{"id":1175,"date":"2004-12-09T04:39:38","date_gmt":"2004-12-09T14:39:38","guid":{"rendered":"https:\/\/risacher.org\/jfdi\/?p=1175"},"modified":"2013-11-11T20:56:27","modified_gmt":"2013-11-12T01:56:27","slug":"20041209-0-3","status":"publish","type":"post","link":"https:\/\/risacher.org\/jfdi\/2004\/12\/20041209-0-3\/","title":{"rendered":"Firefox and the Common Access Card (CAC)"},"content":{"rendered":"

The frustration was that using the CAC requires some ‘middleware’ that enables the client application (i.e. the web browser) to extract the certificates from the card. There’s an industry-standard API for this called PKCS #11, and SSP has built middleware that implements it for the CAC. My IT support folks loaded the appropriate middleware, but it only worked with Internet Explorer.<\/p>\n

So, to load the middleware with Firefox or Mozilla, I stumbled around for quite some time trying to use the ‘Manage Security Devices’ tab under the preferences dialog. That didn’t work. What worked was bringing up the page file:\/\/\/C:\/Program%20Files\/SSP%20Solutions\/NetSign%20CAC\/CryptoInstall.htm<\/a>, which the contained some magic that the browser needed to install the middleware. Poof!<\/p>\n

Alas, that wasn’t enough. Once I’d done that, Firefox would pop up a dialog requesting the PIN for my CAC, but I still couldn’t authenticate to web sites that require a client certificate. The problem, I believe, is bug 154246<\/a> and bug 154255<\/a> in Mozilla\/Firefox Network Security Services; it can pull a client cert from a smartcard, but doesn’t pull the entire chain. Until this has a better solution, the workaround was to explicitly load my certificate authorities into Firefox. I did this by sending myself a signed email, examining the certs on the email, exporting my Root CA and Intermediate CA certs, and then importing those into Firefox as trusted CAs. Viola! I can use my CAC with Firefox.<\/p>\n

<\/body><\/p>\n","protected":false},"excerpt":{"rendered":"