[SmartcardServices-Users] Odd Keychain CAC and Certificate behavior
Peter Walsh
peter.walsh at jackpinetech.com
Thu Aug 16 11:29:23 PDT 2018
Our team has been seeing some very odd behavior with certs & CACs over the past few months that we cannot resolve. We operate a DoD site with PKI auth, so we are constantly testing and consuming using various configs. Multiple users have had this problem.
The config in question is:
macOS 10.13.5 and 10.13.6
Centrify Express for Smart Card 5.4.2 (542668)
Chrome (latest) & Safari (latest)
Oberthur and G&D Smart Cards
Cert Behaviors
===========
1) The server side SSL cert comes up as untrusted because Keychain Access.app traces it up through an intermediate DoD Root to the Fed Bridge root, not the correct path to the DoD Root CA 3 (this root CA is in Keychain Access.app and explicitly trusted). It is like Keychain Access.app is matching on name rather than cert. Not sure how we get to this state, but the only resolution is to reboot the system. It has occurred with multiple sites. At one point I was able to open two sessions to the same site and, in side-by-side windows, show each resolving the cert through a different path. (Picture attached, not sure if it will make it onto the mail list.)
CAC Behaviors
============
2) User successfully authenticates to the site with their CAC. After ~20-30 seconds on a page, when he clicks on a link, he is asked to enter his PIN to unlock his CAC again. This continues during the entire session. While this is happening, if he opens Keychain Access.app, the CAC shows as locked.
3) User unlocks CAC in Keychain Access.app, launches the browser, then tries to authenticate to the site. The browser just hangs until the CAC is removed from the reader, then the slider will appear to select from the other soft certs on the system (e.g. ECA).
4) Insert CAC into reader while Keychain Access.app is open and it never appears. This is different from past behavior of Keychain Access.app.
4a) Quit Keychain Access.app, reinsert CAC. The CAC appears on the left as a keychain, but nothing appears on the right; clicking the lock prompts for PIN but doesn't actually unlock. Browser does not see any cert; removing CAC from reader allows the browser slider to appear and see the other soft certs on the system.
Thanks for any input. We are going to try some other middleware but otherwise not sure of options.
Peter Walsh
Jackpine Technologies Corp.
peter.walsh at jackpinetech.com
c. 617/816-6001