No Client Certificate Presented For Af Portal On Mac

Introduction

This page covers the steps for configuring client-side SSL (CSSL) on a SecureAuth appliance set up to validate CAC or PIV cards.

The error 'Valid client certificate is required' displays while accessing the portal address when the browser is unable to fetch the certificate to present to the portal for authentication. Is your CAC reader Mac friendly? Visit the USB Readers page to verify the CAC reader you have is.

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as Mac Client Certificate. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format, and clear User principal name (UPN).

  • Download root/intermediate DOD certificates.
  • Install certificates as administrator.
  • Verify installation of the certificates into the local computer's certificate store (not the user's)

Installing DOD Certificates

When SecureAuth prompts for a CAC or PIV certificate, your web server is actually matching the client-side SSL certificates against the certificates that are installed on your SecureAuth appliance. In order to check these client-side certificates, the root and intermediate certificates must be installed on the appliance. If you have a specific set of root and intermediate certificates, you can install them. If you do not, this is the process to install the DOD root and intermediate certificates on the SecureAuth appliance.

1. Open the browser on the server and navigate to militarycac.com's download section

2. Download 'InstallRoot 3.13.1a from MilitaryCAC'


3. You might be prompted to add militarycac.com to your trusted sites to complete the download

4. Click 'Open' so that the file automatically launches


5. Right-click 'InstallRoot_v3.13.1A' and select 'Run as administrator'

6. At the security warning click 'Yes'

7. Accept the security warning if prompted

Verify the DOD Certificates were properly installed

1. Click the start menu/SecureAuth/Tools and select 'Certificates Console'

2. Navigate to 'Trusted Root Certification Authorities' and ensure you have the DOD Root CA certificate installed

3. Navigate to 'Intermediate Certification Authorities' and ensure the intermediate certs are there
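
The same verification can be scripted from an elevated PowerShell prompt on the appliance. This is an added example, not SecureAuth's or MilitaryCAC's own tooling; it assumes the DOD CA subjects contain the string "DoD", and the `$Pattern` variable and `Get-CaCerts` helper are names introduced here. It also lists certificates that landed only in the Current User store, which is what happens when the installer is run without 'Run as administrator'.

```powershell
# Added example: confirm DOD CA certificates are in the Local Computer stores.
# Assumption: DOD CA subjects contain "DoD"; change $Pattern for another CA set.
$Pattern = 'DoD'

function Get-CaCerts {
    param([string]$StorePath, [string]$Pattern)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match $Pattern } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
}

# Local Computer stores: where the page requires the certificates to be installed.
$machineRoots = @(Get-CaCerts -StorePath 'Cert:\LocalMachine\Root' -Pattern $Pattern)
$machineInter = @(Get-CaCerts -StorePath 'Cert:\LocalMachine\CA'   -Pattern $Pattern)

# The CurrentUser view also shows machine-wide certificates, so compare
# thumbprints to find the ones that exist ONLY in the user's store.
$userOnly = @(
    foreach ($store in 'Root', 'CA') {
        $machineThumbs = (Get-ChildItem "Cert:\LocalMachine\$store").Thumbprint
        Get-ChildItem "Cert:\CurrentUser\$store" |
            Where-Object { $_.Subject -match $Pattern -and
                           $_.Thumbprint -notin $machineThumbs }
    }
)

# Intermediates whose issuer is not present as a root or another intermediate.
# Subject/Issuer string matching is an approximation of real chain building.
$knownIssuers = @((Get-ChildItem 'Cert:\LocalMachine\Root').Subject) +
                @($machineInter.Subject)
$orphans = @($machineInter | Where-Object { $_.Issuer -notin $knownIssuers })

"Roots in LocalMachine\Root       : $($machineRoots.Count)"
"Intermediates in LocalMachine\CA : $($machineInter.Count)"
($machineRoots + $machineInter) | Where-Object Expired |
    Format-Table Subject, NotAfter -AutoSize

if ($machineRoots.Count -eq 0) { Write-Warning 'No matching root CA in the Local Computer store.' }
if ($machineInter.Count -eq 0) { Write-Warning 'No matching intermediate CAs in the Local Computer store.' }
foreach ($c in $userOnly) { Write-Warning "User store only: $($c.Subject)" }
foreach ($c in $orphans)  { Write-Warning "Issuer not installed: $($c.Subject)" }
```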

Here are the steps on how to install a CAC Reader for Mac:
  1. Ensure your CAC reader works with Mac
  2. Check to ensure your Mac accepts the reader
  3. Check your Mac OS version
  4. Check your CAC’s version
  5. Update your DOD certificates
  6. Guidance for Firefox Users
  7. Look at graphs to see which CAC enabler to use

Step 1: Purchase a Mac Friendly CAC Reader

Purchase a CAC reader that works for your Mac. There are only a couple that you can choose from and I’ve listed them below.

If you already have a CAC reader and it isn’t Mac friendly, you could update the firmware. However, for the non-tech-savvy people out there, it’s probably better to just purchase a new one and save the headache – they’re only ~$11-13.

Best Mac Compatible CAC USB Readers

Best Mac Compatible CAC Desk Readers

Step 2: Plug in and Ensure It’s Accepted

Once you have your CAC reader, plug it into your Mac and ensure your computer recognizes it. If you have one of the CAC readers we suggested above, then you should be good to go.

If for some reason your CAC reader isn’t working, you may need to download the appropriate drivers for your CAC reader. You can find these drivers on the Reader’s Manufacturer Website.

Step 3: Update Your DOD Certificates

Now that you have your CAC reader connected and accepted on your Mac computer, it’s time to ensure you have the right certificates in order to access DOD CAC required web pages.

Procedure for Chrome and Safari

  1. Type ⇧⌘U (Shift + Command + U) to access your Utilities
  2. Find and Double click “Keychain Access”
  3. Select “Login” and “All Items”
  4. Download the following five files and double click each once downloaded so as to install in your Keychain Access.
  5. When you double-click the Mac Root Cert 3 and 4, you’ll need to tell your browser to always trust them. Click the button like you see below:

Additional Steps for Firefox

If you’re using Mozilla Firefox as your primary browser, you’re going to need to perform some additional steps. First, perform the same steps that you did for Chrome and Safari. Afterwards, follow these additional steps to get started.

  1. Download All Certs zip and double click to unzip all 39 files
  2. While in Firefox, click “Firefox” on the top left, then “Preferences”
  3. Then Click “Advanced” > “Certificates” > “View Certificates”
  4. Then Click “Authorities” and then “Import”
  5. Import each file individually from the “AllCerts” folder. When you do this, the below box will pop up. Check all three boxes and click “OK”

Step 4: Download and install CAC Enabler

Choosing the right CAC enabler can be pretty tricky. It all depends on what OS you have installed, how you installed it, and even what kind of CAC Card you have!

In order to get the right enabler, be sure to visit our trusty guide to Mac CAC Enablers! It’ll walk you through exactly which enabler is right for you.

CAC Access at Home Success

Now that you have a CAC reader, certificates, and a CAC Enabler, you should now be able to access any CAC-enabled website and log on using your CAC password and data.

Common Reasons Why Your CAC Card Won’t Work On Your Mac

Ensure Your CAC Card Meets the Standards: In order for your CAC card to work, it must meet the minimum requirements. Currently, there are only four types of CAC cards that can be used. To ensure you have the right CAC card for online access, flip your CAC card to the back and if you have one of the below numbers written on the top left, then you are good to go:

  • G&D FIPS 201 SCE 3.2
  • Oberthur ID one 128 v5.5 Dual
  • GEMALTO DLGX4-A 144
  • GEMALTO TOP DL GX4 144

If you do not have any of the above written on the back, then proceed to your nearest PSD to get a new CAC card issued.