[SmartcardServices-Users] JITC CAC card gets " An untrusted certificate authority was detected while processing the smart card certificate used for authentication" login error...

Paul Kwan paul.kwan at centrify.com
Sat May 1 14:20:39 PDT 2010


Hi Shawn,

    I wanted to close this thread. As soon as I got the correct URL from DISA to download and install the latest root certs on my CA host, everything was back to normal. I didn't need to touch anything on the Mac side. Thanks for the help from you and all the forum people who responded. Cheers.

PSK

On 4/8/10 7:20 AM, "Paul Kwan" <paul.kwan at centrify.com> wrote:

Hi Shawn,

    The odd part of this is that I have had this working since last May with the Mac and Windows. Now both don't work with the same error. I am sure I didn't have to do the security command before. I'll try this next on the Mac. Thanks.

PSK

On 4/8/10 1:41 AM, "Shawn A. Geddis" <geddis at mac.com> wrote:

Paul,

Note that the Root Cert "DoD JITC Root CA 2" is not part of the "System Root" (immutable Root Store) and hence would require that you enable trust for that Root CA - Mac OS X requires administrative trust set for Anchors not pre-shipped by Apple.  To be more accurate, you can set the Trust Anchor to be any Cert within the Trust Path, since Mac OS X supports a multi-tiered Trust Model.

You can accomplish this via the CLI security command or of course via the GUI of Keychain Access.

security add-trusted-cert [<options>] [certFile]

Usage: add-trusted-cert  [<options>] [certFile]
    -d                  Add to admin cert store; default is user
    -r resultType       resultType = trustRoot|trustAsRoot|deny|unspecified;
                        default is trustRoot
    -p policy           Specify policy constraint (ssl, smime, codeSign, IPSec, iChat,
                        basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap)
    -a appPath          Specify application constraint
    -s policyString     Specify policy-specific string
    -e allowedError     Specify allowed error (certExpired, hostnameMismatch) or integer
    -u keyUsage         Specify key usage, an integer
    -k keychain         Specify keychain to which cert is added
    -i settingsFileIn   Input trust settings file; default is user domain
    -o settingsFileOut  Output trust settings file; default is user domain
    -D                  Add default setting instead of per-cert setting
    certFile            Certificate(s)

When you click on and view the certificates in Keychain Access, the Status of the Certificate is displayed in the header area.  If it is as I suspect, you will see "This certificate was signed by an untrusted issuer".

-Shawn

__________________________________________________
Shawn Geddis      geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________

On Apr 6, 2010, at 9:23 AM, Paul Kwan wrote:

Hi All,

    I posted this message in the Fed-Talk forum accidentally. I should post it here. Here's my message:

    I have a test JITC CAC card that has worked on Mac and Windows workstations since May last year. Now I get the following error when trying to log in again:

    1) From the Windows login screen, it pops up this error message:

The system could not log you on. An untrusted certificate authority was detected while processing the smart card certificate used for authentication

    2) On the Mac, secure.log shows a similar error message complaining about "An untrusted CA..."

    The JITC CAC card is valid until next year. And the DoD certs on AD are also valid:

        2.1) "DOD OM CA-20": Valid from 8/3/2007 to 8/1/2013
        2.2) "DOD OM EMAIL CA-20": Valid from 8/2/2007 to 4/1/2013
        2.3) "DoD JITC Root CA 2": Valid from 7/14/2005 to 7/2/2030

    3) I can access and download the CRL files without any problem:

        3.1) http://crl.nit.disa.mil/getcrl?DoD JITC Root CA 2
        3.2) http://crl.nit.disa.mil/getcrl?DOD OM CA-20
        3.3) http://crl.nit.disa.mil/getcrl?DOD OM EMAIL CA-20

    Does anybody out there see a similar problem? How can I fix this so that my test JITC CAC card works again? Thanks for the help in advance.

PSK
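The failure Paul describes and Shawn's point that the trust anchor can be any certificate in the path can be reproduced offline with a throwaway chain. This is an added shell example, not code from the thread or from the Smart Card Services project; it assumes only the openssl CLI (1.1.1 or later), and every name and file in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root -> issuing CA
# -> card certificate chain, then verify the card certificate against three
# different trust configurations. Assumes the openssl CLI is on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# newcsr NAME SUBJECT: fresh RSA key plus CSR under $WORK.
newcsr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Stand-ins for the thread's "DoD JITC Root CA 2" -> "DOD OM CA-20" -> CAC
# certificate path (constructed names, one-day validity).
build_chain() {
    newcsr root '/CN=Constructed Test Root CA'
    openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    newcsr inter '/CN=Constructed Test Issuing CA'
    openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" 2>/dev/null
    newcsr leaf '/CN=Constructed Test Card Holder'
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf ANCHOR_FILE [extra openssl verify flags]: returns 0 when the card
# certificate chains to a trusted anchor, 1 otherwise. The issuing CA is always
# offered as an untrusted intermediate, as a login service would receive it.
verify_leaf() {
    anchor=$1; shift
    if openssl verify -CAfile "$anchor" -untrusted "$WORK/inter.pem" "$@" \
        "$WORK/leaf.pem" >/dev/null 2>&1; then return 0; else return 1; fi
}

build_chain
# 1) Root installed as the anchor: complete, trusted chain.
verify_leaf "$WORK/root.pem" && echo "root as anchor: trusted"
# 2) Issuing CA known but no trust set on it and no root: the untrusted issuer
#    failure from the thread (openssl: "unable to get issuer certificate").
verify_leaf "$WORK/inter.pem" || echo "issuing CA known, not an anchor: untrusted"
# 3) The same issuing CA explicitly made the anchor (-partial_chain): trusted,
#    which is what setting trust on a non-root cert in the path achieves.
verify_leaf "$WORK/inter.pem" -partial_chain && echo "issuing CA as anchor: trusted"
```

Case 2 is the state Paul hit: nothing on the card changed, the verifier simply could not reach a trusted anchor until the current root certificates were installed.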
