[SmartcardServices-Users] New CAC-NG Installer v.96

Evans, Paul CIV NAVAIR Bldg 1463 paul.evans1 at navy.mil
Thu Feb 4 11:35:03 PST 2010


If the identity preferences are the issues, shouldn't the old identity preferences that I had in the keychain still have been correct for the websites in question, other than, of course, there being an expired cert listed?  In other words, if I edited my identity preference for a particular website and chose the appropriate certificate from my new CAC, shouldn't that have worked?  I've edited/removed/recreated ID preferences for the CAC enabled websites, trying every cert available with no luck.  I always get the following message from Safari.  

"The website 'insert CAC-enabled website url here' did not accept the certificate 'insert your EDIPI here'".

It then gives me a list of other certs available to choose from, but no matter which one I choose I end up in the same endless loop.  I've captured the traffic exchange via Wireshark and it appears that things fail in the key exchange portion of TLS.

I'm certainly looking forward to upgrading to 10.6, but for the moment I'm still running 10.5.8.  And even if I did upgrade, from a previous post you said there's no guarantee that the out of the box tokend on 10.6 will work with the new cards.

Anyway, I appreciate your help with this.  If anything I'm saying doesn't make sense, please let me know.


-----Original Message-----
From: Shawn A. Geddis [mailto:geddis at apple.com] 
Sent: Thursday, February 04, 2010 12:52
To: Evans, Paul CIV NAVAIR Bldg 1463
Cc: SmartcardServices-Users SmartCardServices-Users
Subject: Re: [SmartcardServices-Users] New CAC-NG Installer v.96

On Feb 4, 2010, at 6:33 AM, Evans, Paul CIV NAVAIR Bldg 1463 wrote:

	Good new is that the installer places the tokend in the correct location.  Bad news is that I still can't use any of the certs at any CAC enabled websites.  I set up identity preferences as I have in the past, but I end up in an endless loop where Safari tells me that the web server will not accept my certificate, choose another.


The CAC-NG Tokend is not what is causing you heartburn for accessing PK-enabled websites....

Due to the unfortunate/varying configurations of DoD Web Servers, it requires the Identity Preference (IDPref).  Good news is that as of 10.6.0, you can create ONE Wildcard IDPref for your purposes and be done (for most if not all of your use cases).

Within the IDPref Panel:


This will resolve ANY server request....  say:





You can also look at the MAN page for 'security' for clarity as well. 

$ man security

Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wild-card character '*' as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".

keep in mind that where a Wildcard may not be appropriate to resolve all of your sites, Mac OS X would of course continue to support multiple URL specific IDPrefs...

Try this and let us know how it goes for you...


Shawn Geddis       geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5686 bytes
Desc: not available
URL: <http://lists.macosforge.org/pipermail/smartcardservices-users/attachments/20100204/42afef10/attachment-0001.bin>

More information about the SmartcardServices-Users mailing list