DoD Common Access Card and other smartcards on Unix
Fedora
Prerequisites
- Install the DoD root certificates:
- Download the DoD root certificates. Visit the DoD PKI/PKE Document Library, and download the target of the link “PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.6”.
- Unzip the downloaded package, and enter the unzipped directory.
- Copy the certificates to the system directory:
cp DoD_PKE_CA_chain.pem /etc/pki/ca-trust/source/anchors/. - Update the CA trust store:
update-ca-trust.
- Install the necessary packages:
yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools - Start the PC/SC daemon:
systemctl start pcscd - Configure the system to start the PC/SC daemon each time it boots:
systemctl enable pcscd.service
DoD Common Access Card
This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.
Firefox
- Insert your CAC into the smart-card reader
- Introduce the PC/SC interface to Firefox:
- Select
Preferences→Privacy & Security - Select
Security Devices - Select
Load - Name the module something like
CAC Supportand select/usr/lib64/pkcs11/opensc-pkcs11.so
PAM
- Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database:
certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb - Review
/etc/pam.d/smartcard-auth - Edit
/etc/pam_pkcs11/pam_pkcs11.confand setuser_mapperstosubject - Run
pkcs11_inspect debug, and look forPrinting data for ... - Edit
/etc/pam_pkcs11/subject_mappingto contain something likeCN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output frompkcs11_inspectand username with the corresponding UNIX username
GnuPG
First, complete the following steps:
- Install the necessary packages:
yum install dirmngr gnupg2-smime gnupg-pkcs11-scd - Add
scdaemon-program /usr/bin/gnupg-pkcs11-scdto~/.gnupg/gpg-agent.conf - Add the following to
~/.gnupg/gnupg-pkcs11-scd.conf:
providers p1
provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so
emulate-openpgpg
openpgp-sign hash
openpgp-encr hash
openpgp-auth hash
Replace hash with the output from echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)
- Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/
PIVKey C910
A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:
- Set the PIN of the smartcard (the default is 000000)
- Set the administrative key of the smartcard (the default is 000000000000000000000000)
- Load a PKCS#12 certificate/key onto the smartcard
The PIVKey C910 supports a number of key slots which are defined by various standards:
| Slot identifier | Description |
|---|---|
| 9A | Authentication (e.g., system logins) |
| 9C | Digital signatures |
| 9D | Key management (encryption) |
| 9E | Card authentication; does not require PIN (e.g., door locks) |
You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:
- PivKeyTool.exe --listmd
- List the certificates/keys present on the smartcard.
- PivKeyTool.exe --listpiv
- List the mappings between certificate IDs and key slots.
- PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e
- Establish a mapping between a certificate ID and key slot.
Smart-card-related GnuPG commands
Once you have installed and configured GnuPG, you might find the following commands helpful:
- gpg2 --card-status
- Test the interoperability between GnuPG and the CAC
- gpgsm --import DODCA_29.cer DODEMAILCA_29.cer
- Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
- gpgsm --import name.cer
- Import the personal certificate downloaded from https://dod411.gds.disa.mil/
- gpgsm --learn-card
- Learn about the CAC
- gpgsm --list-secret-keys
- Describe the secret keys available on the CAC
- gpgsm --verbose --disable-crl-checks --armour --sign path
- Perform a test signature
- gpgsm --verbose --disable-crl-checks --armour --verify path
- Perform a test verification
