DOD CAC Card on Ubuntu Linux

So, you are a government employee AND a Linux geek. Join the club. It is possible to use your smart card to access DOD CAC Card enabled sites. A must-do project for the Linux geek in you.


I’m doing this with an IOGEAR GSR202, and it will work with a lot of other CAC Card readers as well. I’m using Ubuntu 18.04.

First of all, the information is taken from this excellent website (MilitaryCAC.com). While almost perfect, it has a few minor issues that could foul a fella up. I seek to clarify those here.

First, let’s download the Certs for your browser. They also come from the page I have linked above (MilitaryCAC.com). Download here. Hold tight. We’ll get back to them.

Now we need to install two packages, pcscd and coolkey. The easiest way to do this and pull in their dependencies is with Synaptic. If you don’t have it, install it.

sudo apt-get install synaptic

Now open it as super user once it is installed.

sudo synaptic

In the search field type “pcsc”. Everything that installs with it should have a check mark next to it, or be green if it is already installed. Just for fun I put a check in pcsc-tools as well. Then hit Apply to install.

Now do the same for coolkey. It will tell you to add the two dependencies listed below it. Do that and hit Apply to install.

Now open Firefox and go to “Preferences > Privacy And Security” and click “View Certificates”. Click the “Import” button and individually import each of the Certs you downloaded at the beginning of this. Check both “Trust” boxes before you import each one. I’m not sure you have to check both boxes for all of them, but it is the safe play. Have fun. This will take a while.

Once all the Certs are imported (I know you hated that part), click on the button in the pic above that says “Security Devices”. We now need to load the coolkey module. Click the “Load” button in the pic below.

Now name your module DODCAC or something like that, set the path to /usr/lib/pkcs11, select coolkeypk11.so, and then hit OK.

You should now be able to visit CAC Card enabled sites, in the Firefox browser only at this point.
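The same three steps (find the PKCS#11 library, import the DoD CA certificates as trusted authorities, load the module into the browser) can be done from a terminal instead of the Firefox dialogs, using the modutil and certutil tools from libnss3-tools. The script below is an added example written for this page, not code from the post or from MilitaryCAC. It assumes libnss3-tools is installed, that Firefox profiles live under ~/.mozilla/firefox and use the cert9.db (sql:) database format, that Chrome/Chromium reads ~/.pki/nssdb, and that the module library is one of the filenames named in the post and its comments (libcoolkeypk11.so, coolkeypk11.so, opensc-pkcs11.so, libcackey.so); the certificate directory is wherever you unzipped the download.

```shell
#!/bin/sh
# Register a CAC PKCS#11 module and the DoD CA certificates with every NSS
# database that Firefox and Chrome/Chromium use on this account.
# Assumptions (mine, not the post's): module names/directories below, Firefox
# profiles under ~/.mozilla/firefox with cert9.db, Chrome under ~/.pki/nssdb.

# Candidate PKCS#11 libraries in order of preference (names from the post/comments).
PKCS11_CANDIDATES="libcoolkeypk11.so coolkeypk11.so opensc-pkcs11.so libcackey.so"
PKCS11_DIRS="/usr/lib/pkcs11 /usr/lib/x86_64-linux-gnu/pkcs11 /usr/lib64/pkcs11"
MODULE_NAME="CAC Module"

# find_pkcs11_module [dir ...]: print the first candidate library found under
# the given directories (default: PKCS11_DIRS); exit status 1 if none exists.
find_pkcs11_module() {
    dirs=${*:-$PKCS11_DIRS}
    for d in $dirs; do
        for f in $PKCS11_CANDIDATES; do
            if [ -f "$d/$f" ]; then
                printf '%s\n' "$d/$f"
                return 0
            fi
        done
    done
    return 1
}

# nss_dbdirs: print every browser NSS database directory found for this user.
nss_dbdirs() {
    [ -d "$HOME/.pki/nssdb" ] && printf '%s\n' "$HOME/.pki/nssdb"
    for p in "$HOME"/.mozilla/firefox/*/; do
        [ -f "${p}cert9.db" ] && printf '%s\n' "${p%/}"
    done
    return 0
}

# nss_module_registered <dbdir> <name>: 0 if modutil already lists the module.
nss_module_registered() {
    modutil -dbdir "sql:$1" -list 2>/dev/null | grep -qE "^ *[0-9]+\. $2\$"
}

# nss_register_module <dbdir> <libpath>: add the module once. -force skips
# modutil's "close your browsers" prompt, so close them before running this.
nss_register_module() {
    if nss_module_registered "$1" "$MODULE_NAME"; then
        echo "$1: $MODULE_NAME already registered"
        return 0
    fi
    modutil -dbdir "sql:$1" -add "$MODULE_NAME" -libfile "$2" -force
}

# cert_is_pem <file>: 0 if the file is PEM ("-----BEGIN ..."), 1 if DER/binary.
cert_is_pem() {
    head -c 11 "$1" | grep -q -- '-----BEGIN'
}

# nss_import_ca <dbdir> <certfile>: import one DoD CA certificate as an
# authority trusted to issue server certs (C) and client certs (T) for SSL, and
# trusted for email (C): the same trust the two "Trust" boxes in Firefox grant.
# Importing as an authority (not a personal cert) is what avoids the
# "you do not own the corresponding private key" error.
nss_import_ca() {
    nick=$(basename "$2" | sed 's/\.[^.]*$//')
    if cert_is_pem "$2"; then ascii=-a; else ascii=; fi
    certutil -d "sql:$1" -A -n "$nick" -t "CT,C,C" $ascii -i "$2"
}

# setup <cert-dir>: import the certs and load the module into every database.
setup() {
    certdir=${1:?usage: $0 setup <directory of DoD CA .cer/.pem files>}
    lib=$(find_pkcs11_module) || {
        echo "no PKCS#11 module found; install coolkey, opensc or cackey" >&2
        exit 1
    }
    nss_dbdirs | while IFS= read -r db; do
        echo "== $db"
        for c in "$certdir"/*.cer "$certdir"/*.pem; do
            [ -f "$c" ] && nss_import_ca "$db" "$c"
        done
        nss_register_module "$db" "$lib"
        # Show module list and, with the card inserted, its token name.
        modutil -dbdir "sql:$db" -list | grep -E "^ *[0-9]+\.|token:"
    done
}

case "${1:-}" in
    setup) setup "$2" ;;
esac
```

Run it as `sh cac-nss-setup.sh setup ~/dod-certs` with every browser closed and the card inserted. The final modutil -list should show the module as a second entry after “NSS Internal PKCS #11 Module”, with a token line carrying your name and DOD ID digits; if the token line is missing, pcscd is not seeing the reader or card, and the browser step will fail no matter how the module is loaded.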

26 thoughts on “DOD CAC Card on Ubuntu Linux”

  1. James Grow

    I attempted to import the certificates. However, I received the following error each time:

    “This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.”

    I used both the link you provided and the Military CAC specific link, but neither worked. Any help in getting this resolved would be appreciated.

    Reply
      1. tko

        After you click on “View Certificates”, click on the “Authorities” tab and then import. The error happens when you try to import from the first “Your certificates” tab.

        Reply
  2. Harry Pits

    When I go to add coolkey to the security devices I get a warning stating “unable to load module”. Downloaded all the necessary packages, have the latest version of firefox, and the package is in the correct directory. Help please?

    Reply
    1. TJ

      I had this issue too. I uninstalled all of the packages mentioned, rebooted, and re-installed everything. I did not install “pcsc-tools” this time around. After reinstalling the packages, Firefox accepted the coolkeypk11.so file and loaded the module. Hope this helps!

      Reply
  3. Ricky Cartner

    Wow, I’ve CAC enabled a few Linux machines and followed at least 4 different instructions, and this was by far the easiest to follow. MilitaryCAC has great information but, as you said, is sometimes difficult to follow. Screenshots were a plus, along with the use of the Synaptic GUI.

    Reply
    1. Vovchyk

      Oh, nevermind. I was using my email cert instead of my signing cert. Works now. Great instructions, thanks! This is actually worlds easier than it ever was on my Mac.

      Reply
  4. MikeD

    Thanks so much for the great walkthrough. Got this going in 2 minutes plus the time to load the certs 🙂
    I really appreciate it and looking forward to reading more on your blog. Seems like we have similar interests.

    Reply
  5. melonstube

    Site contains CACkey in order to allow Firefox to access the CAC through the reader (please remember this link needs to be accessed from an already CAC enabled computer).

    Reply
  6. Todd Bissell

    FYI: the module in question is now named “/usr/lib/pkcs11/libcoolkeypk11.so”.

    Great article, thanks for posting this!

    Reply
  7. S.Yee

    Using Ubuntu 16.04. Both Firefox and Chrome are not able to pick up the PIV ID Cert from my CAC, but both browsers can see my other 3 certs, namely the CAC ID, Email Signature, and Email Encryption. Anyone know how to get the PIV ID Cert to be selectable from the browser authentication prompt when accessing certain DoD sites that require the PIV ID Cert instead of the basic CAC ID Cert?

    Reply
    1. N@t3D0g

      I also do not see the PIV certs in the options to select. Guess we’ll see what happens as my org transitions soon to PIV for sign in. If anyone finds a way to make these visible then I would love to know!

      Reply
    2. Michael

      Unfortunately CoolKey will not access the PIV certificate. In order to use PIV, you will need to uninstall CoolKey and use either CACkey or OpenSC. Both work for me quite well, but the module you will need to load is no longer “libcoolkeypk11.so”. On my Ubuntu 19.10 box with OpenSC the module I needed to load is “/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so”

      Reply
      1. andrew

        Thank-you so very much for the update! My wife is a V/A behavioral health nurse and trying to wfh as much as possible now w/ covid-19. The card reader was the last piece of the puzzle to have her up and running on our Linux systems.

        Reply
        1. Pete

          Michael,
          I wanted to echo Andrew’s thanks. Tons of searching and trying; following your steps got me into EE.

          Thanks!
          Pete

          Reply
  8. N@t3D0g

    You sir are amazing. Simple to do and worked flawlessly for Firefox.
    A couple of things worthwhile to have on this page (also on MilitaryCAC’s linux page or Ubuntu’s community page on CAC, but adding in a comment so all in one place):
    1) In a terminal run the application pcsc-scan (I think this comes with pcsc-tools) to see the status of your card reader. If it gives you a “Card state:” of any sort you should be good to go; if it keeps searching, you may have an issue with the reader you are using.

    $ pcsc-scan

    2) For Chrome/Chromium setup on an Ubuntu distro (I’m running elementaryOS 5.1/Ubuntu 18.04 for context), after you complete the steps here for Firefox and get that working:
    a) Install libnss3-tools (if not already installed)

    $ sudo apt-get install libnss3-tools

    b) Close Chrome/Chromium if open (I would just close all web browsers to be safe, based on the warning you get in terminal for the next step)
    c) With the CAC inserted into the CAC reader, make sure you are in /home and add the “CAC Module” pkcs11 library:

    $ cd ~
    $ modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/pkcs11/libcoolkeypk11.so

    d) You should get a message saying ‘Module “CAC Module” added to database.’ You can also test if added using the following command:

    $ modutil -dbdir sql:.pki/nssdb/ -list

    Output should have at least 2 entries, the first being “NSS Internal PKCS #11 Module” and the second being “CAC Module”, where your name should appear in the token (LASTNAME.FIRSTNAME.MIDDLENAME.######, where ###### are the first 6 digits of your DOD ID number).

    e) Test out Chrome/Chromium and see if it works!
    I got this working on Chrome and tested in webmail and aim 2.0 with success. The only question I have now is if there is a way to get S/MIME control in Firefox or Chrome/Chromium so I don’t have to figure out how to get Internet Explorer going in linux to send/receive encrypted emails…

    Reply
  9. Rob S

    I got as far as loading the CoolKey module. After clicking “Security Devices”, I noticed that my “DODCAC” is not listed in the Device Manager window. The reader is a USB SCR 3310 and the drivers are already loaded.
    I didn’t use CACKey. The link appears to be broken.

    Any ideas as what might be wrong?

    Reply
  10. Michael S

    When using the above method, I get a screen that asks for my “Master Password”. I enter my pin and on the next page I get to select the certificate to use. The problem is the correct certificate is not offered: I have a choice between a CA49 and CA51. I know I need a CA52 but it doesn’t give me the option to select it.

    How can I force it to give me that choice?

    Reply
  11. Timothy Cook

    During the install of OpenSC and all the packages it depends on I receive the below prompt. Does anyone have helpful steps for this?

    “OpenDNSSEC requires manual configuration before the signer and enforcer daemons can be started.”

    “One of these configuration steps consists of installing and configuring a Hardware Security Module (HSM) that will handle the cryptographic key operations. Most people will want to use the software HSM implementation provided by the recommended softhsm2 package, but other options are possible.”

    “The file /etc/opendnssec/prevent-startup is created during fresh installations and prevents the daemons from being automatically started. You should remove this file and start the daemons once you have configured OpenDNSSEC.”

    Reply
  12. Walter Johnson

    Made it all the way to the last step and can’t load the libcoolkeypk11.so; it keeps saying “Unable to add module”.
    Anyone have a solution for this? Frustrating to make it to the last step and not get finished.

    Reply
