cac authentication in linux with the dell sk-3205 keyboard

Upload: ian

Post on 27-Apr-2015

CAC/Smart Card Authentication in Ubuntu Linux using a Dell SK-3205 Keyboard

Version | Author    | Date     | Changes
1       | Ian Evans | 05/07/10 | N/A

Additional Release Notes

This guide has only been tested with Ubuntu release 9.04 or higher. It will also work for Linux Mint and other Debian releases.

Required Software

Ubuntu 9.04 or higher (x86 version)

Internet Connectivity for apt-get functionality

CAC or Smart Card

Mozilla Firefox 3.5 or higher

Mozilla Thunderbird 3 or higher

1) Install Ubuntu 9.04 or Linux Mint 8 and select desired configuration options. Since all of the distributions are Live-CD based, you will need to run the Installer from the desktop to install the distribution to your hard drive.

The download locations for these distributions are:

Ubuntu: http://releases.ubuntu.com/karmic/ubuntu-9.10-desktop-i386.iso

Linux Mint: http://ftp.heanet.ie/pub/linuxmint.com/stable/8/LinuxMint-8-Fluxbox.iso

2) Once you have rebooted and are at your desktop, make a couple of configuration changes that will allow Ubuntu to download the required packages:

Edit the /etc/apt/sources.list file and add the Mozilla repositories (highlighted in red):

Update the system to reflect the new repositories:

# sudo apt-get update

Upgrade the packages. Just select “YES” to upgrade the system with all of them:

# sudo apt-get upgrade

Get the latest Thunderbird updates from the new repos:

# sudo apt-get install thunderbird-mozilla-build

Install Coolkey, pcscd and pcsc-tools (drivers and software that will interact with the CAC).

# sudo apt-get install coolkey pcscd pcsc-tools opensc openct build-essential

3) Alter the configuration files to load the appropriate driver for the CAC Reader.

Add the configuration to /etc/reader.conf. In this example, I am using the OpenCT driver. Be sure to comment out any drivers that do not relate to your configuration, as they will cause problems when scanning for the correct device.

4) Perform a scan to see if the device is recognized:

Run a scan:

# pcsc_scan

Success! You can see the system recognized the GEMAL reader on the Dell keyboard.

5) Add Coolkey into Firefox and Thunderbird, followed by an import of the correct DoD CAs.

Add the Coolkey module into Firefox. Go into Preferences > Advanced > Encryption > Devices > Load and select libcoolkeypk11.so under: /usr/lib/pkcs11.

The module should now be loaded and you should see your CAC card:

Go into Preferences > Security and set a Master Password:

Enable FIPS if you would like to ensure all of your saved passwords are encrypted.

Download the DoD Root CAs:

http://dodpki.c3pki.chamb.disa.mil/rootca.html

Import the DoD Root CAs into Firefox by navigating to Preferences > Advanced > Encryption > View Certificates > Authorities > Import. Trust all when prompted.

Restart Firefox and try a CAC enabled site to ensure everything is working.

After entering your PIN, you should get a certificate selection window:

Success!

6) Configure the Thunderbird E-Mail client for use with the CAC.

Launch Thunderbird and set up your POP or IMAP account.

Go to: https://crl.chamb.disa.mil/ and download your E-Mail CAs.

Import the DoD Root CAs into Thunderbird by navigating to Preferences > Advanced > Encryption > View Certificates > Authorities > Import.

Ensure your CAC is inserted and restart Thunderbird.

Navigate to Edit > Account Settings > Security and select your CAC certificate in both the Digital Signing and Encryption sections.

Now try to send an encrypted and signed email to yourself and see if you can decrypt it.

Open the message to verify:

Done.
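
A preflight for steps 2 through 5, as an added example that is not part of the original guide: it checks the packages from step 2, checks that the Coolkey module from step 5 exists and is not writable by group or other, and classifies pcsc_scan output. The sample scan text and reader name are constructed, the function names are hypothetical, and bounding pcsc_scan with the coreutils timeout command is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original guide: preflight for steps 2-5.
MODULE=/usr/lib/pkcs11/libcoolkeypk11.so   # module path from step 5
PACKAGES="coolkey pcscd pcsc-tools"        # packages from step 2

# Constructed sample of pcsc_scan output (reader name is a placeholder).
SAMPLE_SCAN='Scanning present readers...
0: Example Reader 00 00

Reader 0: Example Reader 00 00
  Card state: Card inserted,
  ATR: 3B 00'

# Classify pcsc_scan output on stdin: card-present, reader-no-card, no-reader.
reader_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Card state:.*Card inserted'; then
        echo card-present
    elif printf '%s\n' "$out" | grep -Eq '^Reader [0-9]+: '; then
        echo reader-no-card
    else
        echo no-reader
    fi
}

# The module is loaded into the browser process, so require a regular file
# that neither group nor other can write to.
module_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ldL "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

preflight() {
    rc=0
    for p in $PACKAGES; do
        dpkg -s "$p" 2>/dev/null | grep -q '^Status: install ok installed' \
            || { echo "missing package: $p"; rc=1; }
    done
    module_ok "$MODULE" || { echo "module missing or writable: $MODULE"; rc=1; }
    # pcsc_scan polls until interrupted; bound it (assumes coreutils timeout).
    state=$(timeout 5 pcsc_scan 2>/dev/null | reader_status)
    echo "reader: $state"
    [ "$state" = card-present ] || rc=1
    return "$rc"
}

case "${1:-}" in
    --run)  preflight ;;
    --demo) printf '%s\n' "$SAMPLE_SCAN" | reader_status ;;
esac
```

Run it with --run after step 5 with the CAC inserted, or with --demo to classify the constructed sample without any hardware.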