June 24, 2009

DoD CAC Cards and Gentoo Linux

Because the only guide on setting up DoD CAC cards on Gentoo was lost when the Gentoo Wiki went down (it is back now, minus a number of articles), I decided to write a guide on getting a working DoD CAC setup on a Gentoo system.

If you don't know what a CAC (Common Access Card) is, Wikipedia has a good article on them. It is the smart card ID issued to U.S. Department of Defense personnel (military, civilian employees and eligible contractors). Besides the printed identification, the chip holds the holder's certificates and private keys, which is what lets the card authenticate you to CAC-enabled websites.

Software Installation

Alright, this is fairly simple. Here's what you will need:

sys-apps/pcsc-lite  USE="hal -static -usb"
app-crypt/coolkey USE="-debug"
app-crypt/ccid USE="-nousb -twinserial"

Make sure you emerge those packages with the USE flags shown above, and record them in /etc/portage/package.use rather than only on the command line, so a later world update does not rebuild pcsc-lite with different flags. Be aware that the hal and usb USE flags for pcsc-lite are mutually exclusive, so enable hal and disable usb; a USB smart card reader still works, since HAL handles the device detection.

Now start the pcscd service.

/etc/init.d/pcscd start

Your CAC reader, and the card inserted in it, should now be recognized. If something seems wrong, stop the service and run pcscd in the foreground with debug output so you can see what it makes of the reader and card:

pcscd -d -f

Accessing CAC Enabled Websites w/ Firefox

You'll need to load the CoolKey PKCS#11 module as a security device in Firefox to complete this procedure. Go to "Edit" > "Preferences" > "Advanced" > "Encryption".

Now click on "Security Devices". A new window will pop up. Select "Load" from that window and enter the following:

Module Name: Anything You Want
Module Filename: /usr/lib64/pkcs11/libcoolkeypk11.so

Now click "OK". The module you named should now be listed (on a 32-bit system the library lives under /usr/lib/pkcs11 instead of /usr/lib64/pkcs11). If your CAC reader is plugged in and your card is inserted, the reader appears underneath the module name with your card's information beneath it. If only the module name appears and no reader, pcscd is most likely not running.

Now install the DoD root CA certificates from the page below by clicking each of the links and, when Firefox prompts, trusting the CA to identify websites. Without these roots Firefox cannot validate the server certificates of DoD sites and you will get certificate warnings on every one. Note that the page is served over plain HTTP, so if you can, compare the certificate fingerprints Firefox shows against a copy obtained through a trusted channel before accepting them:

http://dodpki.c3pki.chamb.disa.mil/rootca.html
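The whole procedure above, from USE flags to the Firefox security module and CA import, as a script with the checks between steps that the GUI walkthrough skips. This is an added example, not part of the original post. It takes the package names, USE flags, module path and CA page from the article; everything else is assumed: modutil and certutil come from NSS (dev-libs/nss with USE="utils" on Gentoo), package.use is assumed to be a directory (with a single file, append the lines instead), and the file name "cac", the module nickname "CoolKey CAC" and the "--run" switch are just this script's choices.

```shell
#!/bin/bash
# cac-setup.sh: the article's CAC-on-Gentoo procedure as a script, plus the
# checks a practitioner wants between the steps. Added example, not from the
# original post. Assumed: package names, USE flags and module path from the
# article; modutil/certutil from NSS (dev-libs/nss with USE="utils").

# Defaults can be overridden in the environment, e.g. to try the functions
# without root.
: "${PORTAGE_USE_DIR:=/etc/portage/package.use}"
: "${COOLKEY_MODULE:=/usr/lib64/pkcs11/libcoolkeypk11.so}"
: "${FIREFOX_DIR:=${HOME:-/root}/.mozilla/firefox}"

# 1. Pin the USE flags in package.use so a later world update does not
#    silently rebuild pcsc-lite with usb instead of hal. Assumes the
#    directory layout of package.use; with a single file, append instead.
write_use_flags() {
    mkdir -p "$PORTAGE_USE_DIR"
    cat > "$PORTAGE_USE_DIR/cac" <<'EOF'
sys-apps/pcsc-lite hal -static -usb
app-crypt/coolkey -debug
app-crypt/ccid -nousb -twinserial
EOF
}

# 2. Checks before touching Firefox: the PKCS#11 library must exist, and
#    pcscd must be running, otherwise the module loads but never shows a
#    reader or token (the "module listed, no card" symptom).
check_pkcs11_module() { [ -r "$COOLKEY_MODULE" ]; }
pcscd_running() { pgrep -x pcscd >/dev/null 2>&1; }

# 3. Every Firefox profile has its own NSS database (cert8.db, key3.db,
#    secmod.db), so the module and the CA certs go into each one. Paths in
#    profiles.ini are relative to the profiles directory unless IsRelative=0.
firefox_profiles() {
    dir="${1:-$FIREFOX_DIR}"
    [ -f "$dir/profiles.ini" ] || return 1
    sed -n 's/^Path=//p' "$dir/profiles.ini" | while IFS= read -r p; do
        case "$p" in
            /*) printf '%s\n' "$p" ;;
            *)  printf '%s\n' "$dir/$p" ;;
        esac
    done
}

# 4. Command-line equivalent of Security Devices > Load. Firefox must be
#    closed while modutil writes to the profile's databases.
add_coolkey_module() {
    profile="$1"; name="${2:-CoolKey CAC}"
    modutil -dbdir "$profile" -add "$name" -libfile "$COOLKEY_MODULE" -force
    modutil -dbdir "$profile" -list
}

# 5. Import one DoD CA certificate file (saved from the DISA page above) as
#    a trusted CA. Trust flags "CT,C,C": trusted to issue server and client
#    certificates for SSL, and trusted CA for e-mail and object signing. The
#    fingerprint is printed so it can be compared with a trusted copy.
import_ca_cert() {
    profile="$1"; file="$2"; nick="$3"
    certutil -d "$profile" -A -n "$nick" -t "CT,C,C" -i "$file"
    certutil -d "$profile" -L -n "$nick" | grep -A1 Fingerprint
}

# Whole procedure: install, start pcscd now and at boot, verify, then load
# the module into every profile. CA certs still need import_ca_cert per file.
cac_setup() {
    write_use_flags
    emerge --ask sys-apps/pcsc-lite app-crypt/coolkey app-crypt/ccid
    rc-update add pcscd default
    /etc/init.d/pcscd start
    check_pkcs11_module || { echo "missing $COOLKEY_MODULE" >&2; return 1; }
    pcscd_running || { echo "pcscd not running; try: pcscd -d -f" >&2; return 1; }
    firefox_profiles | while IFS= read -r profile; do
        add_coolkey_module "$profile"
    done
}

# Only run everything when invoked as: ./cac-setup.sh --run
# (without --run the file can be sourced to use the functions one at a time)
if [ "${1-}" = "--run" ]; then cac_setup; fi
```

Two caveats when using it. Firefox keeps one NSS database per profile, so close the browser before add_coolkey_module or import_ca_cert touch it; profiles that use the newer cert9.db format need the database passed as -dbdir sql:$profile (and -d sql:$profile for certutil). And rc-update add pcscd default is the step the GUI walkthrough leaves out: without it the daemon is gone after the next reboot and the module shows up in Firefox with no reader under it.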

You are now ready to log in to CAC-enabled websites!
