferences→Privacy & Security
    2. Select Security Devices
    3. Select Load
    4. Name the module something like CAC Support and select /usr/lib64/pkcs11/opensc-pkcs11.so

PAM

  1. Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database: certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb
  2. Review /etc/pam.d/smartcard-auth
  3. Edit /etc/pam_pkcs11/pam_pkcs11.conf and set user_mappers to subject
  4. Run pkcs11_inspect debug, and look for Printing data for …
  5. Edit /etc/pam_pkcs11/subject_mapping to contain something like CN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output from pkcs11_inspect and username with the corresponding UNIX username
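A lint for the subject_mapping file written in step 5, as an added example that is not part of the original notes. It assumes the pam_pkcs11 line format shown above (DN -> username) and the file path from step 5, and reports a DN mapped to an account that does not exist locally, a DN that appears twice (a card that could resolve to two accounts), and lines that do not fit the format. The sample mapping in the usage below is constructed.

```shell
#!/bin/sh
# Added example: lint /etc/pam_pkcs11/subject_mapping before relying on it
# for logins. Diagnostics go to stderr; the problem count goes to stdout.

MAPPING="${MAPPING:-/etc/pam_pkcs11/subject_mapping}"

# True when the username exists in the local account database.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Check one mapping file. Prints the number of problems found and returns
# 0 when the file is clean, 1 otherwise.
check_subject_mapping() {
    file="$1"
    problems=0
    seen=""
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Blank lines and comments are ignored by pam_pkcs11 as well.
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in
            *' -> '*) ;;
            *)
                echo "line $lineno: not of the form 'DN -> username'" >&2
                problems=$((problems + 1))
                continue ;;
        esac
        dn=${line%% -> *}
        user=${line##* -> }
        # The same DN listed twice would let one card match two accounts.
        case "$seen" in
            *"|$dn|"*)
                echo "line $lineno: duplicate DN '$dn'" >&2
                problems=$((problems + 1)) ;;
        esac
        seen="$seen|$dn|"
        if ! user_exists "$user"; then
            echo "line $lineno: unknown account '$user'" >&2
            problems=$((problems + 1))
        fi
    done < "$file"
    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Usage: MAPPING=/etc/pam_pkcs11/subject_mapping sh check-mapping.sh
if [ "${CHECK_MAPPING:-}" = "run" ]; then
    check_subject_mapping "$MAPPING"
fi
```

Run it after every edit to subject_mapping: a typo in the username silently locks the card holder out, and a duplicated DN is the kind of mistake that only shows up when the wrong account logs in.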

GnuPG

First, complete the following steps:

  1. Install the necessary packages: yum install dirmngr gnupg2-smime gnupg-pkcs11-scd
  2. Add scdaemon-program /usr/bin/gnupg-pkcs11-scd to ~/.gnupg/gpg-agent.conf
  3. Add the following to ~/.gnupg/gnupg-pkcs11-scd.conf:
    providers p1
    provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so
    emulate-openpgp
    openpgp-sign hash
    openpgp-encr hash
    openpgp-auth hash
    
    Replace hash with the output from echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)
  4. Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/

PIVKey C910

A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:

The PIVKey C910 supports a number of key slots which are defined by various standards:

Slot identifier   Description
9A                Authentication (e.g., system logins)
9C                Digital signatures
9D                Key management (encryption)
9E                Card authentication; does not require PIN (e.g., door locks)

You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:

PivKeyTool.exe --listmd
List the certificates/keys present on the smartcard.
PivKeyTool.exe --listpiv
List the mappings between certificate IDs and key slots.
PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e
Establish a mapping between a certificate ID and key slot.

Smart-card-related GnuPG commands

Once you have installed and configured GnuPG, you might find the following commands helpful:

gpg2 --card-status
Test the interoperability between GnuPG and the CAC
gpgsm --import DODCA_29.cer DODEMAILCA_29.cer
Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
gpgsm --import name.cer
Import the personal certificate downloaded from https://dod411.gds.disa.mil/
gpgsm --learn-card
Learn about the CAC
gpgsm --list-secret-keys
Describe the secret keys available on the CAC
gpgsm --verbose --disable-crl-checks --armour --sign path
Perform a test signature
gpgsm --verbose --disable-crl-checks --armour --verify path
Perform a test verification
Email: www@flyn.org — ✉ 6110 Campfire Court; Columbia, Maryland 21045; USA