After a lot of discussion with a helpful tech at Apple, and a lot of trial and error, I restored partial CAC functionality to my Mac running 10.5.4 and Safari 3.1.2. I am now able to get into my webmail at the Pentagon, but am not yet able to log into AF Portal using the CAC option - but I think I can with a little more troubleshooting.
Bottom Line Up Front (BLUF): You need to activate the X509 Anchors, then create an Identity Preference in your login keychain using your CAC, before you will be able to log into webmail.
This is a work-around technique, which allows you to get to your webmail. The CAC functionality is restored to the level I had in 10.5.2, but does not 'fix' Safari. The tech at Apple promised to take this information back to the Safari developers and try to really solve the problem, namely that Safari does not seem to look for the CAC keychain without being told to allow specific urls.
Background: The CAC reader was working fine. A CAC is a keychain of certificates and keys. These show up in 'Keychain Access'. If you have issues with the CAC reader working, google 'CAC on a Mac', and several links will discuss flashing the CAC reader, etc. This technique assumes your CAC reader is working and reading your CAC just fine.
I also had to erase my hard drive in order to get Safari upgraded to the latest version. I have no idea why this was necessary, but it could have been a problem with my hard drive. If your software versions upgraded properly to the latest ones (10.5.4 and Safari 3.1.2), then continue below. Otherwise, I recommend you solve those problems first.
1. Open 'Keychain Access'. (For troubleshooting purposes, I suggest dragging an image of Keychain Access into the dock so you can get to it faster.)
2. Make sure the keychain entitled 'X509 Anchors' is in your keychain list. If it is not, look for it through Keychain Access by going through File/Add Keychain. The X509 Anchors are in Finder/(Your HD)/Library/Keychains. If you can't add the X509 Anchor keychain through Keychain Access, then go to the file itself, copy it, and paste the copy into Finder/(Home folder)/Library/Keychains.
3. Enable the X509 Anchors through 'Keychain Access'. Go to Keychain Access/Edit/Keychain List, then check the box for X509 Anchors under 'User' and 'Mac OS X System'.
4. Connect your CAC reader, and insert your card. The card should appear as a keychain on the left-hand side, with a name like 'CAC-1234-5678-9123-4567-XYZ3' or some such. Select this keychain in the left-had side window.
5. Immediately under the stoplight buttons, click on the padlock icon to unlock the CAC keychain. You should be prompted for your password - this is your CAC password, not your computer's password.
6. You should see three certificates and three private keys. Select one of the certificates and right-click (CTRL-click) over it - then select 'Get info' from the menu. Two of the certificates and two of the keys have the word 'e-mail' in the 'Issued By' section of the Info window, and one does not. Find the one that does not have 'E-mail' in the 'Issued By' section. It should be named something like 'DOD CLASS 3 CA-5'.
7. Close the info window. Go back and single-click this certificate in Keychain Access, then right-click on it again, and select 'New Identity Preference' from the menu. The prompt next requires you type the EXACT url address of the website you need to access, then select 'Add'. (In my case, it was https://webmail.hq.af.mil/Exchange). This builds a preference in your 'login' keychain.
8. As a precaution, reset Safari, then type in the same url into the address window, and hit return. This should allow you access to the website from which you can see/send webmail. You can also bookmark this address once you are where you want to be, so in future you can just insert your CAC, click the bookmark, type in your CAC password, and get your webmail.
That's it. Good luck, fellow DOD Mac enthusiasts.
Bottom Line Up Front (BLUF): You need to activate the X509 Anchors, then create an Identity Preference in your login keychain using your CAC, before you will be able to log into webmail.
This is a work-around technique, which allows you to get to your webmail. The CAC functionality is restored to the level I had in 10.5.2, but does not 'fix' Safari. The tech at Apple promised to take this information back to the Safari developers and try to really solve the problem, namely that Safari does not seem to look for the CAC keychain without being told to allow specific urls.
Background: The CAC reader was working fine. A CAC is a keychain of certificates and keys. These show up in 'Keychain Access'. If you have issues with the CAC reader working, google 'CAC on a Mac', and several links will discuss flashing the CAC reader, etc. This technique assumes your CAC reader is working and reading your CAC just fine.
