Use a DoD smartcard to access CAC enabled websites

By now you’ve likely heard about the benefits of two-factor authentication. Enabling multi-factor authentication can increase the security of the accounts you use to access social media websites like Twitter and Facebook, or even your Google Account. This post goes a bit further.

The U.S. Armed Services span millions of military and civilian employees. If you’re a member of these services, you’ve probably been issued a DoD CAC smartcard to access various websites. With the smartcard come compatibility issues, specific instructions tailored to each operating system, and a host of headaches. It’s difficult to find reliable instructions for accessing military websites from Linux operating systems. This article shows you how to set up your Fedora system to log in to DoD CAC enabled websites.

Installing and configuring OpenSC

First, install the opensc package:

sudo dnf install -y opensc

This package provides the necessary middleware to interface with the DoD Smartcard. It also includes tools to test and debug the functionality of your smartcard.

With that installed, next set it up under the Security Devices section of Firefox. Open the menu in Firefox, and navigate to Preferences -> Advanced.

In the Certificates tab, select Security Devices. From this page select the Load button on the right side of the page. Now set a module name (“OpenSC” will work fine) and use this screen to browse to the location of the shared library you need to use.

Browse to the /lib64/pkcs11/ directory, select opensc-pkcs11.so, and click Open. If you’re currently a “dual status” employee, you may wish to select the onepin-opensc-pkcs11.so shared library instead. If you have no idea what “dual status” means, carry on and simply select the former library.

Click OK to finish the process.

Now you can navigate to your chosen DoD CAC enabled site and log in. You’ll be prompted to enter the PIN for your CAC, then select a certificate to use. If you’re logging into a normal DoD website, select the Authentication certificate. If you’re logging into a webmail service such as https://web.mail.mil, select the Digital Signing certificate. NOTE: “Dual status” personnel should use the Authentication certificate.
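
A PKCS#11 module is native code that runs inside Firefox and handles your PIN, so it is worth checking the library and the card from a terminal before (or after) loading it. The script below is an added example, not part of the original article; the function names and the script name are hypothetical, and it assumes GNU stat, rpm, and the opensc-tool and pkcs11-tool utilities that ship with OpenSC.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the OpenSC
# PKCS#11 module before loading it into Firefox. Function names are hypothetical.

MODULE_DIR="${MODULE_DIR:-/lib64/pkcs11}"   # directory named in the article

# Print the library the article says to load: the onepin variant for
# "dual status" users, the plain one otherwise. Fails if it is missing.
pick_module() {   # usage: pick_module <dir> [dual]
    name=opensc-pkcs11.so
    [ "${2:-}" = "dual" ] && name=onepin-opensc-pkcs11.so
    [ -f "$1/$name" ] || return 1
    printf '%s\n' "$1/$name"
}

# Reject a module that group or other can write to (octal digit 2, 3, 6 or 7
# in the group or other position of the mode reported by GNU stat).
module_perms_ok() {   # usage: module_perms_ok <path>
    mode=$(stat -L -c '%a' "$1") || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

cac_preflight() {   # usage: cac_preflight [dual]
    mod=$(pick_module "$MODULE_DIR" "${1:-}") || {
        echo "no OpenSC module in $MODULE_DIR; is opensc installed?" >&2; return 1; }
    module_perms_ok "$mod" || {
        echo "$mod is group/world-writable; do not load it" >&2; return 1; }
    rpm -qf "$mod" || return 1                             # package that owns the file
    opensc-tool --list-readers || return 1                 # is the reader visible?
    pkcs11-tool --module "$mod" --list-slots || return 1   # is the card in a slot?
    pkcs11-tool --module "$mod" --list-objects --type cert # certificates on the card
}

# Only run the checks when asked to: sh cac-check.sh run [dual]
case "${1:-}" in
    run) cac_preflight "${2:-}" ;;
esac
```

With the card inserted, run it as `sh cac-check.sh run`, or `sh cac-check.sh run dual` to check the onepin library.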


7 Comments

  1. Brad Smith

    The same process works for the PIV card format used by US Federal civilian agencies. See also https://sagecreeksoft.blogspot.com/ for some additional hints on obtaining the intermediate certs that may or may not be installed by default on a Fedora system.

  2. Pavel Roskin

    Thank you for posting the detailed instructions for the brave men and women in the US military! This story speaks volumes of Fedora’s readiness to serve people beyond the usual geek/IT/engineering crowd. It’s an example for other security-conscious organizations. It’s also a reminder for Fedora’s developers that Fedora is serving people who put their lives on the line. Security issues should be treated accordingly.

    I hope to see more stories like this, showcasing the security technologies present in Fedora.

  3. Daniel K

    Khris,

    Do you think you would be able to contribute to this website?:

    https://militarycac.com/

    • Hi Daniel,

      I’ve visited that page many times seeking help for Windows systems, so I’d be happy to help.

      Are you in contact with one of the site admins?

  4. DarkLight

    Khris thank you for the post.

    Been using the CAC on Fedora and Firefox for some years, but instead of the opensc module, been using the libcoolkey module. When accessing a site and using the opensc pkcs11 module you get a PIN and certificate selection prompt multiple times. Using libcoolkey only prompts once for certificate selection. Card reader is OMNIKEY AG CardMan 3121.

    sudo dnf install -y coolkey

  5. Maimela

    Is there any way to use my biometric scanner to log in to Fedora?


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc.