Firefox and the Common Access Card (CAC)

I meant to report for anyone else who wants to do this that I managed to get the SSP / Litronics NetSignCAC middleware to work with Firefox and Mozilla. ‘CAC’ is an acronym for the Common Access Card, and it’s the ID card for all Department of Defense personnel (both military and civilian). It’s a smartcard made by Schlumberger that stores DoD-issued X.509 certificates that can be used for all the regular things that X.509 certs are for: signing email, authenticating to web sites, etc.

The frustration was that using the CAC requires some ‘middleware’ that enables the client application (i.e. the web browser) to extract the certificates from the card. There’s an industry-standard API for this called PKCS #11, and SSP has built middleware that implements it for the CAC. My IT support folks loaded the appropriate middleware, but it only worked with Internet Explorer.

So, to load the middleware with Firefox or Mozilla, I stumbled around for quite some time trying to use the ‘Manage Security Devices’ tab under the preferences dialog. That didn’t work. What worked was bringing up the page file:///C:/Program%20Files/SSP%20Solutions/NetSign%20CAC/CryptoInstall.htm, which contained some magic that the browser needed to install the middleware. Poof!

Alas, that wasn’t enough. Once I’d done that, Firefox would pop up a dialog requesting the PIN for my CAC, but I still couldn’t authenticate to web sites that require a client certificate. The problem, I believe, is bug 154246 and bug 154255 in Mozilla/Firefox Network Security Services; it can pull a client cert from a smartcard, but doesn’t pull the entire chain. Until this has a better solution, the workaround was to explicitly load my certificate authorities into Firefox. I did this by sending myself a signed email, examining the certs on the email, exporting my Root CA and Intermediate CA certs, and then importing those into Firefox as trusted CAs. Voilà! I can use my CAC with Firefox.
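
An added example, not from the original post and not NSS code: a simplified Python model of how a client that holds only the leaf certificate from a smartcard can fail to offer it when the server asks for certificates issued under a root CA, and why importing the intermediate and root certificates changes the outcome. The certificate names, the acceptable-CA list and the chain-walking logic are assumptions made for illustration.

```python
# Simplified model with constructed data (not NSS code): a TLS server's
# CertificateRequest can list the CA names it accepts, and the client offers
# only certificates it can link to one of those names.

MAX_DEPTH = 20  # assumed guard against issuer loops

# Constructed sample certificates, reduced to subject and issuer names.
LEAF = {"subject": "CN=user.example", "issuer": "CN=Example Intermediate CA"}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}

def issuer_names(leaf, store):
    """Issuer names reachable from the leaf using certificates in the local store.

    The leaf always reveals its direct issuer's name. Going any higher requires
    holding the issuer's own certificate, because that is where the next issuer
    name is recorded.
    """
    names = []
    cert = leaf
    for _ in range(MAX_DEPTH):
        if cert["issuer"] == cert["subject"]:  # self-signed root: top of chain
            break
        names.append(cert["issuer"])
        cert = store.get(cert["issuer"])       # look up the issuer's certificate
        if cert is None:                       # chain is broken here
            break
    return names

def usable_for(leaf, store, acceptable_cas):
    """True if the leaf chains to any CA name the server said it accepts."""
    return any(name in acceptable_cas for name in issuer_names(leaf, store))

def make_store(*certs):
    """Index certificates by subject name, as a local trust database would."""
    return {c["subject"]: c for c in certs}

if __name__ == "__main__":
    server_accepts = {"CN=Example Root CA"}    # constructed CertificateRequest list
    card_only = make_store()                   # only the leaf was read from the card
    imported = make_store(INTERMEDIATE, ROOT)  # after importing both CA certificates
    print("card only:   ", usable_for(LEAF, card_only, server_accepts))
    print("after import:", usable_for(LEAF, imported, server_accepts))
```

In this model the leaf alone still matches a server that lists the intermediate CA by name; it is the server that names only the root that needs the imported chain.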