I also had to erase my hard drive in order to get Safari upgraded to the latest version. I have no idea why this was necessary, but it could have been a problem with my hard drive. If your software versions upgraded properly to the latest ones (10.5.4 and Safari 3.1.2), then continue below. Otherwise, I recommend you solve those problems first.
1. Open 'Keychain Access'. (For troubleshooting purposes, I suggest dragging an image of Keychain Access into the dock so you can get to it faster.)
2. Make sure the keychain entitled 'X509 Anchors' is in your keychain list. If it is not, look for it through Keychain Access by going through File/Add Keychain. The X509 Anchors are in Finder/(Your HD)/Library/Keychains. If you can't add the X509 Anchor keychain through Keychain Access, then go to the file itself, copy it, and paste the copy into Finder/(Home folder)/Library/Keychains.
3. Enable the X509 Anchors through 'Keychain Access'. Go to Keychain Access/Edit/Keychain List, then check the box for X509 Anchors under 'User' and 'Mac OS X System'.
4. Connect your CAC reader, and insert your card. The card should appear as a keychain on the left-hand side, with a name like 'CAC-1234-5678-9123-4567-XYZ3' or some such. Select this keychain in the left-had side window.
5. Immediately under the stoplight buttons, click on the padlock icon to unlock the CAC keychain. You should be prompted for your password - this is your CAC password, not your computer's password.
6. You should see three certificates and three private keys. Select one of the certificates and right-click (CTRL-click) over it - then select 'Get info' from the menu. Two of the certificates and two of the keys have the word 'e-mail' in the 'Issued By' section of the Info window, and one does not. Find the one that does not have 'E-mail' in the 'Issued By' section. It should be named something like 'DOD CLASS 3 CA-5'.
7. Close the info window. Go back and single-click this certificate in Keychain Access, then right-click on it again, and select 'New Identity Preference' from the menu. The prompt next requires you type the EXACT url address of the website you need to access, then select 'Add'. (In my case, it was https://webmail.hq.af.mil/Exchange). This builds a preference in your 'login' keychain.
8. As a precaution, reset Safari, then type in the same url into the address window, and hit return. This should allow you access to the website from which you can see/send webmail. You can also bookmark this address once you are where you want to be, so in future you can just insert your CAC, click the bookmark, type in your CAC password, and get your webmail.
That's it. Good luck, fellow DOD Mac enthusiasts.
- Centrify Express for Smart Card is a complimentary version of the same enterprise-hardened Centrify Smart Card technology used in federal agencies that require authentication for CAC, CAC NG, and PIV smart cards.
- For portable CAC readers with tried and tested Mac compatibility, our top pick is the RT-SCR3 from Rocketek. The 4.5 average review score over a large number of reviews is.
PKard ® for Mac replaces the native macOS PKI solution to provide users with a solid product with full, free, U.S. Based support. It is the same commercial code used by the Pentagon, all six DoD services, White House, NIH, and DOI across tens of thousands of Mac users since the mid-2000s.
From SCM Microsystems: Update your SmartCardReader USB drivers for model SCR3310.How To Install Cac Reader For Mac
SCM's SCR3310 and SCR3310v2.0 are small and ergonomic USB smart card readers, with backside mounting holes. The readers are ISO 7816 compliant, and can be used for cards in ID 1 card format.
Cac Reader For Macbook Pro
This installer contains PC/SC driver and CT-API library and can be used for SCR531 USB, SCR331 CCID, SCR333, SCR335, SCR355, SCR338, SCR3310, SCR3311, SCR3320, SCR3340, @MAXX Family and SCT3511
SCR331 and SCR531 users note that only readers that have CCID firmware are supported. Readers that have firmware Rev 2.0 and above are CCID. This driver may also be used with the following third party products: Goldtouch ErgoSecure SC 2.0 keyboard, Datakey DKR830. If the host is running Windows 98 SE or Windows Me, ensure that Microsoft Smart Card Base Components are installed on the host before atempting to install the drivers.