Updated on 18 June 2010

Setting up your CAC for use on your Macintosh (Visually):

Step 1: Update your system. (10.5.6 is the minimum required for Leopard, though 10.5.8 is currently available for Leopard, and 10.6.4 is available for Snow Leopard)

Step 2: Plug in your CAC Reader to an available USB Port

Step 3: Click the Apple Icon in the upper left corner of your desktop and select "About This Mac"


Step 4: Click the "More Info" Button within the window that pops up. (This opens System Profiler)

Step 5: Within the "Hardware" Category select "USB." On the right side of the screen the window will display all hardware plugged into the USB ports on your Mac. You should see “Smart Card Reader.” If the Smart Card reader is present, it is installed on your system, and no further hardware changes are required, i.e. additional drivers/Firmware upgrades. You can now Quit System Profiler.


Step 6: Click: Go, Applications, scroll down to: Utilities, click the little triangle to open it up, double click "Keychain Access"

Step 7: Insert your CAC into the CAC Reader. In the upper left of the Keychain Access window, under "Keychains" your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX), click it. In the right side you will see the certificates that are on your CAC. (If your CAC does not appear remove it from the reader, unplug the Reader, quit, and re-open Keychain Access, plug in the Card Reader, and insert your CAC)

Step 8: Click the "Padlock" icon in the upper left corner of the program window, which will prompt you for your CAC PIN. Enter your PIN to unlock your CAC.

Step 9: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window. Right Click (Control Click) and select "New Identity Preference"

Step 10: Enter the URL/website (choose from the below links) for the appropriate website you wish to access using your CAC, select the appropriate certificate and click “Add”:

Step 10a: I was unable to save the email certificate for my OWA (it kept defaulting back to the non-email certificate)


Step 10b: I copied the email certificate(s) from the CAC...2-75E4 section.

Step 10c: I first verified it was the email certificate before pasting it into the login section

Step 10d: I pasted the above email certificate(s) into the login screen section of Keychain Access. I had 2 for some reason, so I copied and pasted both of them.

Step 11: Quit Keychain Access (and Applications (if it is still open)), remove your CAC from the reader, and re-insert it. Open Safari and begin navigating to your CAC enabled site.


Examples of URLs to add to your Keychain Access

Army:

- AKO: (DOD CA-XX)

- AKO Webmail: (DOD CA-XX)

- Fort Gordon OWA (NASE Email Access): CA-XX)

- Army Reserve OWA (USAR Email Access): XX)

- Center for Army Lessons Learned (CALL): CA-XX)

- CONUS AMEDD Exchange OWA: (EMAIL CA-XX)

- National Guard Knowledge Online: CA-XX)

- NORAD NORTHCOM CAC Registration Site: CA-XX)

- NORAD NORTHCOM External Access Site: (DOD CA_XX)

- Soldier Survey Site:

Navy:

- Navy Knowledge Online (1 of 2): (DOD CA-XX)

- Navy Knowledge Online (2 of 2): (DOD CA-XX)

- Navy Webmail: (DOD CA-XX)

- Reserve Portal: (DOD CA-XX)

- NADSUSEA (Navy East OWA):

- NADSUSWE (Navy West OWA):

- NADSUSEANCISCOI (Navy NCIS OWA): CA-XX)

- NMCI-ISF (Navy ISF OWA):

- PADS (Navy PADS OWA):

- PADS (Navy PACOMSMR Users OWA): (EMAIL CA-XX)

- IATS NMCI Webmail (1 of 3):

- IATS NMCI Webmail (2 of 3):

- IATS NMCI Webmail (3 of 3):

- Marine Corps Webmail:

- Navy InfoSec:

- Navy Medical (1 of 3): CA-XX)

- Navy Medical (2 of 3): CA-XX)

- Navy Medical (3 of 3): CA-XX)

- Navy Medical Outlook Web Access:

- JTF-GNO:

- BUPERS: CA-XX)


- NSIPS (1 of 2): CA-XX)

- NSIPS (2 of 2): CA-XX)

- NROWS: CA-XX)

- Navy Reserve Portal (1 of 2): (DOD CA-XX)

- Navy Reserve Portal (2 of 2): (DOD CA-XX)

Air Force: (There are currently issues with the AF Portal, the issues are being addressed and updates will be posted here when available)

- AF Portal (1 of 3): CA-XX)

- AF Portal (2 of 3): CA-XX)

- AF Portal (3 of 3): CA-XX)

- Air Force Portal Virtual MPF Site: CA-XX)

- Air Force TopFlite Website: CA-XX)

- Air Force Jag Site: CA-XX)

- Air Force Education Exchange:

- AFAMC Exchange Email:

Coast Guard:

- Coast Guard Email: CA-XX)

DoD:

- Defense Manpower Data Center: CA-XX)

- DOD 411 Directory:

- Tricare Online: CA-XX)

- Tricare (1 of 3):

- Tricare (2 of 3):

- Tricare (2 of 3):

- Military Health System: CA-XX)

Note on URLs: It is important to understand that when entering URLs into an identity preference they must be precise. As you can see in the preceding references some end with a “/”. Not all websites will have this. Every website that attempts to validate your CAC must search a database (usually internal to the site) and the URL you enter is creating the link between that database and your CAC. As there is not a single database that all sites use for this purpose you will encounter sites that do not function properly initially. If you pay attention to the actions of the browser when you click the login button you will usually see where the browser is being pointed and can use that URL in your Identity Preference. For the most part you will not need to reference a specific site, i.e. ending in .html etc, but instead will use the broad address as above.
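A command-line counterpart to Steps 9 and 10 and the URL note above, added here as an illustration and not part of the original guide: it derives the broad address, with and without the trailing "/", from the URL the browser was sent to at login, and binds a certificate to it with the macOS `security` tool. The hostname and certificate hash are constructed placeholders, and that `security` sees the CAC certificates the same way Keychain Access does is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original guide. Hostname and hash below are
# constructed placeholders; replace them with your own values.

# Print the candidate identity-preference URLs for the address the browser was
# sent to at login: the broad address with and without the trailing "/".
candidate_urls() {
    case $1 in
        http://*|https://*) ;;
        *) echo "not an http(s) URL: $1" >&2; return 1 ;;
    esac
    scheme=${1%%://*}
    rest=${1#*://}
    host=${rest%%[/?#]*}          # drop path, query string and fragment
    [ -n "$host" ] || return 1
    printf '%s://%s/\n%s://%s\n' "$scheme" "$host" "$scheme" "$host"
}

# Bind the certificate with SHA-1 hash $1 to service URL $2, then read the
# preference back. With DRY_RUN=1 the commands are printed, not executed.
set_cac_preference() {
    run=""
    if [ "${DRY_RUN:-0}" = 1 ]; then run="echo"; fi
    $run security set-identity-preference -Z "$1" -s "$2" &&
        $run security get-identity-preference -s "$2"
}

# Constructed sample values.
LOGIN_URL="https://webmail.example.mil/owa/auth/logon.aspx?replaceCurrent=1"
CERT_SHA1="0000000000000000000000000000000000000000"

# `security find-identity -v` lists each identity with its SHA-1 hash, which
# tells apart certificates that share a name.
# Try the first candidate; if the site still fails, try the second.
first=$(candidate_urls "$LOGIN_URL" | head -n 1)
DRY_RUN=1 set_cac_preference "$CERT_SHA1" "$first"
```

Remove `DRY_RUN=1` on the last line to apply the preference; `security set-identity-preference -n -s <URL>` clears it again.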

Note on Certificate Selection: When creating Identity Preferences within Keychains it is important to understand the difference between your Certificates. I will not go into great detail as to the differences here however I will give you the information you need to know. There are 3 certificates on your CAC:

- DOD CA-XX, used for identification verification, is the topmost certificate shown in Keychains. This will be used when logging into AKO. This will show up with a red “x” beside it a majority of the time as “Unsigned”.

- DOD CA-XX EMAIL, used for signatures, is the second in the list of certificates. This certificate is used when you digitally sign an email, or document, and by some websites for verification of your identity, i.e. Outlook Web Access. When logging into a non-AKO site keep in mind that whatever certificate you used when logging on at your work computer will be required on your MAC.

- DOD CA-XX EMAIL, used for encryption, is the third in the list of certificates. This will not be used when accessing websites, and unless you are accustomed to encrypting your email, will not be used at all.

When creating Identity Preferences there will be some trial and error involved in selecting the correct URL/Certificate combination. If you create an Identity Preference and attempt to change the certificate it uses you may see more than 3 certificates when you open the drop down menu as below, they are grouped into their respective classes, the first pair being the DOD CA-XX, second pair EMAIL CA-XX (Signature) and the third pair EMAIL CA-XX (Encryption). Choose either of the first two if you want the DOD CA-XX and so forth. They point to the same certificate.

This should set you up to access sites that are authenticated with your CAC. Please let me know how this works out for you and what issues you have. Once again if you have additional sites you have found solutions for please let me know and I will include them in the list on this page. If you still have questions, feel free to contact me by visiting:

Current as of: 18 June 2010

Written by CPT Bill Hankins, Revised by CW3 Michael J. Danberry while following the instructions on my own iBook G4 & MacBook Mac laptops.
