[SmartcardServices-Users] New CAC-NG Installer v.96

Shawn A. Geddis geddis at apple.com
Thu Feb 4 09:52:27 PST 2010

On Feb 4, 2010, at 6:33 AM, Evans, Paul CIV NAVAIR Bldg 1463 wrote:
> Shawn,
> Good news is that the installer places the tokend in the correct location.  Bad news is that I still can't use any of the certs at any CAC enabled websites.  I set up identity preferences as I have in the past, but I end up in an endless loop where Safari tells me that the web server will not accept my certificate, choose another.
> pe 


The CAC-NG Tokend is not what is causing you heartburn for accessing PK-enabled websites....

Due to the unfortunate/varying configurations of DoD Web Servers, it requires the Identity Preference (IDPref).  Good news is that as of 10.6.0, you can create ONE Wildcard IDPref for your purposes and be done (for most if not all of your use cases).

Within the IDPref Panel:


This will resolve ANY server request....  say:


You can also look at the MAN page for 'security' for clarity as well. 

$ man security

Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wild-card character '*' as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".

Keep in mind that where a Wildcard may not be appropriate to resolve all of your sites, Mac OS X would of course continue to support multiple URL specific IDPrefs...

Try this and let us know how it goes for you...

Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer				   geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
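
Added example (not part of the original message, and not Apple's implementation): a small Python model of the wildcard rule quoted from the `security` man page above, set beside the single-label wildcard rule used for TLS certificates, to show how much wider a wildcard identity preference reaches. The function names, the sample hosts, and the handling of cases the quoted text does not cover (a bare `*`, the parent domain itself) are assumptions.

```python
# Model of the matching rule quoted from the man page. Hypothetical helper
# names; bare host names only (no URL schemes or paths).

def _labels(name):
    # Case-insensitive DNS labels, ignoring a trailing root dot.
    return name.lower().rstrip(".").split(".")

def idpref_matches(pattern, host):
    """Identity-preference wildcard: '*' as the leftmost component covers
    one or more leading labels of the host name."""
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h
    suffix = p[1:]
    if not suffix:
        return False  # bare "*": not described in the quoted text (assumption)
    # Compare whole labels, so "*.army.mil" does not cover "notarmy.mil".
    # The parent domain itself ("army.mil") is assumed not to match.
    return len(h) > len(suffix) and h[-len(suffix):] == suffix

def tls_wildcard_matches(pattern, host):
    """Certificate-style wildcard (RFC 6125): '*' stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h
    return len(h) == len(p) and h[1:] == p[1:]

def scope_report(pattern, hosts):
    """Map each host to (covered by the identity preference,
    covered by a TLS-style wildcard with the same spelling)."""
    return {h: (idpref_matches(pattern, h), tls_wildcard_matches(pattern, h))
            for h in hosts}

# Constructed sample hosts; the first four come from the man page examples.
SAMPLE_HOSTS = [
    "server1.subdomain1.army.mil",
    "server2.subdomain2.army.mil",
    "server.army.mil",
    "server.navy.mil",
    "notarmy.mil",
    "www.example.com",
]

if __name__ == "__main__":
    for pattern in ("*.army.mil", "*.mil"):
        print(pattern)
        for host, (idpref, tls) in scope_report(pattern, SAMPLE_HOSTS).items():
            print(f"  {host:30} idpref={idpref!s:5} tls-style={tls}")
```

Running it lists, for each pattern, which hosts would be offered the preferred identity under the quoted rule and which of those a certificate-style wildcard would not have covered.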
