[SmartcardServices-Users] JITC CAC card gets "An untrusted certificate authority was detected while processing the smart card certificate used for authentication" login error...

Shawn A. Geddis geddis at mac.com
Thu Apr 8 01:41:33 PDT 2010


Paul,

Note that the Root Cert "DoD JITC Root CA 2" is not part of the "System Root" (immutable Root Store) and hence would require that you enable trust for that Root CA - Mac OS X requires administrative trust set for Anchors not pre-shipped by Apple.  To be more accurate, you can set the Trust Anchor to be any Cert within the Trust Path, since Mac OS X supports a multi-tiered Trust Model.

You can accomplish this via the CLI security command or of course via the GUI of Keychain Access.

security add-trusted-cert [<options>] [certFile]

Usage: add-trusted-cert  [<options>] [certFile]
    -d                  Add to admin cert store; default is user
    -r resultType       resultType = trustRoot|trustAsRoot|deny|unspecified;
                        default is trustRoot
    -p policy           Specify policy constraint (ssl, smime, codeSign, IPSec, iChat,
                        basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap)
    -a appPath          Specify application constraint
    -s policyString     Specify policy-specific string
    -e allowedError     Specify allowed error (certExpired, hostnameMismatch) or integer
    -u keyUsage         Specify key usage, an integer
    -k keychain         Specify keychain to which cert is added
    -i settingsFileIn   Input trust settings file; default is user domain
    -o settingsFileOut  Output trust settings file; default is user domain
    -D                  Add default setting instead of per-cert setting
    certFile            Certificate(s)

When you click on and view the certificates in Keychain Access, the Status of the Certificate is displayed in the header area.  If it is as I suspect, you will see "This certificate was signed by an untrusted issuer".

-Shawn

__________________________________________________
Shawn Geddis                    geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:        Smart Card Services
    Web:   http://smartcardservices.macosforge.org/
    Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________

On Apr 6, 2010, at 9:23 AM, Paul Kwan wrote:

> Hi All,
> 
>     I posted this message in the Fed-Talk forum accidentally. I should post it here. Here’s my message:
> 
>     I have a test JITC CAC card that worked on Mac and Windows workstations since May last year. Now I got the following error when trying to login again:
> 
>     1) From the Windows login screen, it pops up this error message:
> 
> The system could not log you on. An untrusted certificate authority was detected while processing the smart card certificate used for authentication
> 
>    2) On the Mac, secure.log shows a similar error message complaining about "An untrusted CA..."
> 
>     The JITC CAC card is valid until next year. And the DoD certs on AD are also valid:
> 
>         2.1) “DOD OM CA-20”: Valid from 8/3/2007 to 8/1/2013
>         2.2) “DOD OM EMAIL CA-20”: Valid from 8/2/2007 to 4/1/2013
>         2.3) “DoD JITC Root CA 2”: Valid from 7/14/2005 to 7/2/2030
> 
>     3) I can access and download the CRL files without any problem:
> 
>         3.1) http://crl.nit.disa.mil/getcrl?DoD JITC Root CA 2
>         3.2) http://crl.nit.disa.mil/getcrl?DOD OM CA-20
>         3.3) http://crl.nit.disa.mil/getcrl?DOD OM EMAIL CA-20
> 
>     Does anybody out there see a similar problem? How can I fix this so that my test JITC CAC card works again? Thanks for the help in advance.
> 
> PSK
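The check-then-trust procedure Shawn describes, as an added shell script (not code from the list post or the Smart Card Services project): it looks for the root's SHA-1 fingerprint in Apple's immutable System Roots keychain and, only if it is absent, records an admin-domain trustRoot setting with `security add-trusted-cert`. The keychain paths are the Mac OS X 10.5/10.6 defaults and the certificate file path is a placeholder you supply.

```shell
#!/bin/sh
# Added example. Assumes: /usr/bin/security and openssl as shipped with
# Mac OS X 10.6; the argument is the DoD JITC Root CA 2 cert (DER or PEM)
# you fetched, e.g. ./DoD_JITC_Root_CA_2.cer (placeholder path).

SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# SHA-1 fingerprint of a DER or PEM cert: upper-case hex, no colons,
# the same form `security find-certificate -Z` prints.
cert_sha1() {
    { openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null \
      || openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha1; } \
      | sed -e 's/^.*=//' -e 's/://g'
}

# Reads `security find-certificate -a -Z <keychain>` output on stdin and
# returns 0 when fingerprint $1 appears on a "SHA-1 hash:" line.
hash_in_listing() {
    grep -i "^SHA-1 hash: $1\$" >/dev/null
}

# 0 if the cert is already one of Apple's pre-shipped anchors.
in_system_roots() {
    security find-certificate -a -Z "$SYSTEM_ROOTS" \
        | hash_in_listing "$(cert_sha1 "$1")"
}

# Anchor the cert for every user: admin trust domain (-d), trustRoot (-r),
# stored in the System keychain (-k). Needs an administrator.
trust_root_for_admin() {
    sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$1"
}

main() {
    if in_system_roots "$1"; then
        echo "already an Apple-shipped root; no trust setting needed"
    else
        echo "not in System Roots; adding admin trust setting"
        trust_root_for_admin "$1"
    fi
}

if [ $# -eq 1 ]; then
    main "$1"
fi
```

After the command runs, the certificate's status line in Keychain Access should no longer read "This certificate was signed by an untrusted issuer".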