08 August 2014

Using a PIV card on Fedora and Firefox

Personal Identity Verification (PIV) cards are used where I work as part of a standard two-factor authentication system for logging into your PC and all agency web applications. These are effectively the same as the Common Access Cards (CAC) used by the Department of Defense.

I wanted to be able to use this card from my home workstation running Fedora to access work web sites without having to cart home my work laptop. I could not find any single set of explicit instructions on the web to do this so I thought I would document the steps I followed. These steps were greatly informed by this post: https://help.ubuntu.com/community/CommonAccessCard.

At a high level the process requires you to (a) identify the certificate on your PIV card that is used for web site authentication, (b) export all intermediate and root certificates for that authentication certificate and add them to Firefox so that it can validate the authentication certificate, and (c) configure your Fedora system and Firefox to recognize the card reader and process the PIV card.

The basic steps I followed are:

  1. Install the necessary RPMs (as of this date): opensc-0.13.0-5.fc20.x86_64, pcsc-tools-1.4.17-8.fc20.x86_64. There may be others, but these are key.
  2. Get a supported card reader. Some time ago I bought an OmniKey 3121, which works. A more current list of supported readers can be found at http://pcsclite.alioth.debian.org/ccid/section.html.
  3. I used Internet Explorer on my work computer to export the root authority and intermediate certificates for the authentication certificate on my PIV. See http://forge.mil/downloads/How_to_add_CAC_reader_to_Firefox.pdf (pdf; new window) for good instructions. The root certificate will not necessarily be the same as the one shown in that document, but the procedure for finding these certificates is simple. In IE 11, select Internet Options | Content | Certificates | Personal. Then use the Intended Purpose drop-down just above the tabs to select Authentication. This will reduce the list to one or two certs. The instructions in the PDF can then be followed to extract and export the necessary root and intermediate certificates.
  4. Transfer the exported certificates to your Fedora computer. Start Firefox and follow the instructions in http://forge.mil/downloads/How_to_add_CAC_reader_to_Firefox.pdf to import them into Firefox.
  5. Configure Firefox to recognize the card reader: Firefox Preferences | Advanced | Certificates | Security Devices. Click on Load to open a dialog box with the title "Load PKCS#11 Module". Enter any name in the Module Name field (e.g. Lincpass). In the Module filename field, browse to and select /usr/lib64/pkcs11/opensc-pkcs11.so. Save and close out of Preferences. Prior to selecting opensc-pkcs11.so I tried to use the corresponding coolkey library but, while it recognized the card reader, it would not read the card.
  6. Close Firefox completely.
  7. Insert the card in the reader and validate that the card is recognized by running pcsc_scan.
  8. Open Firefox and open a PIV card protected web site. Click the link for authenticating with the PIV card. If everything is working, Firefox will prompt for the card PIN and you should have access to the site.
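The same procedure can be driven from a terminal, which also makes it easier to see which certificate on the card is the authentication one and which issuer you still need to export. The script below is an added example, not part of the original post or of OpenSC: it assumes the opensc, pcsc-lite and nss-tools packages (for `pkcs15-tool`, `opensc-tool`, `certutil` and `modutil`) plus openssl, a Firefox profile under `~/.mozilla/firefox/*.default*`, the exported CA certificates copied in PEM form to `$HOME/piv-chain`, and the module name "OpenSC PIV"; all of those are assumptions you may need to change.

```shell
#!/bin/sh
# Added example (not from the original post): PIV card setup for Firefox on
# Fedora from the command line. Assumes opensc, pcsc-lite, nss-tools and
# openssl are installed; every path and name below is an assumption.
MODULE=${MODULE:-/usr/lib64/pkcs11/opensc-pkcs11.so}
CERT_DIR=${CERT_DIR:-$HOME/piv-chain}   # exported root/intermediate CA certs, PEM format (assumed)

# First Firefox profile directory found under ~/.mozilla/firefox (assumed layout).
firefox_profile_dir() {
    for d in "$HOME"/.mozilla/firefox/*.default*; do
        if [ -d "$d" ]; then echo "$d"; return 0; fi
    done
    echo "no Firefox profile found" >&2
    return 1
}

# NSS database prefix: newer profiles use cert9.db (sql:), older ones cert8.db (dbm:).
nss_db() {
    if [ -f "$1/cert9.db" ]; then echo "sql:$1"; else echo "dbm:$1"; fi
}

# Turn the output of `pkcs15-tool -c` (read from stdin) into "id<TAB>label" lines,
# one per certificate, so the authentication certificate can be picked by label.
parse_cert_listing() {
    awk '
        /^X\.509 Certificate \[/ {
            label = $0
            sub(/^X\.509 Certificate \[/, "", label)
            sub(/\]$/, "", label)
        }
        /^[ \t]*ID[ \t]*:/ { printf "%s\t%s\n", $3, label }
    '
}

# Print the ID of the first certificate whose label contains the pattern
# (default: the PIV Authentication certificate).
auth_cert_id() {
    pattern=${1:-PIV Authentication}
    parse_cert_listing | awk -F'\t' -v p="$pattern" 'index($2, p) { print $1; exit }'
}

# Load every PEM certificate from CERT_DIR into the profile as a trusted issuer.
import_ca_certs() {
    db=$1
    for f in "$CERT_DIR"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        certutil -d "$db" -A -a -n "$name" -t "CT,C,C" -i "$f" && echo "imported $name"
    done
}

# Register the OpenSC PKCS#11 module so Firefox sees the reader without the GUI dialog.
register_module() {
    db=$1
    modutil -dbdir "$db" -add "OpenSC PIV" -libfile "$MODULE" -force
    modutil -dbdir "$db" -list
}

setup() {
    [ -f "$MODULE" ] || { echo "missing $MODULE: is opensc installed?" >&2; exit 1; }
    opensc-tool --list-readers           # the reader must appear here before anything else works
    pkcs15-tool -c > /tmp/piv-certs.txt  # certificates present on the inserted card
    id=$(auth_cert_id < /tmp/piv-certs.txt)
    [ -n "$id" ] || { echo "no PIV Authentication certificate on card" >&2; exit 1; }
    pkcs15-tool -r "$id" -o /tmp/piv-auth.pem
    # The issuer printed here is the intermediate CA whose chain you need to export (step 3).
    openssl x509 -in /tmp/piv-auth.pem -noout -subject -issuer
    profile=$(firefox_profile_dir) || exit 1
    db=$(nss_db "$profile")
    import_ca_certs "$db"
    register_module "$db"
    # Chain check: succeeds only once the root and every intermediate are in CERT_DIR.
    cat "$CERT_DIR"/* > /tmp/piv-chain.pem
    openssl verify -CAfile /tmp/piv-chain.pem /tmp/piv-auth.pem
}

# Run `sh piv-setup.sh setup` with Firefox closed and the card inserted.
case "${1:-}" in setup) setup ;; esac
```

The `openssl verify` at the end is the useful check: if it fails, Firefox will also refuse to present the card certificate, and the `-issuer` line tells you which CA certificate is still missing from the chain.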

References
https://help.ubuntu.com/community/CommonAccessCard