
Download Dod Certificates For Mac



Download the 5 files via the links below (you may need to click and select Download Linked File As on each link) and save them to your downloads folder.

Please note: if you have any DoD certificates already located in your Keychain Access, you will need to delete them prior to running the AllCerts.p7b file below.

Download the CAC-NG (BETA v0.95) TOKEND file from Mac OS FORGE.org. Restart your computer, then proceed.

INFORMATION: This build supports the Gemalto TOPDLGX4 144 cards, but. Support the Oberthur ID One 128 v5.5 Dual card.

On a Mac computer, DoD root certificates go up to CA 26 only. If you have a CA between 27 and 32, you have to install CAs 27-32 and CA emails 27-32. Download the file here. After extracting the zip file, go to the extracted folder and double-click each certificate to install it on your system.

There is a lot of information out in the wild about how you can get your CAC to work on your Mac, and all the certificates you need to have installed in your Keychain in order to do so. My goal in this forum entry is to clarify and help you understand what it is you're doing with these certificates and why.
NOTE: If you wish to start with a Keychain free of any DOD certificates, search your login and system keychains for any DOD Root, DOD ID, DOD ID SW, and DOD EMAIL certificates, then delete them.
The Mac OS relies heavily on the information you put in the Keychain. When you're installing the various DOD certificates into the Keychain, you're essentially telling the Mac OS how it should handle the certificate and any certificates issued by that server. Of the various DOD certs, the most important will be the DOD Root certs. A root certificate is the top-most certificate of the tree, which means all other certificates further down the tree depend on the trustworthiness of the root. As long as you have the correct DOD Root CA certs installed, trusted, and don't have any duplicates, the rest of the various DOD certs shouldn't show any issues of validation in your Keychain. This has become even more important since macOS High Sierra was released. I have seen situations where users do not get prompted to select a certificate or enter their PIN, or only see a 'com.apple.idms....' certificate in the selection window. My best conclusion is that the Keychain is unable to determine the validity of the CAC certificates, and therefore does not allow you to select them for authentication.
Now let's get started by adding the DoD Root CA certs into your Keychain. Use the following links to download the certificates, and then drag them into your 'System' Keychain:
https://militarycac.com/maccerts/RootCert2.cer
http://militarycac.com/maccerts/RootCert3.cer
http://militarycac.com/maccerts/RootCert4.cer
http://militarycac.com/maccerts/RootCert5.cer
Once they are in your Keychain, they will most likely have a red x next to them. Open each certificate individually, tap the arrow next to the Trust Settings, click the first drop down menu and select Always Trust, then close the Window and enter your Mac password when prompted. If you have any DOD Root CA certificates with blue around the border of the certificate icon, delete those as well. Once you have done this to all of your DOD Root certs, they should look like this:
DOD Root Certs
You can now use https://militarycac.com/maccerts/AllCerts.p7b to download the remainder of the DOD certificates. This one file contains several DOD ID, DOD ID SW, and DOD EMAIL certificates. This one file can also be dragged into your System Keychain. Seeing that we trusted the root certs in the previous step, there is no need to manually trust these certs, and you can confirm this by selecting a certificate and viewing the certificate summary at the top of the window. You should see a green dot with a check and text that says 'This certificate is valid':
Trusted Intermediate
When everything is finished, your Keychain should look similar to mine:
DOD Certs


If there are any questions, corrections, or anything that needs further clarification, please let me know in the comments below.
-Michael

Recently, I wanted to read about the NSA’s Commercial National Security Algorithm (or CNSA) Suite, which is their replacement for the Suite B algorithms. The web site for the CNSA Suite is https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm, but if you go there now on a Mac, you’ll probably get a security warning. The reason is that this web site uses a certificate issued by the DoD, and I didn’t have the DoD certificates installed. How did I get them installed? Read on!

The web site I want to visit uses a cert ultimately coming from the DoD Root CA 3.

To be sure I’m going to the right place, I needed to securely download the DoD’s roots, and then trust the appropriate one. This is not the easiest thing in the world, because a lot of the sites which have the DoD roots are either non-Government sites (which I don’t want to trust), or are Government sites that use the DoD CA (which makes trusting them a catch-22).

The NSA’s web site has this text:

Please visit the Information Assurance Support Environment (IASE) site to download the DoD Root CA Certificates. Select the Trust Store tab and choose the latest InstallRoot: NIPR Windows Installer.


This points you in the right direction, but not to the exactly-right thing (for one thing, I’m not running Windows). You do need to browse to https://iase.disa.mil/pki-pke/Pages/tools.aspx, but what you’re actually looking for is called PKI CA Certificate Bundles: PKCS#7.

Download the “For DoD PKI Only” ZIP file (as of publication, the version number is 5.3). You’ll end up with a folder containing eight files. Four of the files contain the phrase “Root_CA”, and end with “.p7b”. Those are the four files we will be needing.

To install the certs, you’ll be using the Keychain Access application, which is an application that lives in the Utilities folder (which lives in the Applications area). Launch it, and go to your “login” keychain.

The “login” keychain is the one for your specific account, and the “Certificates” category shows all the certificates that you have added (or which have been added for you).

Next, double-click on each of the four .p7b files that we identified above. Or, drag the four .p7b files into the Keychain Access program. You’ll see your certificates list EXPLODE with DoD certs!

Wow that’s a lot of certs!

The four certs that we want are named “DoD Root CA” followed by a number (2, 3, 4, or 5). The other certs are intermediate certs; Safari does not need them, so you should delete all of the “DOD EMAIL”, “DOD ID SW”, and “DOD SW” certs. Once you delete those, your list will be much smaller!

Now, macOS (and Safari) has the CA certs, but the certs are still not trusted. This is a good thing; if you are concerned about trusting a US Government CA, well, right now you aren’t. You can turn trust on and off whenever you want.

To enable trust, double-click on the appropriate CA, expand the Trust section, and choose how you want to trust the CA. Since I’m using Safari, I am changing the SSL entry to “Always Trust”.


When you close the window, you’ll be asked for your password, and then your changes will be saved. You’ll also know that you did it correctly when Keychain Access says that the CA is trusted.

The red X has disappeared from the DoD Root CA 3.

You can now browse to the web site (in Safari or Chrome), and no warnings should appear. Once you are done, you can go back into Keychain Access and remove the trust settings.

Good luck!
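
The bundle-handling steps above can also be done from a terminal before anything touches the keychain. The following is an added example, not part of the original post: it pulls only the self-issued (root) certificates out of a PKCS#7 bundle and prints their SHA-256 fingerprints so they can be compared with values obtained out of band. The function names `p7b_to_pem` and `list_roots` and the output file names are hypothetical, and the page lists no reference fingerprints.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# p7b_to_pem BUNDLE: print every certificate in a PKCS#7 bundle as PEM.
# Tries PEM encoding first, then DER.
p7b_to_pem() {
    openssl pkcs7 -in "$1" -print_certs 2>/dev/null ||
        openssl pkcs7 -inform DER -in "$1" -print_certs
}

# list_roots BUNDLE OUTDIR: copy each self-issued certificate (subject equals
# issuer) to OUTDIR/root-N.pem and print "SHA-256 fingerprint<TAB>subject".
# Intermediates such as the "DOD EMAIL" and "DOD ID SW" CAs are skipped.
list_roots() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    tmp=$(mktemp -d) || return 1
    # Split the PEM stream into one file per certificate.
    p7b_to_pem "$bundle" | awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%03d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }'
    i=0
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        issr=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        [ "$subj" = "$issr" ] || continue
        i=$((i + 1))
        cp "$c" "$outdir/root-$i.pem"
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2)
        printf '%s\t%s\n' "$fp" "$subj"
    done
    rm -rf "$tmp"
}

# Compare each printed fingerprint with one obtained out of band before
# trusting anything. On macOS, a root that matched can then be trusted for
# SSL only in the login keychain, and the trust removed again later:
#   security add-trusted-cert -r trustRoot -p ssl \
#       -k ~/Library/Keychains/login.keychain-db root-1.pem
#   security remove-trusted-cert root-1.pem
if [ "$#" -ge 2 ]; then
    list_roots "$1" "$2"
fi
```

The subject-equals-issuer test only separates roots from intermediates; it says nothing about authenticity, which is what the fingerprint comparison is for.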




