CAC Reader / Smart Card Reader. The IOGEAR GSR202 is a TAA compliant USB Common Access Card Reader for military, government and even private sector workers who need everyday access to. Dec 12, 2017 - The Mac OS relies heavily on the information you put in the Keychain. You can now use to.
There is a lot of information out in the wild about how you can get your CAC to work on your Mac, and all the certificates you need to have installed in your Keychain in order to do so. My goal in this forum entry is to clarify and help you understand what it is you're doing with these certificates and why.

NOTE: If you wish to start with a Keychain free of any DOD certificates, search your login and system keychains for any DOD Root, DOD ID, DOD ID SW, and DOD EMAIL certificates, then delete them.
The Mac OS relies heavily on the information you put in the Keychain. When you're installing the various DOD certificates into the Keychain, you're essentially telling the Mac OS how it should handle the certificate and any certificates issued by that server. Of the various DOD certs, the most important will be the DOD Root certs. A root certificate is the top-most certificate of the tree, which means all other certificates further down the tree depend on the trustworthiness of the root. As long as you have the correct DOD Root CA certs installed, trusted, and don't have any duplicates, the rest of the various DOD certs shouldn't show any issues of validation in your Keychain. This has become even more important since macOS High Sierra was released. I have seen situations where users do not get prompted to select a certificate or enter their PIN, or only see a 'com.apple.idms....' certificate in the selection window. My best conclusion is that the Keychain is unable to determine the validity of the CAC certificates, and therefore does not allow you to select them for authentication.
Now let's get started by adding the DoD Root CA certs into your Keychain. Use the following links to download the certificates, and then drag them into your 'System' Keychain:
https://militarycac.org/maccerts/RootCert2.cer
http://militarycac.com/maccerts/RootCert3.cer
http://militarycac.com/maccerts/RootCert4.cer
http://militarycac.com/maccerts/RootCert5.cer
Once they are in your Keychain, they will most likely have a red x next to them. Open each certificate individually, tap the arrow next to the Trust Settings, click the first drop down menu and select Always Trust, then close the Window and enter your Mac password when prompted. If you have any DOD Root CA certificates with blue around the border of the certificate icon, delete those as well. Once you have done this to all of your DOD Root certs, they should look like this:
- DOD Root Certs (screenshot)
- Trusted Intermediate (screenshot)
- DOD Certs (screenshot)
-Michael
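Added example, not part of the original post: three of the four download links above are plain http, and a root set to Always Trust in the System keychain vouches for every certificate issued beneath it, so compare each downloaded file's SHA-256 fingerprint with a value obtained out of band and check for the duplicate copies the post warns about. The expected fingerprint is a placeholder you must supply from an authoritative DoD PKI source, and the duplicate check assumes `security find-certificate -a -Z` prints `SHA-256 hash:` and `keychain:` lines.

```shell
#!/bin/bash
# Added example: functions only. The macOS-specific calls are at the bottom as comments.

_sha256() {   # hash stdin: sha256sum on Linux, shasum on macOS
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# SHA-256 fingerprint of a certificate file as uppercase hex. The fingerprint is
# taken over the DER bytes, so a PEM file is decoded with openssl first.
der_sha256() {
  if head -c 11 "$1" 2>/dev/null | grep -q -- '-----BEGIN'; then
    openssl x509 -in "$1" -outform DER | _sha256
  else
    _sha256 < "$1"
  fi | awk '{ print toupper($1) }'
}

# Compare a file against a fingerprint obtained out of band.
# Colons, spaces and letter case in the expected value are ignored.
verify_cert() {   # usage: verify_cert FILE EXPECTED_SHA256
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  got=$(der_sha256 "$1")
  if [ -n "$got" ] && [ "$got" = "$want" ]; then
    echo "OK        $1"
  else
    echo "MISMATCH  $1 (got ${got:-nothing})"
    return 1
  fi
}

# Read `security find-certificate -a -Z` output on stdin and print each SHA-256
# that occurs more than once, followed by the keychains holding the copies.
# Assumed record layout: a "SHA-256 hash:" line, later a "keychain:" line.
find_duplicates() {
  awk '/^SHA-256 hash:/ { h = $3 }
       /^keychain:/     { sub(/^keychain: */, ""); n[h]++; where[h] = where[h] " " $0 }
       END { for (h in n) if (n[h] > 1) print h ":" where[h] }'
}

# On the Mac, before setting Always Trust (placeholder fingerprint, supply your own):
#   verify_cert ~/Downloads/RootCert3.cer "<SHA-256 from an authoritative source>"
# After installing; the name filter is an assumption, match what Keychain Access shows:
#   security find-certificate -a -c "DoD Root CA" -Z | find_duplicates
```

Any line printed by `find_duplicates` names a certificate present in more than one keychain (or twice in the same one); delete the extra copy in Keychain Access.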
- Ensure your CAC reader works with Mac
- Check to ensure your Mac accepts the reader
- Check your Mac OS version
- Check your CAC’s version
- Update your DOD certificates
- Guidance for Firefox Users
- Look at graphs to see which CAC enabler to use
Step 1: Purchase a Mac Friendly CAC Reader
Purchase a CAC reader that works for your Mac. There are only a couple that you can choose from and I’ve listed them below.
If you already have a CAC reader and it isn’t Mac friendly, you could update the firmware. For people who aren’t tech savvy, though, it’s probably better to just purchase a new one and save the headache; they’re only ~$11-13.
Best Mac Compatible CAC USB Readers
Name | Review | Price | Driver |
---|---|---|---|
Rocketek RT-SCR3 | 4.5 | $38.99 | Driver |
Rocketek RT-SCR10 | 4.2 | $42.99 | Driver |
Best Mac Compatible CAC Desk Readers
Name | Review | Price | Driver |
---|---|---|---|
Saicoo V1 | 4.4 | $29.99 | Driver |
Saicoo V2 | 4.4 | $35.99 | Driver |
Stanley Global SGT111 | 4.1 | $49.99 | Driver |
Step 2: Plug in and Ensure It’s Accepted
Once you have your CAC reader, plug it into your Mac and ensure your computer recognizes it. If you have one of the CAC readers we suggested above, then you should be good to go.
If you are testing a different version, then verify that your Mac accepts your CAC reader by following these steps.
If for some reason your CAC reader isn’t working, then try the following steps.
Step 3: Update Your DOD Certificates
Now that you have your CAC reader connected and accepted on your Mac computer, it’s time to ensure you have the right certificates in order to access DOD CAC required web pages.
If you are using Chrome or Safari, then follow step 3a below. If you are using Firefox, you’ll need to do some extra steps:
- Type ⇧⌘U (Shift + Command + U) to access your Utilities
- Find and double-click “Keychain Access”
- Select “Login” and “All Items”
- Download the following four files and double-click each one once it has downloaded to install it in Keychain Access.
- When you double-click the Mac Root Cert 3 and 4, you’ll need to tell your browser to always trust them. Click the button like you see below:
Additional Steps for Firefox
- Download All Certs zip and double click to unzip all 39 files
- While in Firefox, click “Firefox” on the top left, then “Preferences”
- Then Click “Advanced” > “Certificates” > “View Certificates”
- Then Click “Authorities” and then “Import”
- Import each file individually from the “AllCerts” folder. When you do this, the box below will pop up. Check all three boxes and click “OK”
Step 4: Download and install CAC Enabler
- Download zip
- Double click the .zip file
- Because this is from an unidentified developer, you’ll need to hold down “Control” and click the program. Now select open and continue with install procedure.
- After installing, restart your computer
CAC Access at Home Success
Now that you have a CAC reader, certificates, and a CAC Enabler, you should be able to access any CAC-enabled website and log on using your CAC password and data.
Common Reasons Why Your CAC Card Won’t Work On Your Mac
Ensure Your CAC Card Meets the Standards: In order for your CAC card to work, it must meet the minimum requirements. Currently, there are only four types of CAC cards that can be used. To ensure you have the right CAC card for online access, flip your CAC card to the back and if you have one of the below numbers written on the top left, then you are good to go:
- G&D FIPS 201 SCE 3.2
- Oberthur ID one 128 v5.5 Dual
- GEMALTO DLGX4-A 144
- GEMALTO TOP DL GX4 144
If you do not have any of the above written on the back, then proceed to your nearest PSD to get a new CAC card issued.