Certificates

CONS3RT sites supporting government users (e.g. HmC) require the use of PKI certificate credentials for authentication. These can include:

The 6 sections below cover the most common user questions regarding certificates.

  1. How to Register with a Certificate
  2. Obtaining an ECA Certificate
  3. Logging in to HmC with a Certificate
  4. Adding a New Certificate or CAC to your account
  5. Managing your Account Certificates
  6. Troubleshooting Certificate issues

If you can’t answer your question by perusing this KB, please feel free to submit a support ticket to support@cons3rt.com

1. How to Register with a Certificate


Register your CAC or ECA Certificate

  1. Ensure your CAC or ECA cert is loaded into your browser
  2. Navigate to the HmC site or the CONS3RT site
  3. Select the certificate that you would like to register, and enter the CAC PIN or ECA passphrase as needed. Note: Any of the CAC certs will work.
  4. Click OK after the Notice and Consent Page
  5. Click the Register button in the top-right, and follow the instructions.
  6. You should receive an email with additional instructions for getting your HmC account approved

2. Obtaining an ECA Certificate


HmC requires the use of a PKI credential. Users without a Common Access Card (CAC) can authenticate using External Certificate Authority (ECA) certificates. Using ECA certificates has many benefits:

  • Convenient site access using your browser or mobile device
  • Convenient method for making ReST API calls

Info on Obtaining an ECA certificate

The software-based Medium Assurance ECA Certificate is the best solution for most contractors, developers and testers. An ECA Medium Assurance Software Certificate or the ECA Medium Token Assurance stored on a separate Smart Card or USB Token can also be used. For machine-to-machine API connections, ECA Medium Assurance TLS/SSL is required.

DoD External and Federal PKI Interoperability

If your agency or employer is part of the DoD External and Federal PKI Interoperability program, those credentials can also be used in HmC:

Add an ECA Certificate to your CONS3RT Account

Follow the steps in #4 below to add the ECA cert to your account.

3. Logging into HmC with a Certificate


HmC uses certificate-based authentication only. There is no username/password access to HmC.

Logging in to HmC

  1. First and foremost, ensure your certificate is loaded into your browser
    • If using a CAC, ensure you have the proper middleware installed, and your CAC is inserted into your CAC reader
    • If using an ECA certificate, ensure the certificate has been imported into your browser
  2. Navigate to the HmC site URL https://hmc.hpc.mil
  3. You will be prompted to select a certificate. Select the same certificate you used to register for an account
  4. Click Agree at the Notice and Consent page
  5. Click the Sign-In button at the top right

Please Note:

If you selected a different certificate than was registered, your login will fail, but you can add the certificate to your HmC account using the steps in Section 4 below.

If your HmC account has not been approved, please review the HmC Account Approval Process.

4. Add a New Certificate or CAC to your account


Adding a new Certificate

Use the following steps to add a CAC or ECA certificate to your existing account.

  1. Navigate to HmC or CONS3RT
  2. Click the Sign-In button
  3. When prompted, select the new CAC or ECA certificate that you would like to associate.
  4. You should see an authentication error, but under that error there is an Account Assistance link.
  5. Click the Account Assistance link
  6. Select I Have a New Certificate
  7. Enter the email to add your CAC or ECA certificate to your existing account (Be sure to use the email address associated with your existing HmC account)
  8. Check your email for the link to associate your cert with your account (If no email appears, be sure to check your spam filter. If no email appears after more than 15 minutes, contact support@cons3rt.com)
  9. Following the link, when prompted, select the new CAC or ECA certificate that you would like to associate
  10. You will be sent to a page with Client Certificate Details, please confirm that everything is correct, and then click Add Certificate

Once completed, return to HmC or CONS3RT and sign in with your new certificate.

Still having trouble?

First, try closing and re-opening your browser to clear any prior certificate selections.

If that does not work, your existing account might be inactive if you have had more than 30 days of inactivity.

