1 Common Access Card (CaC) and PIV certification with Firefox on Manjaro

As there are a few of us out there in the world who are employees of the US Government, as well as being Linux geeks, we sometimes need to access a government site from our Linux box. With the relatively recent switch over to PIV certificates, what we had set up broke, and must be rebuilt.

First off, thanks to Nathan Wolf and Michael Danberry over at militarycac.com for including us Linux geeks, and making sure there’s a section for us. It’s an excellent website that I always reference when I have any hiccups. Also, thanks to John’s post at his Tech Blog. It helped point me in the right direction.

John’s post is geared towards those using Ubuntu, a great distro, and he specifies using the synaptic package manager in a GUI. I’m using Manjaro these days, and I’m trying to use the command line as much as possible, so I didn’t want to do that. Fortunately, John organized his post well, and I was able to get all the info I needed.

Package      Version
coolkey      1.1.0_36-2
pcsc-perl    1.4.14-11
pcsc-tools   1.5.6-1
pcsclite     1.9.0-1
table 1-1: packages to use CaC card on Manjaro. I included version numbers simply to specify which ones I used with success. These all seem to use semantic versioning, so as long as the first number doesn’t increase (indicating a potentially breaking change), later versions (e.g. coolkey 1.1.3 or pcsc-perl 1.5.2) should be ok as well.

Pamac is a great tool with both a command line interface, as well as a GUI built in GTK and Qt, for whichever framework you’re running. For the command line, you’ll need to input the following command:

$ sudo pamac install coolkey pcsc-perl pcsc-tools pcsclite

As of this writing, coolkey is only available from the AUR, so pamac will ask if that’s OK.

Once those are finished installing, you’ll need to download this file from the Linux page on militarycac. It’s a collection of all the certificates potentially needed for CaC use. Once you’ve downloaded the zip file, pop back over to the command line and input:

$ unzip <name-of-zipped-certs-file>.zip


Now, it’s time to grab a beverage, open up Firefox, and get ready for a bit of tedium.

Head over to the settings page for Firefox, and head down to Privacy & Security. Scroll all the way down to Certificates:

image 1-1: Firefox Settings > Privacy & Security

This is where the tedium starts. Click on “View Certificates”, and a new window will pop up. For each certificate you’ll have to click “Import”, choose the certificate file, click both check boxes in the new window, and hit OK. There is no bulk add that I could find, sad to say. If anyone knows of a way, please let me know, I’ve got a few other Linux boxes I might need to do this to.

image 1-2: Firefox Settings > Privacy & Security > View Certificates
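The per-certificate import described above can also be scripted with `certutil` from NSS. This is an added example, not part of the original post; the trust string `CT,C,`, the `.cer`/`.crt` file extensions and the function names are assumptions, and Firefox should be closed while it runs.

```shell
#!/bin/sh
# Bulk-import CA certificates into a Firefox profile's NSS database.
# Assumptions (not from the original post): certutil is installed (it ships
# with NSS), the unzipped bundle holds .cer/.crt files, and the profile uses
# the cert9.db (sql:) database format.
CERTUTIL="${CERTUTIL:-certutil}"   # overridable, e.g. with a full path
TRUST="${TRUST:-CT,C,}"            # assumed stand-in for the two trust check boxes

# Derive a certificate nickname from a path: drop directory and extension.
cert_nickname() {
    base=${1##*/}
    printf '%s\n' "${base%.*}"
}

# import_certs <firefox-profile-dir> <cert-dir>
# Prints the number of certificates imported; failures go to stderr.
import_certs() {
    profile=$1 certdir=$2 count=0
    if [ ! -f "$profile/cert9.db" ]; then
        echo "no cert9.db in $profile (not a Firefox profile?)" >&2
        return 1
    fi
    for f in "$certdir"/*.cer "$certdir"/*.crt; do
        [ -f "$f" ] || continue    # an unmatched glob stays literal; skip it
        nick=$(cert_nickname "$f")
        if "$CERTUTIL" -A -d "sql:$profile" -n "$nick" -t "$TRUST" -i "$f"; then
            count=$((count + 1))
        else
            echo "failed to import: $f" >&2
        fi
    done
    echo "$count"
}

# Runs only when called with two arguments, for example:
#   sh import-certs.sh ~/.mozilla/firefox/<profile-dir> ./<unzipped-certs-dir>
if [ "$#" -eq 2 ]; then
    import_certs "$1" "$2"
fi
```

Afterwards, `certutil -L -d sql:<profile-dir>` lists the imported nicknames with their trust flags, which is a quick way to confirm that only the intended CAs were added.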

OK, now that all the certs have finally been imported, we can make sure there’s a device that Firefox can see. Click on “Security Devices”, and a new window will pop up.

image 1-3: Firefox Settings > Privacy & Security > Security Devices

Click “Load”, give the new device a nice descriptive name (I went with “DODCAC”, as you can see), and in the “Module filename” text box, point it to:
/usr/lib/pkcs11/libcoolkeypk11.so
Click OK, and you’re done. You shouldn’t have to restart Firefox or your computer. I was immediately able to go to a CaC-accessible website and sign in. Hope this helps!

That’s the thing about people who think they hate computers. What they really hate is lousy programmers.

― Larry Niven

0 Start

Thanks for checking out the site!  I’m hoping to make this a central spot for any of my projects, interests, and some tutorials I hope others will find helpful, at least those I’m ready to release to the public!  I’m sure there will be a few times I’ll be stumped with something, and hopefully there will be a reader out there with an answer to my woes…

I have no planned release schedule, only as I have stuff I think is ready for public consumption.

Check in once in a while, I’m hoping that this will become a fun stop on the internet…

Good company in a journey makes the way seem shorter.

Izaak Walton
A sunset over Lake Champlain I managed to capture