Military Cac For Mac No Client Certificate Presented

Posted : admin On 17.12.2020

This is a quick guide to getting Apache CAC (or other x509) client certificate authentication enabled. It is directed at Mac, although most of this probably applies to most flavors of Linux. Much of this is attributed to the following references, and for the most part it acts as a fill-in-the-gaps for me.


First get SSL running. A self-signed cert will suffice.

Set up SSL https://gist.github.com/jonathantneal/774e4b0b3d4d739cbc53


  • out of the box, appears to only not complain in Safari [good enough for the moment]
  • Grab the bundled certificates
  • From the README, openssl pkcs7 -in Certificates_PKCS7_v5.0u1_DoD.pem.p7b -print_certs -out DoD_CAs.pem

The generated DoD_CAs.pem will be your CA file referenced from Apache.


  • There are a bunch of other interesting tools: http://iase.disa.mil/pki-pke/Pages/tools.aspx

Select the DOD Class 3 CAC CA certificate if prompted and click OK. Ensure your CAC is inserted in the reader and double click on the message to be read. With the CAC installed, this function is transparent to the user. Department of Defense Public Key Infrastructure (PKI) Air Force Common Access Card (CAC) and PKI Usage Quick. In order for your machine to recognize your CAC certificates and DoD websites as trusted, run the InstallRoot utility (32-bit, 64-bit or Non Administrator) to install the DoD CA certificates on Microsoft operating systems. If you’re running an alternate operating system such as Mac OS or Linux, you can import certificates from the PKCS 7 bundle.


In a perfect world, you will need to set up and maintain a revocation list (not yet done). The above referenced CAC HowTos have more details regarding that. The DoD-maintained revocation list, however, is at https://crl.gds.disa.mil/

This will open up a non-secured port 80 host. It's probably best to direct this somewhere that you are not trying to have authenticated login; as it stands, it is wide open.

DoD CAC smart cards can be used on a Linux-based operating system through a freely available library called “coolkey”. On an Ubuntu operating system the packages added were: libusb-0.1-4, libpcsclite1, libpcsclite-dev, pcscd, and pcsc-tools (the actual command was “sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev. Here is a Common problems and solutions page for specific error codes.


This SSL section is where all the magic happens for the CAC Auth
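
An added example (not the original author's configuration) of an Apache 2.4 mod_ssl setup that requires a client certificate chaining to the DoD_CAs.pem bundle generated above, next to a port 80 host that serves only public content. The hostname, directory and file paths, the verify depth and the CRL file name are assumptions; only DoD_CAs.pem comes from the steps on this page.

```apache
# Added example. cac.example.test and every path below are placeholders (assumptions).

# Plain-HTTP host: unauthenticated, so it points only at public content.
<VirtualHost *:80>
    ServerName cac.example.test
    DocumentRoot "/usr/local/var/www/public"
</VirtualHost>

<VirtualHost *:443>
    ServerName cac.example.test
    DocumentRoot "/usr/local/var/www/secure"

    SSLEngine on
    # Server identity: the self-signed certificate from the SSL setup step.
    SSLCertificateFile    "/usr/local/etc/httpd/ssl/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/httpd/ssl/server.key"

    # Trust anchors for client certificates: the output of the openssl pkcs7 command.
    SSLCACertificateFile  "/usr/local/etc/httpd/ssl/DoD_CAs.pem"

    # The TLS handshake fails unless the client presents a certificate
    # that chains to a CA in the bundle above.
    SSLVerifyClient require
    # Assumed value: allows root -> intermediate CA -> card certificate with headroom.
    SSLVerifyDepth 3

    # Revocation checking, left disabled to match the "not yet done" state of this guide.
    # Enable only once CRLs are downloaded and refreshed on a schedule.
    # SSLCARevocationFile  "/usr/local/etc/httpd/ssl/DoD_CRLs.pem"
    # SSLCARevocationCheck chain

    # Export certificate fields (SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, ...) to applications.
    SSLOptions +StdEnvVars

    <Directory "/usr/local/var/www/secure">
        # Authorization layer on top of the handshake check:
        # grant access only when a client certificate was verified.
        Require ssl-verify-client
    </Directory>

    # Record which certificate subject made each request.
    CustomLog "/usr/local/var/log/httpd/cac_access.log" "%h \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s"
</VirtualHost>
```

With `SSLVerifyClient require`, a browser that sends no certificate is rejected during the handshake, before any page is served; `apachectl configtest` checks the syntax before a restart.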