Showing posts with label CAC. Show all posts

Wednesday, October 7, 2015

CAC on Firefox using Ubuntu 15.04

After a couple of years away from CAC on Linux, it's time to revisit how to install a DOD CAC reader for Firefox under Ubuntu 15.10.

Very good instructions are on the Ubuntu Help pages. This guide clarifies a few vague elements, and reorganizes the information to help you troubleshoot.

There are five simple steps:
  • Get an appropriate card reader
  • Install the card reader software (pcscd)
  • Test the card, reader, and software
  • Install cackey
  • Install the DOD certs and point Firefox to the card reader

The Firefox extension requires cackey, cackey requires pcscd, and pcscd requires hardware to detect. We will follow best practice for Debian/Ubuntu and install the dependencies first, in the right order.


Get A Card Reader

There's nothing to add here. The Ubuntu Help page says it all.



Install Card Reader Software


sudo apt-get install pcscd pcsc-tools

The key software you need is the pcsc daemon and its libpcsclite1 dependency. pcsc-tools is handy for testing the connection in the next step.



Test the card reader and software


Insert your CAC card and run:

pcsc_scan

As shown on the Ubuntu Help page, the pcsc_scan output clearly shows whether your card reader and card are detected.



Install cackey

The cackey library provides access to the cryptographic and certificate functions of the CAC card.

1) You need to know if your Ubuntu system is a 32-bit or 64-bit install. Don't trust a sticker or what you remember - checking takes but a moment:

uname -i

If the result is 'i386' or similar, you are running a 32-bit system. Look for a download labeled 'i386'.
If the result is 'x86_64' or similar, you are running a 64-bit system. Look for a download labeled 'amd64'.

2) There are two places to download the latest cackey package from:
https://software.forge.mil/sf/projects/community_cac (CAC required)
http://cackey.rkeene.org/fossil/home (non-CAC)

3) Download the latest cackey .deb package. Be sure to choose between 32/64 bit properly - the wrong package will happily install...but won't work.

4) Bug workaround for 64-bit only: Cackey tries to install to the /usr/lib64 directory, which probably doesn't exist on your system. Simply create it. This bug does not affect 32-bit users, who can safely ignore this entire paragraph.

5) Finally, install the downloaded cackey deb using the 'dpkg --install' command.


Example:
1) I'm running a 64-bit system.
3) I downloaded cackey_0.7.5-1_amd64.deb to my Downloads directory.
Then I installed the deb using:

sudo mkdir /usr/lib64        ## Step 4 - 64-bit bug workaround
sudo dpkg --install ~/Downloads/cackey_0.7.5-1_amd64.deb    ## Step 5
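
A pre-install check for steps 1 to 5, added here as an example (it is not part of the original post or of cackey): it compares the machine type with the package's architecture and, on 64-bit systems, checks that /usr/lib64 exists. The function names are hypothetical; the package's own Architecture field is read with dpkg-deb when the file is present, otherwise the label in the file name is used.

```shell
# Added example: catch a 32/64-bit mismatch before 'dpkg --install'.

# Map the machine type printed by uname to the label in the download name.
deb_label_for_machine() {
    case "$1" in
        x86_64|amd64) echo amd64 ;;
        i386|i486|i586|i686) echo i386 ;;
        *) return 1 ;;
    esac
}

# Architecture a .deb was built for: its control field when dpkg-deb can
# read the file, otherwise the last "_"-separated part of the file name.
deb_label_of_package() {
    if [ -f "$1" ] && command -v dpkg-deb >/dev/null 2>&1; then
        dpkg-deb --field "$1" Architecture 2>/dev/null && return 0
    fi
    name=${1##*/}
    name=${name%.deb}
    echo "${name##*_}"
}

# cackey_preinstall_check MACHINE DEB [LIB64_DIR]
# Returns 0 if ready, 1 on an architecture mismatch, 2 if MACHINE is not
# recognised, 3 if the 64-bit workaround directory is missing.
cackey_preinstall_check() {
    want=$(deb_label_for_machine "$1") || {
        echo "unrecognised machine type: $1" >&2
        return 2
    }
    have=$(deb_label_of_package "$2")
    if [ "$want" != "$have" ]; then
        echo "mismatch: this system needs $want, package is $have" >&2
        return 1
    fi
    lib64=${3:-/usr/lib64}
    if [ "$want" = amd64 ] && [ ! -d "$lib64" ]; then
        echo "missing $lib64: create it first (step 4 workaround)" >&2
        return 3
    fi
    echo "ok: $have package matches this system"
}

# Usage, with the file name from the example above:
#   cackey_preinstall_check "$(uname -i)" ~/Downloads/cackey_0.7.5-1_amd64.deb
```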



Install DOD Certificates and Point Firefox to the Card Reader

Happily, forge.mil has a Firefox add-on that does all this for you!

1) Simply download the latest 'dod_configuration-X.X.X.xpi' file from http://www.forge.mil/Resources-Firefox.html (non-CAC).

2) Quit Firefox

3) Double-click on the dod_configuration-X.X.X.xpi file you downloaded (it might be in your Downloads directory). Firefox will restart, and offer to install the add-on. Go ahead and install it.




Testing

Try your favorite CAC website (like AKO or OWA) and see if the site works, and if the site communicates properly with your card.

Be sure your USB card reader is snugly inserted, of course.

Start (or restart) Firefox after your CAC reader and card are inserted and recognized by the system. 

Monday, February 8, 2010

Using a US DOD CAC Card with Ubuntu 9.10

Superseded by http://cheesehead-techblog.blogspot.com/2015/10/cac-on-firefox-using-ubuntu-1504.html

Adding a CAC Card reader and using a CAC card with Ubuntu used to be bloody hard. Getting the hardware recognized, getting the add-ons to Firefox and Evolution, installing the certificates, what a pain!
Well, I tried again, using the Ubuntu help center instructions at https://help.ubuntu.com/community/CommonAccessCard
Result: I can log into AKO using my CAC Card! After four years of hoping. Hooray!

Monday, July 14, 2008

Installing DOD CLASS 3 CA-7 security certificate into Firefox 3.0

Superseded by http://cheesehead-techblog.blogspot.com/2015/10/cac-on-firefox-using-ubuntu-1504.html

The US Army has a plethora of websites to keep its mighty bureaucracy chugging along. Unfortunately, the security certificate they all require is not included in Firefox 3.0 (under Ubuntu 8.04). Here's how to get it and install it.
NOTE: The certificate is worthless to non-DOD people. It doesn't give you access, you still need an account. It's really boring, anyway, and none of the cool secret stuff is in these websites. All the certificate really does for most people is prevent the annoying message: This website has a certificate that I don't trust.
  1. Download the following three files to the desktop:
    • http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.p7b
    • http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
    • http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b


    The easy way in Linux is to use curl to fetch all three files:

    curl -O http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.p7b -O http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b -O http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b

  2. Go to the Firefox Certificate Manager
    • Open Firefox
    • Edit Menu --> Preferences
    • Advanced settings
    • Encryption tab
    • View Certificates button

  3. Import the three new certificates
    (Repeat for each certificate)
    • Authorities tab
    • Click the 'Import' button
    • Show Firefox where the downloaded certificate is and click 'OK'

  4. Fix a bug with the CLASS 3 CA-7 Certificate
    • In the Certificate Manager, Authorities Tab, scroll down to the new 'US Government' entries
    • Select DOD CLASS 3 CA-7, and click the 'Edit' button
    • Two of the certificate boxes should be checked. Check them if they are not:

      This certificate can identify web sites

      This certificate can identify mail users

  5. Whew. You're done. Close the windows, restart Firefox and test it.
Importing the same certificates into Evolution follows a similar method.
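
An added example, not from the original post: list the SHA-256 fingerprint and subject of every certificate in a downloaded .p7b file, so they can be compared with values from a source you already trust before the import in step 3. It assumes the bundles are DER-encoded and that openssl is installed; the function names are hypothetical.

```shell
# Added example: see which authorities a .p7b bundle would add to Firefox.

# p7b_fingerprints FILE
# Prints "<SHA-256 fingerprint>  <subject>" for each certificate in a
# DER-encoded PKCS#7 bundle.
p7b_fingerprints() {
    bundle=$1
    workdir=$(mktemp -d) || return 1
    # Convert the bundle to a run of PEM certificates.
    if ! openssl pkcs7 -inform DER -in "$bundle" -print_certs \
            -out "$workdir/all.pem" 2>/dev/null; then
        echo "not a DER-encoded PKCS#7 bundle: $bundle" >&2
        rm -rf "$workdir"
        return 1
    fi
    # Split the run into one file per certificate.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$workdir/all.pem"
    for cert in "$workdir"/cert*.pem; do
        [ -e "$cert" ] || break
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        printf '%s  %s\n' "$fp" "$subject"
    done
    rm -rf "$workdir"
}

# p7b_contains_fingerprint FILE EXPECTED
# Succeeds only if EXPECTED (a SHA-256 fingerprint obtained from a source you
# already trust) matches a certificate in FILE. Case and colons are ignored.
p7b_contains_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    listing=$(p7b_fingerprints "$1") || return 1
    printf '%s\n' "$listing" | cut -d' ' -f1 | tr -d ':' | grep -qxF "$expected"
}

# Usage: p7b_fingerprints rel3_dodroot_2048.p7b
```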