DoD Common Access Card and other smartcards on Unix
- Install the DoD root certificates:
- Download the DoD root certificates. Visit the DoD PKI/PKE Document Library, and download the target of the link “PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.6”.
- Unzip the downloaded package, and enter the unzipped directory.
- Copy the certificates to the system directory: cp DoD_PKE_CA_chain.pem /etc/pki/ca-trust/source/anchors/.
- Update the CA trust store: update-ca-trust.
- Install the necessary packages: yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools
- Start the PC/SC daemon: systemctl start pcscd
- Configure the system to start the PC/SC daemon each time it boots: systemctl enable pcscd.service
DoD Common Access Card
This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.
- Insert your CAC into the smart-card reader
- Introduce the PC/SC interface to Firefox:
- Select Preferences→Privacy & Security
- Select Security Devices
- Select Load
- Name the module something like CAC Support and select /usr/lib64/pkcs11/opensc-pkcs11.so
- Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database: certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb
- Review /etc/pam.d/smartcard-auth
- Edit /etc/pam_pkcs11/pam_pkcs11.conf and set user_mappers to subject
- Run pkcs11_inspect debug, and look for Printing data for …
- Edit /etc/pam_pkcs11/subject_mapping to contain something like CN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output from pkcs11_inspect and username with the corresponding UNIX username
First, complete the following steps:
- Install the necessary packages: yum install dirmngr gnupg2-smime gnupg-pkcs11-scd
- Add scdaemon-program /usr/bin/gnupg-pkcs11-scd to ~/.gnupg/gpg-agent.conf
- Add the following to ~/.gnupg/gnupg-pkcs11-scd.conf:
providers p1 provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so emulate-openpgpg openpgp-sign hash openpgp-encr hash openpgp-auth hashReplace hash with the output from echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)
- Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/
A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:
- Set the PIN of the smartcard (the default is 000000)
- Set the administrative key of the smartcard (the default is 000000000000000000000000)
- Load a PKCS#12 certificate/key onto the smartcard
The PIVKey C910 supports a number of key slots which are defined by various standards:
|9A||Authentication (e.g., system logins)|
|9D||Key management (encryption)|
|9E||Card authentication; does not require PIN (e.g., door locks)|
You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:
- PivKeyTool.exe --listmd
- List the certificates/keys present on the smartcard.
- PivKeyTool.exe --listpiv
- List the mappings between certificate IDs and key slots.
- PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e
- Establish a mapping between a certificate ID and key slot.
Smart-card-related GnuPG commands
Once you have installed and configured GnuPG, you might find the following commands helpful:
- gpg2 --card-status
- Test the interoperability between GnuPG and the CAC
- gpgsm --import DODCA_29.cer DODEMAILCA_29.cer
- Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
- gpgsm --import name.cer
- Import the personal certificate downloaded from https://dod411.gds.disa.mil/
- gpgsm --learn-card
- Learn about the CAC
- gpgsm --list-secret-keys
- Describe the secret keys available on the CAC
- gpgsm --verbose --disable-crl-checks --armour --sign path
- Perform a test signature
- gpgsm --verbose --disable-crl-checks --armour --verify path
- Perform a test verification