I love using Mac, as a so called IT professional it’s the most professional improvement to come UNIX in over a decade. I especially like to use it for work, The problem isall of the systems they use at my company rely on CAC authentication. More specificaly it’s all been geared towards Windows & CAC. Don’t get me wrong Common Access Cards are a great way to handle security. They work off of industry standard concepts like X.509 Certificates and Public Key Encryption. I don’t have a problem with that. It’s the horseshit support I find for documentation on how to use cac with my Mac.
This is a list of links and tips I discovered to make it easier to do. By default it shouldn’t be that card in OS X 10.5.6 or higher to get your CAC to work. In factApple already has support for CAC readers built into the OS. I have found though that often times you need to flash your CAC reader with the most current firmware version to make it work right. The worst part about this is that you have to use a windows XP computer to do this. I found the firmware for my cCAC reader and the flash tool at this site http://www.txsystems.com/cac.html Once I installed it on a Windows XP machine and flashed it to the most current version I got my cac to start seeing it.
To test if your mac can see you CAC reader plug it into your computer and place you CAC in the reader. Then open terminal and type ‘sudo pcsctool’. After you input your admin password if will tell you sucess or failure. THis is the immeditae indicator of weather or not your computer can use your CAC reader.
Once you know your computer will see it you can start configuring certain programs to use it/. So far I’ve gotten Safari and Firefox working with the CAC reader. The best instructions you can find for getting Safari to use your CAC is from http://militarycac.com/apple.htm I’ve included it here for archive puproses.
Step 1: Update your system. (10.5.6 is the minimum required for Leopard, though 10.5.8 is currently available and recommended)
Step 2: Plug in your CAC Reader to the USB Port
Step 3: Click the Apple Icon in the upper left corner of your desktop and select “About This Mac”
Step 4: Click the “More Info” Button within the window that pops up. (This open System Profiler)
Step 5: Within the “Hardware” Category select the “USB” Section. On the right hand side of the screen the window will display all hardware plugged into the USB ports on your Mac. Within this should be a Smart Card Reader. If the Smart Card reader is present here it is installed on your system, and no further hardware changes are required, i.e. additional drivers / Firmware upgrades. Unplug the CAC Reader from your system.
Step 6: Open Keychains Access from the Utilities Folder within the Applications folder; Open the “Edit” Menu, and select “Keychain List”, click the “+” button in the lower left of the window opened, navigate to the location: System / Library / Keychains (Select the local hard drive i.e “Macintosh HD” on the left, followed by the System folder, within that the Library folder, and within that the Keychains folder), and select X509Anchors. Check the Box to the left of the name under “Shared” as well as the System Box. Click “Ok”.
Step 7: Plug in your CAC Reader and insert your CAC into the CAC Reader. If in the upper left of the Keychain Access window, under “Keychains” your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), select it. In the right hand side you will see the certificates that are on your CAC. (If your CAC does not appear remove it from the reader, unplug the CAC Reader, close and re-open keychains, plug in the Card Reader, and insert your CAC)
Step 8: Click the “Padlock” icon in the upper left corner of the program window, which will prompt you for your CAC PIN. Enter your PIN to unlock your CAC.
Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window. Right Click (Control Click) and select “New Identity Preference”
Step 10: Enter the URL for the appropriate website you wish to access, select the appropriate certificate and click “Add”:
Step 11: Close Keychains, remove your CAC, and re-insert it. Open Safari and begin navigating to your CAC enabled site. (Air Force Users: remove your CAC card and re-insert it prior to opening Safari.)
If you want to use your CAC with firefox it’s a little more complicated. This is because the plugin that used to be hosted on the mozilla addons page is nolonger active. Now the project is hosted under the Department of Defensess forge.mil site. This site requires a department of defense CAC to get in and download it. It also has great documentation on how to setup firefox. It’s all focused on the DOD Certs though.
If you are looking to get your mac to play nicely in a AD envronment then you should look at centrify‘s solution. I have to be honest, I haven’t tried it but I have read a lot about it and it appears to be the perfect way to authenitcate to an active directory domain via CAC.