This page explains how to use your Common Access Card (CAC) PKI certificates with Debian. The information below is specific to CACs. See Smartcards for general smart card information with Debian. The intent for this page is to maintain a modern (as of October 2019) and secure solution to using CACs in Debian.

Firefox

1. Install CoolKey

$ sudo apt install coolkey

Note: OpenSC does not work well with some DoD websites like DTS.

2. Add the PKCS#11 module in Firefox.

Go to: Menu > Preferences > Privacy & Security > Security - Certificates - Security Devices button > Load button.

Module name: CoolKey PKCS#11 Module

Module filename: /usr/lib/pkcs11/libcoolkeypk11.so

3. Download the DoD Root Certificates and extract them from the ZIP archive.

https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-6_dod.zip

4. In Firefox, open the Privacy & Security settings and press the View Certificates button.

Go to: Menu > Preferences > Privacy & Security > View Certificates

5. Import the "Certificates_PKCS7_v5.6_DoD.der.p7b" certificates bundle file.

Go to: Certificate Manager > Authorities tab > Import button and select the file.

If prompted "Do you want to trust DoD Root CA X for" identifying websites and email users, check both boxes ONLY for DoD Root CAs.

Note: Firefox only seems to successfully import all certificates with DER bundles.

6. Edit trusts for the DoD Root CAs.

Scroll down to "U.S. Government" and select each DoD Root CA, press the Edit Trust button, and check:

For only and all the DoD Root CAs:

Trust will be chained to all the other subordinate certificates issued by these Root CAs, so you do not need to change the trusts for any intermediate CAs or end entity certificates.

This will remove all "Warning: Potential Security Risk Ahead" (SEC_ERROR_UNKNOWN_ISSUER) HTTPS connection warnings. If you still receive these warnings when visiting a DoD website, check that all DoD Root CAs are installed, and they are all trusted to identify websites.

7. Test your DoD PKI login.

Try logging into the CAC only https://cyber.mil website. It may prompt for a certificate several times as it redirects to several pages.