LINUX SUPPORT PAGE
Linux support provided by Nathan Wolf
The following is a guide to assist in setting up your Linux computer to access CAC-enabled DoD websites from the general to the specific.
The Linux CAC Reader stack is based on a set of middleware called PCSC (Personal Computer Smart Card), written by the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project.
pcsc-lite - PCSC Smart Cards Library
pcsc-ccid - generic USB CCID (Chip/Smart Card Interface Devices) driver
Note: Depending on your card reader you may need to install other drivers
perl-pcsc - Abstraction layer to smart card readers
pcsc-tools - Optional but highly recommended, these tools are used to test a PCSC driver, card and reader
The naming of this package / library name varies from one distribution to another depending on the package maintainer. For example if you want to find the pcsc-lite package, enter into the search engine of your choice:
pcsc lite yourdisribution
Replace yourdisribution with openSUSE, Fedora or Ubuntu; whatever you are running
The original module to read PKCS #11 keys was 'Coolkey' which has been replaced by the currently required module 'CACkey', available from DISA's Linux development site: https://community.forge.mil/content-cac
NOTE: A computer with working CAC authentication is required for the download.
Forge.mil hosts both CACkey and the DoD Configuration extension, but it also needs CAC authentication to download the packages. Easiest may be to download all on a CAC enabled computer and then transfer to the Linux machine via thumb drive. From forge.mil download:
· The latest version of CACkey
· The latest version of the DoD Configuration extension for Firefox
Recommend these be stored on AKO Cloud, Dropbox, Google Drive, portable media, or other location to ensure continued access.
Firefox requires a plug-in and some tweaking.
The plug-in is the aforementioned DoD Configuration extension for Firefox obtained from DISA
Once installed it may need configuring:
· Select from the menu, Tools > Add-ons
· Once the Add-ons page is loaded, Select Extensions > DOD Configuration [version] and click Preferences.
· Click the certificate buttons to update the certificate cache with the necessary DOD certificates, then click Redetect Smart Card Reader.
· If it fails to find the reader all is not lost--go to https://www.us.army.mil or some other CAC-required site and give it a try--it often works.
If the CAC Module is not working:
· Select from the menu, Edit > Preferences > Advanced > Encryption > Security Devices
· Check the left column. It should show an entry similar to "CAC Module" along with certificate(s) as a sub-item. If it doesn't work then the entries are wrong.
· Select the entry and select Unload to remove the security device
◦ To install / reinstall the CAC driver in Firefox using the above listed Security Devices
· Select Load on the dialog box
· Module name should be something like: DoD CAC
· Module filename: either type in or browse to the location of the libcackey.so drivers
files will be located under either:
OpenJDK is not compatible with DBSign. You will have to install Java from Oracle. This varies from distribution to distribution.
See below for distribution specific information.
Available for Linux by visiting the DoD Class 3 PKI page on DISA.mil
Some older links, that "may" help you:
There's a Firefox plug-in that allows you to digitally sign Gmail messages with a digital certificate from your CAC in the web interface:https://addons.mozilla.org/en-US/firefox/addon/592
Linux Debian "Etch" using GemPlus
Another Soldier used Ubuntu 8.04 (Hardy Heron) with Mozilla's Thunderbird for email. He used Coolkey to get the CAC reader working with Firefox, then loaded Coolkeys pkcs module into Thunderbird.
Another Ubuntu forums website where you can read about configuration / utilization of your CAC.
Using Linux with your CAC links on Google
If you have questions or suggestions for this site, contact Michael J. Danberry
Are you interested in subscribing to the CACNews email list?
Last Update or Review: Tuesday, 17 February 2015 09:58 hrs
The following domain
names all resolve to the same website: ChiefsCACSite.com,
The following domain names all resolve to the same website: ChiefsCACSite.com, CommonAccessCard.us, CommonAccessCard.info, & ChiefGeek.us