Your new CAC, Linux, Mac, and You

Earlier posts outlined how to use OpenSC to make your CAC work on Linux or Mac. The problem is that new 144k CACs are being handed out that do not work with the current Coolkey or OpenSC toolsets. What is a happy Federal employee to do?! First you need to find a Windows computer that can access the In a strange turn of events you will be unable to download the software necessary for your true platform of choice to access the software. It's a chicken and egg problem…

I will start with Linux. There are RPM and DEB files, but where is the fun in that? To reach the most people possible, I cover building from source; follow these instructions and you will be just spiffy. Note that there is an initiative with the Red Hat Linux PKI Team to implement the fixes from CACKey in Coolkey, but it has only flowed to some initial Fedora packages thus far. These instructions will not age well once that Coolkey package reaches the main Debian, Ubuntu, RHEL, etc. repositories.

  1. Download the latest Firefox extension for installing the root certificates for both the Federal and DoD CA from here: DoD Firefox Extension
  2. Next we need to install the *.xpi file into Firefox. I will assume you are more than capable of doing this. When you are done, restart the browser and allow it to fetch the certificates.
  3. Download the source code for CACKey from here: CACKey Source
  4. Install the libpcsclite-dev package for your distro. The one mentioned here is for Debian Unstable
  5. Extract: tar xfvz cackey-0.5.20.tar.gz
  6. Configure: cd cackey* && ./configure
  7. Make: make
  8. Install: sudo make install
  9. Next open Firefox/Iceweasel back up and ensure that your list of security devices is free of OpenSC and Coolkey. I have had little success in having both loaded with the CACKey implementation. You will load the Security Device from /usr/local/lib/
  10. Shut down the browser and restart it.
  11. Surf to a friendly CAC-enabled website you frequent and, when prompted for your PIN, use the same one you would at work. If you have the newer 144k CAC you will be given a choice between two certificates; choose the one with your email address listed.
  12. You are in!

For Mac your life is much simpler. There are pre-made packages for Tiger, Leopard, and Snow Leopard. Download the one applicable to your platform and follow the same instructions above from Step 9 down. The only difference is that the location for loading the security device is: /usr/lib/pkcs11/cackey.dylib
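
The step 9 check (no OpenSC or Coolkey loaded next to CACKey) can also be done from a shell. This is an added example, not part of the original post or of CACKey. It assumes a Firefox profile that records its security devices in a plain-text pkcs11.txt file (older profiles use a binary secmod.db instead); the function names and the sample module list are made up for illustration.

```shell
#!/bin/sh
# Assumed pkcs11.txt layout: one stanza per module with "library=" and
# "name=" lines, stanzas separated by blank lines.

# Print "name<TAB>library" for every module that loads an external library.
list_modules() {
    awk '
        function emit() {
            if (lib != "") printf "%s\t%s\n", name, lib
            lib = ""; name = ""
        }
        /^library=/      { lib  = substr($0, 9) }
        /^name=/         { name = substr($0, 6) }
        /^[[:space:]]*$/ { emit() }
        END              { emit() }
    ' "$1"
}

# Exit status: 0 = CACKey is loaded without OpenSC or Coolkey,
# 1 = OpenSC or Coolkey is still loaded (listed on stderr),
# 2 = CACKey is not loaded at all.
check_modules() {
    list_modules "$1" | awk -F '\t' '
        { l = tolower($2) }
        l ~ /opensc|coolkey/ { print "unload: " $1 " (" $2 ")" > "/dev/stderr"; bad = 1 }
        l ~ /cackey/         { ok = 1 }
        END { exit bad ? 1 : (ok ? 0 : 2) }
    '
}

# Constructed sample: Coolkey was left loaded next to CACKey.
sample_db() {
    cat <<'EOF'
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/pkcs11/libcoolkeypk11.so
name=CoolKey

library=/usr/local/lib/libcackey.so
name=CACKey
EOF
}

# Usage: sh check.sh /path/to/firefox-profile/pkcs11.txt
if [ $# -gt 0 ]; then check_modules "$1"; fi
```

Run it with the browser closed, so that the file reflects what will be loaded on the next start.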