ChiefsCACSite.com, CommonAccessCard.us, CommonAccessCard.info, ChiefGeek.us, MilitaryCAC.info, MilitaryCAC.us, MilitaryCAC.org, MilitaryCAC.net, & MilitaryCAC.mobi
The Definitive Source for Everything CAC
CAC (Common Access Card) help for your personal computer
YOU "MAY" BE ABLE TO USE YOUR CAC WITH WINDOWS 7 WITHOUT ACTIVCLIENT
I have received some emails stating Windows 7 does NOT need ActivClient. The information following has proven this to be true. You will read below that you need the newer style card (like on the right); I call it Wavy Words.
Use of Common Access Cards (CACs) from Home on Windows 7 without ActivClient

(The following information was received from the US Air Force)
Some adjustments were made by CW3 Danberry on 1 February 2010

Problem: Microsoft Windows 7 includes a native capability to read and use the newest CAC-based PKI certificates without installing smart card middleware such as ActivClient (AC). If you have a fully Personal Identity Verification (PIV) II-compliant CAC, you may be able to use your CAC on Windows 7 computers, to access web sites, without having to install ActivClient 6.2. The following instructions will help you configure Windows 7 to use a CAC without ActivClient 6.2 in some cases. These instructions are not applicable if you already have ActivClient installed.

Solution:

NOTE: These instructions are provided as general guidance for home use only. The AF PKI SPO cannot support help desk calls concerning use of CACs on home computers. If these instructions do not work on your system, visit the ActivClient page for Army users, or the following link for all other military branches to find links to obtain a copy of ActivClient. The Windows 7 version of home use middleware is called ActivClient 6.2.

1. Verify that you have a fully PIV-II-compliant CAC. To determine if your card is compliant, check the card type printed on the back of your CAC. If the type is "Gemalto TOP DL GX4 144K" or "Oberthur ID One 128 v5.5 Dual" then the CAC is fully PIV-compliant. If the type is "Gemalto GCX4 72K DI" or "Oberthur ID One V5.2 Dual" then there is a POSSIBILITY that the CAC is fully PIV-II-compliant depending on when and where your CAC was issued. All other card types are not PIV-II-compliant and cannot be used with Windows 7 without additional middleware.
To definitively determine if your CAC is PIV-II-compliant, use the following directions (these directions assume you do NOT have ActivClient 6.2 already installed on your machine).

NOTE: If you are using an SCR-331 or ActivCard USB reader v2.0, please update your firmware before proceeding.

FIRMWARE UPDATE
for
(Has to be completed using a Windows computer)

This "should" fix the following problems:
1. Card reader is not recognized
2. Shows up as "STCII Smart Card Reader"
3. Does not read your new "Gemalto TOP DL GX4 144K" or "Oberthur ID One 128 v5.5 Dual" CAC.
4. Does not read your CAC when using your Mac
5. Using what this page is all about
i. Install a card reader on your Windows 7 machine. Verify the card reader is properly installed by checking that a reader is listed in the Device Manager under "Smart card readers". (The Device Manager can be accessed by opening the Start menu, right-clicking Computer {which may be listed as a computer name}, and selecting "Manage".)
Insert the CAC in the reader. Verify the card reader is successfully recognizing the CAC by checking that an "Identity Device" is listed in the Device Manager under "Smart cards" as shown below. If it is, your CAC may be PIV-II compliant.
If your CAC is not PIV-II-compliant, the smart card will show up under "Other devices" as shown below:
ii. Open the Internet Explorer (IE) Certificate Store. If you think your CAC is PIV-II compliant, go into IE, select Tools\Internet Options\Content\Certificates. The Personal Tab should open by default. If your CAC is PIV-II-compliant, you should see 3 certificates issued to you by DoD as shown below:
Two of these certificates (the ones that have "EMAIL" in the "Issued By" field) are your standard DoD E-mail Signature and Encryption certificates. The third certificate is your PIV Identity certificate. This PIV Identity certificate is a different certificate than the DoD Identity certificate you normally see when using ActivClient middleware. This should not impact your use on your personal computer. If your CAC is not PIV-II-compliant, no certificates will be listed in the Personal Tab. You will have to install the ActivClient 6.2 in order to use your CAC with Windows 7.
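The two checks from steps i and ii can also be run from a PowerShell prompt instead of Device Manager and the IE dialog. This is an added example, not part of the Air Force guidance above; the function names are hypothetical, and it assumes PowerShell 2.0 or later (as shipped with Windows 7) and only reads device and certificate information.

```powershell
# Added example: read-only versions of steps i and ii.
# Device setup class GUIDs behind the Device Manager categories:
$ReaderClass = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'   # "Smart card readers"
$CardClass   = '{990A2BD7-E738-46C7-B26F-1CF8FB9F1391}'   # "Smart cards"

function Get-SmartCardDevices {
    # Step i: a reader should appear in the reader class; a card that Windows 7
    # recognizes natively should appear in the card class (e.g. "Identity Device").
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $ReaderClass -or $_.ClassGuid -eq $CardClass } |
        Select-Object Name, ClassGuid, Status
}

function Get-CacCertificateSummary {
    # Step ii: summarize every certificate in the current user's Personal store.
    param($Certificates = (Get-ChildItem Cert:\CurrentUser\My))
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    foreach ($cert in $Certificates) {
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        # The page's rule of thumb: "EMAIL" in the issuer marks the e-mail
        # signature/encryption certificates; the remaining DoD one is the identity cert.
        if ($cert.Issuer -match 'EMAIL') { $kind = 'E-mail' } else { $kind = 'Non-EMAIL issuer' }
        New-Object PSObject -Property @{
            Kind       = $kind
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            # No EKU extension at all means the certificate is not purpose-restricted.
            ClientAuth = ($ekuOids.Count -eq 0 -or $ekuOids -contains $clientAuthOid)
        } | Select-Object Kind, Subject, Issuer, NotAfter, Expired, ClientAuth
    }
}

Get-SmartCardDevices | Format-Table -AutoSize
Get-CacCertificateSummary | Format-List
```

An empty certificate list with the card inserted corresponds to the "no certificates will be listed in the Personal Tab" case described above.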
2. Install the DoD PKI Trust Chains. Access the DOD Root CA Download web page (http://dodpki.c3pki.chamb.disa.mil/rootca.html) and follow the directions on the page to install all of the trust chains on your Windows 7 computer.

3. Add Outlook Web Access (OWA) address to IE8 Trusted Sites (for OWA users only). The OWA website must be listed as a trusted site in order for the user to sign or decrypt email. Open IE8 and select Tools\Internet Options\Security. Select the Trusted Sites zone, then click on "Sites". Type the address for your OWA website (for example: https://lackland.mail.us.af.mil/owa) in the box labeled "Add this website to the zone" and click Add. The site will be added to the list. Click Close and then OK to exit the Internet Options window. DTS users will also need to add: https://dtsproweb.defensetravel.osd.mil

4. Access web sites and authenticate with your CAC-based certificates in IE as usual. You will be prompted to select a certificate and enter your Personal Identification Number (PIN) as shown in the screenshots below.

IMPORTANT: If you are accessing a web site that links back to your network account, such as SharePoint or Outlook Web Access (OWA), you may need to select your E-mail Signature certificate (the one that has "EMAIL" in the Issued By field) in order to authenticate. The PIV Identity certificate (the one that does NOT have "EMAIL" in the "Issued By" field) will not work with your Active Directory account (any use that connects back to your work account, like SharePoint or OWA) unless you have used LEAP with this particular CAC to populate your ID Certificate information. Your PIV Identity certificate can always be used for client authentication to web sites that do not link back to your network account. Those accessing AKO will continue to use the non-Email certificate.
5. If you are having issues accessing a web site with your CAC, try the following:

i. Add the web site to the IE "Trusted Sites" list (in IE under Tools\Internet Options\Security).

ii. Open the IE Certificate Store by selecting Tools\Internet Options\Content\Certificates. For each of your certificates in the Personal tab, highlight the certificate and click the "Advanced" button. From within the Advanced Options configuration window select the checkbox for "Client Authentication" then click OK. (These settings are normally NOT required to use the CAC certificates with Windows 7).

iii. In the IE Internet Options window select the Advanced tab. In the Settings box, scroll to the Security section and verify that the checkboxes for TLS 1.0 and SSL 3.0 are checked.

If, after following these instructions, you are unable to get your CAC to work, visit the ActivClient page for Army users, or the following link for all other military branches to find links to obtain a copy of ActivClient. The Windows 7 version of home use middleware is called ActivClient 6.2.
If you have questions or suggestions for this site, contact CW3 Michael J. Danberry
Are you interested in subscribing to the CACnews email list?
Last Update or Review: Thursday, 24 June 2010 16:41 hrs