[SmartcardServices-Users] Mountain Lion Login window

Shawn Geddis geddis at apple.com
Tue May 28 22:22:57 PDT 2013

On May 29, 2013, at 1:44 AM, "Jorgensen, Will A" <Will at pnnl.gov> wrote:
>> When I'm already logged in, the PIV card shows up in the keychain and the certificates show up as valid (I had to install some root certificates to get that).
> Question again on why you would need to install roots for certificates on a PIV card.  Is this a self-generated PIV Card with internal / test identities and not US Federal Government issued Identities ?  I ask because the System Root Keychain should already have the necessary CA Roots Certificates for proper trust validation and revocation checking for US Federal Government issued Identities.  If not, please let me know what was not there, so that I can correct that.
> Answer – They are DOE certificates issued by an Entrust Managed Services SSP CA which I didn't see in the system root keychain.  Looking at it further, I'm not sure I actually solved it anyway since the certificates in the PIV card show up as being signed by an untrusted user. 


Ahh, we may be at the heart of your problem.... If your PIV Certs show up as signed by an untrusted user that is the root cause of you not being able to log in with Attr Matching or PKINIT.  The PubKeyHash method does not do certificate status checking, but both Attr Matching and PKINIT do verify that the certificate is trusted and valid prior to login.

You must resolve this first before being able to move on.  Are the DOE issued certificates not resolved (Trust Path Validation) to the "Federal Common Policy CA" Root CA Certificate ?  Looking at the certificate I have for you at @pnnl.gov it is signed using a "Department of Energy", "Pacific Northwest National Laboratory" Root CA Certificate.  You need to specifically mark that Root CA Cert as trusted on your system (since it is not in System Roots and trusted) and then any certificate signed by it will appear as valid if all else is correct with the certificate.

Launch Keychain Access (KA)
Select "Certificates" in the Category (lower left corner)
Enter "Department of Energy" in the Search Field (upper right corner)
Double-click the Certificate "Department of Energy" with Serial Number "998328652" to open it
Click the 'disclosure' triangle in front of the word 'Trust' in the certificate's window
Select Always Trust
Provide your Admin Account PW and the Trust will be set to Always Trust that Root

Now go back to setting up Login.

The unfortunate point to note is that many of the DOE labs have Root CA Certs issued by an Entrust Managed Services SSP CA that resolves to the DOE Root CA and not the "Federal Common Policy CA" which Apple includes in the Trusted Root Store.
Let me see if we need to look into including the DOE Root CA Cert in the System Roots.  That would have solved your problem to begin with.  Federal PKI directs only trusting the "Federal Common Policy CA", but let me see what I can do.

- Shawn
Shawn Geddis                                      geddis at me.com
Enterprise Security Consulting Engineer, Apple    geddis at apple.com

MacOSForge: Smart Card Services  Project Lead:
    Web:   http://smartcardservices.macosforge.org/
    Lists: http://lists.macosforge.org/mailman/listinfo
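The trust-path point in the message above (a PIV certificate chains through an SSP CA to a root that is absent from the system trust store, so it shows as "untrusted" until that root is marked trusted) can be reproduced outside the Keychain with OpenSSL. The script below is an added example, not part of Shawn's message or the Smart Card Services project: every certificate in it is constructed locally, and the names "Example DOE Root CA", "Example SSP CA" and the leaf subject are placeholders that only mirror the hierarchy the email describes. It validates the same leaf three times: with no trust anchors, with only the intermediate as an anchor, and with the root as an anchor.

```shell
#!/bin/sh
# Added example (not from the thread): show with OpenSSL why a PIV certificate
# reads as "untrusted" until its ROOT is a trust anchor.  All material here is
# CONSTRUCTED locally; the hierarchy just mirrors the one described in the email:
#   Example DOE Root CA  ->  Example SSP CA (intermediate)  ->  PIV authentication leaf
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate into $WORK.
#   $1 = short name, $2 = subject, $3 = X.509 extensions, $4 = issuer short name ("" = self-signed)
issue_cert() {
    name=$1; subject=$2; exts=$3; issuer=$4
    printf '%s\n' "$exts" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        # self-signed root: the equivalent of the "Department of Energy" root in the email
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
            -CAcreateserial -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth'

# Build root -> intermediate (SSP CA) -> leaf, the shape of the chain on the card.
build_hierarchy() {
    issue_cert root '/O=Example DOE/CN=Example DOE Root CA'          "$CA_EXT"   ''
    issue_cert ssp  '/O=Example DOE/CN=Example SSP CA'               "$CA_EXT"   root
    issue_cert leaf '/O=Example DOE/CN=Example PIV Authentication'   "$LEAF_EXT" ssp
}

# Validate the leaf.  $1 = file holding the trust anchor(s), or "" for an empty trust store.
# The SSP CA is always supplied as an UNTRUSTED intermediate, the way a card presents its
# chain; it only counts once the path reaches a trusted self-signed root.
# Prints "trusted" or "untrusted".
verify_leaf() {
    anchors=$1
    if [ -n "$anchors" ]; then
        set -- -CAfile "$anchors"
    else
        set --
    fi
    # -no-CAfile/-no-CApath keep the machine's default store out of the picture
    if openssl verify -no-CAfile -no-CApath "$@" -untrusted "$WORK/ssp.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

build_hierarchy
echo "no anchors:         $(verify_leaf '')"               # untrusted
echo "SSP CA as anchor:   $(verify_leaf "$WORK/ssp.pem")"  # untrusted: path never reaches a self-signed root
echo "DOE root as anchor: $(verify_leaf "$WORK/root.pem")" # trusted
```

The middle case is the one that bites in practice: importing the issuing SSP CA does not help, because path validation needs the chain to terminate at a trusted self-signed root, which is exactly why the Keychain Access steps above mark the "Department of Energy" root rather than the intermediate. On a Mac the same check against the real card certificate is `security verify-cert -c <leaf.cer>` (it honours the keychain trust settings, so it reports what Keychain Access shows), and the command-line counterpart of the "Always Trust" steps is `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <root.cer>` run as an administrator; both are standard macOS `security` subcommands, not something the email itself mentions.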
