Search MilitaryCAC: Site Map

.com | .us | .info | .mobi | .net | .org The Definitive Source for Everything CAC Common Access Card help for your Personal Linux Computer

Also available at: https://MilitaryCAC.com Please this website with your friends and colleagues

LINUX SUPPORT PAGE

Linux support provided by: Noah Kalish & Nathan Wolf

The following is a guide to assist in setting up your Linux computer to access CAC-enabled DoD websites from the general to the specific.

Install the middleware

The Linux CAC Reader stack is based on a set of middleware called PCSC (Personal Computer Smart Card), written by the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project.

Software packages

pcsc-lite - PCSC Smart Cards Library

pcsc-ccid - generic USB CCID (Chip/Smart Card Interface Devices) driver

            Note: Depending on your card reader you may need to install other drivers

perl-pcsc - Abstraction layer to smart card readers

pcsc-tools - Optional but highly recommended, these tools are used to test a PCSC driver, card and reader

The naming of this package / library name varies from one distribution to another depending on the package maintainer.  For example if you want to find the pcsc-lite package, enter into the search engine of your choice:

  pcsc lite yourdisribution

Replace yourdisribution with openSUSE, Fedora or Ubuntu; whatever you are running

PKCS #11 module

The original module to read PKCS #11 keys was 'coolkeys' which has been replaced by the currently required module 'CACkey', available from DISA's Linux development site:

http://www.forge.mil/Community.html?uri=/sf/go/projects.community_cac/frs.cackey

NOTE:  A computer with working CAC authentication is required for the download. 

Forge.mil hosts both CACkey and the DoD Configuration extension, but it also needs CAC authentication to download the packages.  Easiest may be to download all on a CAC enabled computer and then transfer to the Linux machine via thumb drive. From forge.mil download:

           ·        The latest version of CACkey

           ·        The latest version of the DoD Configuration extension for Firefox

Recommend these be stored on AKO Cloud, Dropbox, Google Drive, portable media, or other location to ensure continued access.

Configuring Firefox

Firefox requires a plug-in and some tweaking.

The plug-in is the aforementioned DoD Configuration extension for Firefox obtained from DISA

Once installed it may need configuring:

       ·         Select from the menu, Tools > Add-ons

       ·         Once the Add-ons page is loaded, Select Extensions > DOD Configuration [version] and click Preferences.

       ·         Click the certificate buttons to update the certificate cache with the necessary DOD certificates, then click Redetect Smart Card Reader.

       ·         If it fails to find the reader all is not lost--go to https://www.us.army.mil  or some other CAC-required site and give it a try--it often works.

If the CAC Module is not working:

       ·         Select from the menu, Edit > Preferences > Advanced > Encryption > Security Devices

       ·         Check the left column.  It should show an entry similar to "CAC Module" along with certificate(s) as a sub-item.  If it doesn't work then the entries are wrong.

       ·         Select the entry and select Unload to remove the security device

                  ◦             To install / reinstall the CAC driver in Firefox using the above listed Security Devices

       ·         Select Load on the dialog box

       ·         Module name should be something like: DoD CAC

       ·         Module filename: either type in or browse to the location of the libcackey.so drivers

       ·         The files will be located under either: 

            /usr/lib/

            or

            /usr/lib64/

DTS

OpenJDK is not compatible with DBSign.  You will have to install Java from Oracle.  This varies from distribution to distribution.

See below for distribution specific information.

DoD Certificates

Available for Linux by visiting the DoD Class 3 PKI page on DISA.mil

External Links

Some older links, that "may" help you:

There's a Firefox plug-in that allows you to digitally sign Gmail messages with a digital certificate from your CAC in the web interface:

 Linux Debian "Etch" using GemPlus

Another Soldier used Ubuntu 8.04 (Hardy Heron) with Mozilla's Thunderbird for email.  He used Coolkey to get the CAC reader working with Firefox, then loaded Coolkeys pkcs module into Thunderbird.

Another Ubuntu forums website where you can read about configuration / utilization of your CAC. 

Using Linux with your CAC links on Google