Adobe and PKCS11 Module
Has anyone gotten digital signing via cac card to work in Adobe Professional 8 using 10.6? I have tried to load both /usr/local/lib/pkcs11/libcoolkeypk11.dylib and /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so as a module in Adobe following the instructions from http://lists.apple.com/archives/fed-talk/2008/Jan/msg00071.html It's unable to load either module. Any help would be appreciated. Thanks Ben
I've never tried using Acrobat Professional or 10.6, but with Adobe Reader and 10.5, I never got smart card support working on OS X before Reader 9.0. Starting with Reader 9.1, you don't need to add a PKCS#11 module as they use the system Keychain. If you're trying to use a DoD CAC/PIV card, you'll also need to load the DoD PKI certificates, as outlined in the post you linked. - David -----Original Message----- From: Ben Dugas Sent: Wednesday, March 24, 2010 3:13 PM To: smartcardservices-users@lists.macosforge.org Subject: [SmartcardServices-Users] Adobe and PKCS11 Module Has anyone gotten digital signing via cac card to work in Adobe Professional 8 using 10.6? I have tried to load both /usr/local/lib/pkcs11/libcoolkeypk11.dylib and /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so as a module in Adobe following the instructions from http://lists.apple.com/archives/fed-talk/2008/Jan/msg00071.html It's unable to load either module. Any help would be appreciated. Thanks Ben
On Mar 25, 2010, at 11:10 AM, Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 55620 wrote:
I've never tried using Acrobat Professional or 10.6, but with Adobe Reader and 10.5, I never got smart card support working on OS X before Reader 9.0. Starting with Reader 9.1, you don't need to add a PKCS#11 module as they use the system Keychain.
If you're trying to use a DoD CAC/PIV card, you'll also need to load the DoD PKI certificates, as outlined in the post you linked.
- David
David, It is true that earlier versions of Acrobat required PKCS#11 and current versions utilize Apple's built-in Security Services (inculding keychains), but they do not use the "System" keychain as noted. They access your supported Smart Card as a Keychain via the APIs, but the System Keychain is a separate keychain altogether.
If you're trying to use a DoD CAC/PIV card, you'll also need to load the DoD PKI certificates, as outlined in the post you linked.
There is no need to ever "load the DoD PKI certificates" to use the CAC-NG, unless you are referring to the newest Intermediate CAs that were just published and not yet included in a Software Update for Mac OS X. DOD CA-25, DOD CA-26, DOD EMAIL CA-25, DOD EMAIL CA-26 Adding the "SystemCACertificates.keychain" to the Keychain list (which already ships with Mac OS X) gives you all of the other Intermediate CA Certs used within DoD. /System/Library/Keychains/SystemCACertificates.keychain -Shawn __________________________________________________ Shawn Geddis geddis@mac.com Security Consulting Engineer geddis@apple.com MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
On 3/26/10 7:59 AM, "Shawn A. Geddis" <geddis@apple.com> wrote:
It is true that earlier versions of Acrobat required PKCS#11 and current versions utilize Apple's built-in Security Services (inculding keychains), but they do not use the "System" keychain as noted. They access your supported Smart Card as a Keychain via the APIs, but the System Keychain is a separate keychain altogether.
I guess I wasn't clear. I didn't mean the System Keychain specifically, but rather the operating system provided Keychain services generically, as it it uses the Keychain stuff rather than needing to be linked to a PKCS#11 module like Coolkey.
There is no need to ever "load the DoD PKI certificates" to use the CAC-NG, unless you are referring to the newest Intermediate CAs that were just published and not yet included in a Software Update for Mac OS X. DOD CA-25, DOD CA-26, DOD EMAIL CA-25, DOD EMAIL CA-26
Actually, I was referring to importing the certs into Adobe Reader's certificate list, not into the OS X Keychain. Maybe it doesn't need it anymore? I haven't had to set this up in a while. - David
On Mar 24, 2010, at 6:13 PM, Ben Dugas wrote:
Has anyone gotten digital signing via cac card to work in Adobe Professional 8 using 10.6? I have tried to load both /usr/local/lib/pkcs11/libcoolkeypk11.dylib and /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so as a module in Adobe following the instructions from http://lists.apple.com/archives/fed-talk/2008/Jan/msg00071.html It's unable to load either module. Any help would be appreciated.
Thanks Ben
Ben, Adobe Acrobat will work when you have the right pieces in place. Acrobat Pro 8 required PKCS#11 If you use CoolKey (full PKCS#11 support) then you would need to compile for 64-bit Universal If you use tokendPKCS11.so (ONLY a PKCS#11 Shim) then you must utilize a Smart Card already supported by a Tokend you have installed When you have issues such as this, it is essential to capture the logs for any assistance. /var/log/system.log /var/log/secure.log __________________________________________________ Shawn Geddis geddis@mac.com Security Consulting Engineer geddis@apple.com MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
participants (4)
-
Ben Dugas
-
David Mueller
-
Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 55620
-
Shawn A. Geddis