  1. Follow these instructions to reactivate your account
  2. Once your account is reactivated, follow the steps above to add your new certificate

If you are still having issues, please verify that you have the proper root certificates installed. The steps are in this article: https://kb.cons3rt.com/articles/wrong-certificate

Please Note:

Account reactivation requests may require re-approval from a Government sponsor.

5. Manage Your Account Certificates


Once signed in to your HmC account, all users can manage their own certificates:

  1. Click on the “person” icon located on the top right corner of the page
  2. Choose "Profile & Account" from the list
  3. On the left panel of the profile page, select "Security"
  4. On the security page scroll down to the PKI certificates section.

You can now review which certificates are registered to your account (e.g. your CAC email or ID certificate). If there are any you wish to remove from the account, click the "X" located at the right side of the certificate.

6. Troubleshooting Certificate issues


For sites that support or require PKI authentication, users sometimes encounter errors related to presenting certificates. The DoD Cyber Exchange site has good information on getting started with PKI/PKE.

Can't Log In With your CAC?/Client Certificate Not Found?

CONS3RT sites supporting government users (e.g. HmC) require the use of PKI certificate credentials for authentication. There is no username/password access to HmC. Credentials can include:

What Causes the "Client Certificate Not Found" Error?

The "Client Certificate Not Found" error occurs when the site looks for the registered PKI certificate required for access and fails to find it. The most likely issue is a misconfiguration of the operating system or browser. Please see the sections below for possible solutions:

  • Configuring Browsers
  • Locked CAC
  • Cross Certificate Issue (try this one if the browser appears to be configured correctly)

Before we get started troubleshooting, there are a couple of basic preliminary steps to follow:

  1. Try clearing the cache on your browser (this can usually be done via the settings or history tab, and is sometimes called clearing browser history). Be sure to close your browser and open it again for the best results.
  2. Try a different browser! It's quite common to install your certs via Chrome or Safari, then log in to a computer with a different default browser and forget that the certs were installed somewhere else!
  3. Try incognito mode. If you're using Chrome, Incognito mode is a useful troubleshooting mode because it eliminates any possible issues with cookies or sessions being cached.
  4. Make sure your CAC is inserted! It can and does happen. If you are attempting to connect with a CAC, please make sure that it is inserted and readable by your operating system.
  5. Make sure that you are typing your CAC password correctly. If you mistype the PIN or password on a soft certificate, the certificate does not get sent over and you will not be able to log in.

Configuring Browsers

Additional instructions for configuring your browser to use PKI.

Locked CAC

DoD issued Common Access Cards (CACs) are designed to lock after three incorrect PIN entries. In some operating system/browser combinations it is not clear that the CAC is locked when being presented in the browser. To check if a CAC is locked, try unlocking the CAC via the local certificate middleware (e.g. ActiveClient on Windows or Keychain.app on Mac OS).

Cross Certificate Issue

Occasionally, certificate configurations on Windows systems can become unusable, typically (but not always) when a user is issued new credentials from a different Certificate Authority (CA). This is a known issue in which the browser appears to present a certificate to the website but actually does not. This issue can be fixed by running the Cross Certificate Removal Tool.

Please Note:

If you selected a different certificate than was registered, your login will fail, but you can add the certificate to your HmC account using the instructions in section #4 above.

Please Note:

Some Windows users are able to resolve certificate and/or TLS connection issues by adding the site to the Trusted Sites list in the browser.

Didn't receive an email after adding a new certificate?

There are several possibilities that could result in no email being received after requesting a new certificate.

  • Wrong Email
    • The email address attached to your HmC account is outdated or misspelled (it happens more often than you might think).
  • Spam Email
    • Check your spam folder. Sometimes emails can end up being caught by the spam filter.
  • Blocked Email
    • The emailer that automatically sends these emails may be blocked by your network or firewall settings at your workplace

Unless the email is simply caught in the spam filter, the simple resolution is to put in a support ticket by using the "Contact Us" widget on the HmC or CONS3RT page, or send an email to support@cons3rt.com.

Encountering a "CAC not detected" or "TLS Issue" Message in the Browser?

See this Knowledge Base Article for our recommended resolution.