
Get a US Government CAC to work
with the x86_64 version of Firefox
on a 64-bit RHEL 6.4 or CentOS 6.4 machine.

Introduction.

Most if not all US Government employees are now issued a CAC (Common Access Card). This includes active members of the Armed Services and civilian government employees. Many government contractors may also be issued a CAC.

The CAC serves as an identification card that humans can read and includes a picture, expiration date, and ID number. The CAC is also a Smart Card that can be read to access government-signed certificates stored on the CAC. Reading the CAC requires entry of a Personal Identification Number (PIN). The combination of the CAC (something you have) and the PIN (something you know) for authentication is a form of two-factor authentication, which is a requirement to access many U.S. Government (USG) Information Systems (IS) and the preferred way for many more.

64-bit Linux machine

Getting a US Government CAC to work on a 64-bit RHEL 6.4 machine or a 64-bit CentOS 6.4 machine running the x86_64 version of Firefox is a lot easier than getting a CAC to work on Linux was in the past. The US Government mostly uses MS Windows workstations and offers little or no official support for using a CAC on another platform.

This procedure has been used on Red Hat Enterprise Linux (RHEL) 6.4 machines and CentOS 6.4 machines and should also work on Scientific Linux (SL) 6.4 machines.

Install esc (Enterprise Security Client Smart Card Client), which will cause the ccid, coolkey, pcsc-lite, and pcsc-lite-libs dependencies to be installed.

yum -y install esc

Update xulrunner, which updates Firefox.

yum -y update xulrunner

Reboot

At this point the "Smart Card Manager" can see information on the CAC card.

Configure the "CAC Reader" Security Device in the x86_64 version of Firefox:

Select "Preferences" from the "Edit" menu. Click on the "Advanced" icon and then select the "Encryption" tab.

Click on the "Security Devices" button and then the "Load" button in the window that appears. Under "Module Name" put a name you will recognize such as "CAC Reader".

Click the browse button and navigate to /usr/lib64/pkcs11/libcoolkeypk11.so and select that, or, alternatively, enter "/usr/lib64/pkcs11/libcoolkeypk11.so" in the "Module Filename" field.

The "CAC Reader" module will now appear in the previous window, and, if you have a CAC Reader plugged into the computer with a CAC inserted, your personal information will appear as well.
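A check worth running before the "Load" step above, as an added example that is not part of the original page: a PKCS#11 module is native code loaded into the browser process that handles the CAC PIN, so confirm the file is a 64-bit ELF object matching the x86_64 Firefox and is not group- or world-writable. The function names are hypothetical; the only path assumed is the one given on this page.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a PKCS#11 module
# before loading it into Firefox. Function names are hypothetical.

# elf_class FILE: print 64, 32, or "none" based on the ELF header.
# Bytes 1-4 are the magic 7f 45 4c 46; byte 5 (EI_CLASS) is 01=32-bit, 02=64-bit.
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4602) echo 64 ;;
        7f454c4601) echo 32 ;;
        *)          echo none ;;
    esac
}

# perms_safe FILE: succeed only if FILE is not group- or world-writable.
# Reads the mode string from ls (symlinks followed): char 6 = group w, char 9 = other w.
perms_safe() {
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# check_module FILE: 0 = ok, 1 = missing, 2 = not 64-bit ELF, 3 = loose permissions.
check_module() {
    mod=$1
    [ -f "$mod" ] || { echo "missing: $mod"; return 1; }
    cls=$(elf_class "$mod")
    [ "$cls" = 64 ] || { echo "not a 64-bit ELF object (class: $cls): $mod"; return 2; }
    perms_safe "$mod" || { echo "group- or world-writable: $mod"; return 3; }
    echo "ok: $mod"
}

# Run against a path given on the command line, e.g. the one from this page:
#   sh check_module.sh /usr/lib64/pkcs11/libcoolkeypk11.so
[ "$#" -eq 0 ] || check_module "$1"
```

A result of "not a 64-bit ELF object" usually means a 32-bit library was selected, which the x86_64 Firefox cannot load.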

Once you are at this point you can now visit DoD CAC enabled sites.

Add exceptions to trust DoD sites you will use your CAC to authenticate to.

You could install the DoD root certificates, but then you would have to keep updating them anyway.

Expired certificates that have been added by exception may have to be deleted before you can add a new certificate for the same site.

These appear in Firefox -> Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Servers
