There is a lot of information out in the wild about how you can get your CAC to work on your Mac, and all the certificates you need to have installed in your Keychain in order to do so. My goal in this forum entry is to clarify and help you understand what it is you're doing with these certificates and why.
NOTE: If you wish to start with a Keychain free of any DOD certificates, search your login and System keychains for any DOD Root, DOD ID, DOD ID SW, and DOD EMAIL certificates, then delete them.
The Mac OS relies heavily on the information you put in the Keychain. When you're installing the various DOD certificates into the Keychain, you're essentially telling the Mac OS how it should handle the certificate and any certificates issued by that authority. Of the various DOD certs, the most important will be the DOD Root certs. A root certificate is the top-most certificate of the tree, which means all other certificates further down the tree depend on the trustworthiness of the root. As long as you have the correct DOD Root CA certs installed, trusted, and don't have any duplicates, the rest of the various DOD certs shouldn't show any validation issues in your Keychain. This has become even more important since macOS High Sierra was released. I have seen situations where users do not get prompted to select a certificate or enter their PIN, or only see a 'com.apple.idms....' certificate in the selection window. My best conclusion is that the Keychain is unable to determine the validity of the CAC certificates, and therefore does not allow you to select them for authentication.
Now let's get started by adding the DoD Root CA certs into your Keychain. Use the following links to download the certificates, and then drag them into your 'System' Keychain:
https://militarycac.com/maccerts/RootCert2.cer
http://militarycac.com/maccerts/RootCert3.cer
http://militarycac.com/maccerts/RootCert4.cer
http://militarycac.com/maccerts/RootCert5.cer
Once they are in your Keychain, they will most likely have a red X next to them. Open each certificate individually, click the arrow next to Trust, click the first drop-down menu ("When using this certificate") and select Always Trust, then close the window and enter your Mac password when prompted. If you have any DOD Root CA certificates with a blue border around the certificate icon, delete those as well. Once you have done this to all of your DOD Root certs, they should look like this:
[Screenshot: DOD Root Certs]
You can now use https://militarycac.com/maccerts/AllCerts.p7b to download the remainder of the DOD certificates. This one file contains several DOD ID, DOD ID SW, and DOD EMAIL certificates, and it can also be dragged into your System Keychain. Because we trusted the root certs in the previous step, there is no need to manually trust these certs; you can confirm this by selecting a certificate and viewing the certificate summary at the top of the window. You should see a green dot with a check and text that says 'This certificate is valid':
[Screenshot: Trusted Intermediate]
When everything is finished, your Keychain should look similar to mine:
[Screenshot: DOD Certs]
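As an added example (not part of Michael's post), the POSIX shell script below performs, with openssl, the checks the post asks you to do by eye in Keychain Access: whether a file is a self-signed root that needs explicit trust, whether two files are the same root (the duplicates you are told to delete), and whether an intermediate actually validates against the root you trusted, which is what the green 'This certificate is valid' indicator reflects. It runs on any system with openssl; the certificate subjects (Example Root CA 3, Example ID CA 59, Unrelated Root) and all file paths are constructed fixtures generated on the fly, not the real DoD certificates, and the macOS `security` commands at the end are printed rather than executed so the demo certs never end up in a real keychain.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a set of
# DoD-style root and intermediate .cer files before you trust them in the
# macOS System keychain. Only openssl is required, so it runs on any OS; the
# certificate names, subjects and paths below are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/cac-cert-demo.$$"
mkdir -p "$WORK"

# Constructed fixtures standing in for RootCertN.cer and the CAs in AllCerts.p7b
make_fixtures() {
  # Self-signed "root" (subject == issuer); req -x509 marks it CA:TRUE by default
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/C=US/O=Example Gov/OU=PKI/CN=Example Root CA 3" \
    -keyout "$WORK/root.key" -out "$WORK/RootCert3.cer" 2>/dev/null
  # Duplicate copy of the same root: exactly what the post tells you to delete
  cp "$WORK/RootCert3.cer" "$WORK/RootCert3-copy.cer"
  # An unrelated self-signed root, to show a chain that must NOT validate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/C=US/O=Other Org/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/OtherRoot.cer" 2>/dev/null
  # Intermediate issued by the root (stand-in for a DOD ID / DOD EMAIL CA)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Gov/OU=PKI/CN=Example ID CA 59" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/RootCert3.cer" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/IDCA59.cer" 2>/dev/null
}

# Prints "root" when the certificate is self-signed (subject equals issuer),
# i.e. a trust anchor that must be explicitly trusted; otherwise "not-root".
is_root_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo root; else echo not-root; fi
}

# SHA-256 fingerprint: the stable identity of a certificate regardless of file name
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Number of distinct certificates that appear more than once among the given files
duplicate_count() {
  for f in "$@"; do fingerprint "$f"; done | sort | uniq -d | wc -l | tr -d ' '
}

# "valid" when the intermediate chains to the given root, "invalid" otherwise;
# this is the check behind the Keychain's "This certificate is valid" summary
chains_to_root() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# macOS command-line equivalents of the drag-and-drop steps, printed rather than
# executed so the constructed demo certs never land in a real keychain
print_macos_commands() {
  echo "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $1"
  echo "sudo security import $2 -k /Library/Keychains/System.keychain"
  echo "security find-certificate -a -c 'DoD Root CA' -p /Library/Keychains/System.keychain"
}

make_fixtures
for c in "$WORK"/*.cer; do
  printf '%-22s %-9s %s\n' "$(basename "$c")" "$(is_root_cert "$c")" "$(fingerprint "$c")"
done
echo "duplicate roots to delete: $(duplicate_count "$WORK"/*.cer)"
echo "IDCA59 vs RootCert3: $(chains_to_root "$WORK/IDCA59.cer" "$WORK/RootCert3.cer")"
echo "IDCA59 vs OtherRoot: $(chains_to_root "$WORK/IDCA59.cer" "$WORK/OtherRoot.cer")"
print_macos_commands "$WORK/RootCert3.cer" /path/to/AllCerts.p7b
```

Run it with `sh check-certs.sh`; to check the real RootCertN.cer files instead, skip make_fixtures and point the functions at those files (the fixtures are left under $TMPDIR so you can inspect them). Comparing SHA-256 fingerprints rather than names is what catches a duplicate root even when the two Keychain entries or files are named differently, and verifying the intermediate against the root you trusted confirms the chain before you rely on it for CAC authentication.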
If there are any questions, corrections, or anything that needs further clarification, please let me know in the comments below.
-Michael
When connecting to various online services, your Mac uses certificates to validate the connection. If a certificate being used for a connection is expired or invalid, OS X will notify you when you attempt to use it and offer you the choice of continuing with the connection, inspecting the certificate, or canceling the connection. In any case, updating your DoD certificates is called for. On a Mac computer, DoD root certificates go up to CA 26 only. If you have a CA between 27 and 32, you have to install CAs 27-32 and CA emails 27-32.