Home » Featured » CAC cards and Mac OSX

I love using Mac, as a so called IT professional it’s the most professional improvement to come UNIX in over a decade.  I especially like to use it for work,  The problem isall of the systems they use at my company rely on CAC authentication.  More specificaly it’s all been geared towards Windows & CAC.  Don’t get me wrong Common Access Cards are a great way to handle security.  They work off of industry standard concepts like X.509 Certificates and Public Key Encryption.  I don’t have a problem with that.  It’s the horseshit support I find for documentation on how to use cac with my Mac.

This is a list of links and tips I discovered to make it easier to do.  By default it shouldn’t be that card in OS X 10.5.6 or higher to get your CAC to work.  In factApple already has support for CAC readers built into the OS.  I have found though that often times you need to flash your CAC reader with the most current firmware version to make it work right.  The worst part about this is that you have to use a windows XP computer to do this.  I found the firmware for my cCAC reader and the flash tool at this site http://www.txsystems.com/cac.html  Once I installed it on a Windows XP machine and flashed it to the most current version I got my cac to start seeing it.

To test if your mac can see you CAC reader plug it into your computer and place you CAC in the reader. Then open terminal and type ‘sudo pcsctool’.  After you input your admin password if will tell you sucess or failure.  THis is the immeditae indicator of weather or not your computer can use your CAC reader.

Once you know your computer will see it you can start configuring certain programs to use it/.  So far I’ve gotten Safari and Firefox working with the CAC reader.  The best instructions you can find for getting Safari to use your CAC is from http://militarycac.com/apple.htm  I’ve included it here for archive puproses.

Step 1: Update your system.  (10.5.6 is the minimum required for Leopard, though 10.5.8 is currently available and recommended)

Step 2: Plug in your CAC Reader to the USB Port

Step 3: Click the Apple Icon in the upper left corner of your desktop and select “About This Mac”

Step 4: Click the “More Info” Button within the window that pops up. (This open System Profiler)

Step 5: Within the “Hardware” Category select the “USB” Section.  On the right hand side of the screen the window will display all hardware plugged into the USB ports on your Mac.  Within this should be a Smart Card Reader.  If the Smart Card reader is present here it is installed on your system, and no further hardware changes are required, i.e. additional drivers / Firmware upgrades.  Unplug the CAC Reader from your system.

Step 6: Open Keychains Access from the Utilities Folder within the Applications folder; Open the “Edit” Menu, and select “Keychain List”, click the “+” button in the lower left of the window opened, navigate to the location: System / Library / Keychains (Select the local hard drive i.e “Macintosh HD” on the left, followed by the System folder, within that the Library folder, and within that the Keychains folder), and select X509Anchors.  Check the Box to the left of the name under “Shared” as well as the System Box.  Click “Ok”.

Step 7: Plug in your CAC Reader and insert your CAC into the CAC Reader.  If in the upper left of the Keychain Access window, under “Keychains” your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), select it. In the right hand side you will see the certificates that are on your CAC. (If your CAC does not appear remove it from the reader, unplug the CAC Reader, close and re-open keychains, plug in the Card Reader, and insert your CAC)

Step 8: Click the “Padlock” icon in the upper left corner of the program window, which will prompt you for your CAC PIN.  Enter your PIN to unlock your CAC.

Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window.  Right Click (Control Click) and select “New Identity Preference”

Step 10: Enter the URL for the appropriate website you wish to access, select the appropriate certificate and click “Add”:

Step 11: Close Keychains, remove your CAC, and re-insert it.  Open Safari and begin navigating to your CAC enabled site.  (Air Force Users: remove your CAC card and re-insert it prior to opening Safari.)

If you want to use your CAC with firefox it’s a little more complicated.  This is because the plugin that used to be hosted on the mozilla addons page is nolonger active.  Now the project is hosted under the Department of Defensess forge.mil site.  This site requires a department of defense CAC to get in and download it.  It also has great documentation on how to setup firefox.  It’s all focused on the DOD Certs though.

If you are looking to get your mac to play nicely in a AD envronment then you should look at centrify‘s solution.  I have to be honest, I haven’t tried it but I have read a lot about it and it appears to be the perfect way to authenitcate to an active directory domain via CAC.

3 thoughts on “CAC cards and Mac OSX

  1. Lt Col David "Shirpa" Jones, VTANG, MC, FS says:

    Thanks for this. I have been trying all sorts of solutions/suggestions to allow me to access .mil pages from home on a Mac. I had always resorted to Boot Camp and shifting into Windows, which was never an elegant solution. But this has worked perfectly. I will pass the info around our base for others with the same desire.

  2. I’m the same way with MAC. I love the operating system. You shouldn’t have to not be able to not use CAC readers just because of your operating system. Thanks for this info!

  3. PFC David "f0ru0l0rd" Turner says:

    This solution was PERFECT! I wish I could buy you several beers for this, sir. I was having problems, where my Mac would say that my credentials were not valid, without even checking them. Even after several options and work arounds, I never had my CAC in the keychain. This solution enabled my computer to FINALLY see my certificates. Thank you so very much for your help!
    -f0ru0l0rd

Leave a Reply

Your email address will not be published. Required fields are marked *

</Random> is Stephen Fry proof thanks to caching by WP Super Cache