For sites that support or require PKI authentication, users sometimes encounter errors related to presenting certificates.
Make sure your CAC is inserted
It can and does happen! If you are attempting to connect with a CAC, please make sure that it is inserted and readable by your operating system.
If you mistype the PIN or password on a soft certificate, the certificate does not get sent and you will not be able to log in.
The DISA IASE site has good information on getting started with PKI.
If the browser shows an error message stating that a certificate was not presented, or if the certificate selection dialog does not display the desired certificate, the most likely issue is a misconfiguration of the operating system or browser. Please see the sections in the knowledge base on Configuring Browsers, Supported Certificate, Locked CAC and Root Certificates for the most common solutions.
Additional instructions for configuring your browser to use PKI.
Only supported certificate issuers are authorized for use on DoD sites. These include DoD CAC, DoD External Certificate Authority (ECA) and DoD Interoperability Providers. In HmC, MITRE credentials are also supported. If the credential is not in the approved list, it will not appear as an option.
DoD-issued Common Access Cards (CACs) are designed to lock after three incorrect PIN entries. In some operating system/browser combinations it is not clear that the CAC is locked when it is presented in the browser. To check whether a CAC is locked, try unlocking the CAC via the local certificate middleware (e.g., ActivClient on Windows or Keychain.app on Mac OS).
If you are experiencing issues with a mismatched certificate when attempting to log in to CONS3RT, you may have to empty your browser cache. On Mac OSX, hold down command-shift-r and then restart your browser. If the issue persists, please email the support team at firstname.lastname@example.org.
Cross Certificate Issue
Occasionally, certificate configurations on Windows systems can become unusable, typically (but not always) when a user is issued new credentials from a different Certificate Authority (CA). This is a known issue in which the browser appears to present a certificate to the website but actually does not. This issue can be fixed by running the Cross Certificate Removal Tool.
- Download the Cross Certificate Remover Tool.
- To find it on the DISA IASE site, click Tools on the left side, then select All and scroll down to the FBCA Cross-Certificate Remover.
- Download this User Guide, and follow the steps in the "Installing and Running the Tool" section.
Your operating system requires the DoD Root Certificate Authority (CA) certificates to be installed in order to use PKI authentication to access DoD websites. If they are not installed, your certificate will not be properly presented to the website for use. Specifically, the DoD Root CA3 certificate must be installed to reach HmC.
- To see available DoD Root CA packages to download, visit the DISA IASE Tools page, select the Trust Store tab, and then scroll down to Trust Store.
- Option 1: Download InstallRoot, and follow the instructions to install all DoD and ECA certificates into your Windows and optionally Firefox trust stores.
- Option 2: Download and install this package to install the DoD Root CAs and all subordinates.
Mac OSX Computers
- Download the Certificates_PKCS7_v5.0u1_DoD.zip file and extract the zip file.
- In the extracted directory, double-click on this file: DoD_Root_CA_2_0x05_DoD_Root_CA_2.cer. After you type your admin password, this will open Keychain Access.
- Select the "System" keychain to install the DoD root certificate.
- In Keychain Access, select the System keychain.
- Scroll down to DoD Root CA 2, and double-click on it.
- Under Trust, set the When using this certificate box to: Always Trust
- Repeat these steps for DoD_Root_CA_2_0x05_DoD_Root_CA_3.cer and DoD_Root_CA_2_0x05_DoD_Root_CA_4.cer.
- Close your browser and re-open it.
Note: DoD Root CA 3 is required for HmC access.
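The Supported Certificate and Root Certificates points above can be checked from the client side. This is an added example, not part of the original article or any DISA tooling: it parses the CA names a server advertises when it requests a client certificate (in the style printed by `openssl s_client -connect <host>:443`) and reports whether a certificate's locally built issuer chain reaches one of them. The sample output, the DNs in it and the function names are constructed for illustration, and the matching is a simplified model of what browsers do.

```python
import re

# Constructed sample in the style of `openssl s_client -connect <host>:443`
# output; the advertised DN is an assumption, not captured from any real site.
SAMPLE_S_CLIENT = """\
---
Acceptable client certificate CA names
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Client Certificate Types: RSA sign, ECDSA sign
---
"""

def normalize_dn(dn):
    """Turn 'C = US, CN = X' or '/C=US/CN=X' into a comparable tuple of pairs."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = re.split(r",\s*(?=[A-Za-z]+\s*=)", dn)
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip().casefold()))
    return tuple(pairs)

def acceptable_ca_names(output):
    """Collect the DNs listed under 'Acceptable client certificate CA names'."""
    names, in_section = [], False
    for line in output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_section = True
        elif in_section:
            if "=" not in line:   # '---' or 'Client Certificate Types: ...'
                break
            names.append(normalize_dn(line))
    return names

def diagnose(local_chain, acceptable):
    """local_chain: issuer DNs from the leaf's issuer up to the highest CA the
    local trust store can build. Returns (offered, matched_dn)."""
    if not acceptable:            # an empty list places no restriction on issuers
        return True, None
    for dn in local_chain:
        if normalize_dn(dn) in acceptable:
            return True, dn
    return False, None
```

A chain that stops at the intermediate CA because the root is not installed returns `(False, None)` when the server advertises only the root, which is the "certificate does not appear in the dialog" symptom described above.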