A project for consistently configuring DOD CACs on Linux. Currently, this process will not work with Firefox if it is installed via snap. Before using this project, please review the Known Issues section.
Regardless of how similar two distributions may be, I will only list distributions and versions here that I know have been tested with this method.

Distribution | Versions | Browsers
---|---|---
Ubuntu | 20.04 LTS | Firefox, Chrome
Ubuntu | 22.04 LTS | Chrome
PopOS! | 20.04 LTS | Firefox, Chrome
PopOS! | 22.04 LTS | Firefox, Chrome
Please run either the Automated Installation or the Manual Installation, but not both.
WARNING: Please make sure all browsers are closed before running the script.

If you choose this option, you do not need to do the manual installation. This script requires root privileges since it installs the cackey package and its dependencies. Feel free to review the script here if this makes you uncomfortable. For transparency, the cackey package is downloaded from here and the DoD certificates are downloaded from here, both of which are recommended by militarycac.
Important Notes:

- The automated installation requires `wget` and `unzip` to run and will install both during the setup if they are not already installed. If you don't want either tool, remove it after the setup is complete using `sudo apt remove <command>`.
- The scripted installation has only been tested on the configurations listed in the Supported Distributions.
- This script uses the 64-bit version of the cackey package.
wget:

```sh
sudo bash -c "$(wget https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh -O -)"
```

curl:

```sh
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh)"
```

fetch:

```sh
sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh)"
```
WARNING: Only perform these steps if you have not done the automated installation.

1. Run the following command to install the CAC middleware:

   ```sh
   sudo apt install libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools
   ```

2. To verify that your CAC is detected, run (stop with ctrl+c):

   ```sh
   pcsc_scan
   ```

3. Download and install cackey from here.

4. Run the following command to verify the location of the cackey module and make note of the location:

   ```sh
   find / -name libcackey.so 2>/dev/null
   ```

   - NOTE: `libcackey.so` should be in one of the following locations: `/usr/lib/libcackey.so` OR `/usr/lib64/libcackey.so`

5. If `apt` updates cackey from 7.5 to 7.10, it will move `libcackey.so` to a different location. To prevent cackey from updating, run the following:

   ```sh
   sudo apt-mark hold cackey
   ```

   - NOTE: The cackey package will still show as upgradeable.

6. Download DOD certs from DISA here.

7. Unzip the `AllCerts.zip` folder using the following command:

   ```sh
   unzip AllCerts.zip -d AllCerts
   ```

8. For Chrome:

   - `cd` into the newly created `AllCerts` directory.
   - Run the following command:

     ```sh
     for cert in *.cer; do certutil -d sql:"$HOME/.pki/nssdb" -A -t TC -n "$cert" -i "$cert"; done
     ```

   - Run the following command (if step 4 showed the module under `/usr/lib/` rather than `/usr/lib64/`, use that path instead):

     ```sh
     printf "library=/usr/lib64/libcackey.so\nname=CAC Module" >> $HOME/.pki/nssdb/pkcs11.txt
     ```

9. For Firefox:

   - `cd` into the `AllCerts` directory.
   - Run the following command:

     ```sh
     for cert in *.cer; do certutil -d sql:"$(dirname "$(find "$HOME/.mozilla" -name "cert9.db")")" -A -t TC -n "$cert" -i "$cert"; done
     ```

   - Run the following command (again using the `libcackey.so` path you noted in step 4):

     ```sh
     printf "library=/usr/lib64/libcackey.so\nname=CAC Module" >> "$(dirname "$(find "$HOME/.mozilla" -name "cert9.db")")/pkcs11.txt"
     ```

   - NOTE: Since the Firefox database directory starts with a random string of characters, it needs to be found dynamically. Its naming and location follows this convention: `$HOME/.mozilla/firefox/<alphanumeric string>.default-release`.
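The Chrome and Firefox steps above as re-runnable shell functions. This is an added example, not the project's own `cac_setup.sh`: it locates `libcackey.so` in the two directories listed in step 4, resolves the Firefox profile directory without guessing when more than one profile holds a `cert9.db`, and registers the module in `pkcs11.txt` only once, so repeating the procedure after a cackey upgrade does not stack duplicate entries the way a bare `>>` does.

```sh
#!/usr/bin/env bash
# Added example (not the project's cac_setup.sh): the manual Chrome/Firefox
# steps as re-runnable functions. Paths are the ones named in the README.
set -euo pipefail

# Print the installed libcackey.so from the two locations the README lists.
find_cackey() {
    local p
    for p in /usr/lib64/libcackey.so /usr/lib/libcackey.so; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Print the Firefox profile directory holding cert9.db. Returns 1 if none exists
# (Firefox not started yet) and 2 if several profiles match, so nothing is guessed.
firefox_db_dir() {
    local base="${1:-$HOME/.mozilla/firefox}" dbs
    dbs=$(find "$base" -maxdepth 2 -name cert9.db 2>/dev/null || true)
    [ -n "$dbs" ] || return 1
    [ "$(printf '%s\n' "$dbs" | wc -l)" -eq 1 ] || return 2
    dirname "$dbs"
}

# Register the PKCS#11 module in <dbdir>/pkcs11.txt. Unlike a bare '>>', this
# skips the append when that library is already listed, so re-runs stay clean.
register_module() {
    local dbdir="$1" lib="$2" f="$1/pkcs11.txt"
    if [ -f "$f" ] && grep -Fxq "library=$lib" "$f"; then
        return 0
    fi
    printf 'library=%s\nname=CAC Module\n' "$lib" >> "$f"
}

# Import every .cer in <certdir> into <dbdir> as a trusted CA (-t TC),
# using the file name as the certificate nickname, as the README's loop does.
import_certs() {
    local dbdir="$1" certdir="$2" cert
    for cert in "$certdir"/*.cer; do
        [ -e "$cert" ] || continue   # no .cer files present: nothing to do
        certutil -d "sql:$dbdir" -A -t TC -n "$(basename "$cert")" -i "$cert"
    done
}
```

For Chrome, call `import_certs "$HOME/.pki/nssdb" ./AllCerts` and `register_module "$HOME/.pki/nssdb" "$(find_cackey)"`; for Firefox, pass `"$(firefox_db_dir)"` in place of the nssdb path.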
- Firefox and Chrome both need to be started at least once to initialize their respective certificate databases/profiles.
- CAC needs to be inserted before starting Firefox.
- Ubuntu 21.10 and greater (to include the latest LTS 22.04) have Firefox installed via snap by default. There is an outstanding bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1734371) that prevents the snap version of Firefox from being able to read the certificates. One solution could be to uninstall Firefox from snap and reinstall it via `apt`.
- If you upgraded from 20.04 to 22.04 on either PopOS or Ubuntu, this likely also upgraded the cackey package from 7.5 to the latest version, which currently breaks this process. You can either rerun the script or run through steps three through five of the manual installation.
- If you run into any issues with Firefox after running the script, clear your data and history in Privacy & Security and then restart Firefox. If your troubles are with MS Teams, see the section on troubleshooting Teams.
- Firefox will likely start up a bit slower after running this installation.
If you run into issues with MS Teams, try the following steps:

1. In the Firefox Settings window, select the Privacy & Security tab.
2. Under Cookies and Site Data, select Manage Exceptions.
3. In the Address of website text box, enter the following URLs, and then select Allow:
   - https://microsoft.com
   - https://microsoftonline.com
   - https://teams.skype.com
   - https://teams.microsoft.com
   - https://sfbassets.com
   - https://skypeforbusiness.com
4. Select Save Changes.

- NOTE: strict security settings in Firefox may cause a loading loop. See the official documentation for this issue here.
- https://militarycac.com/linux.htm (this was my starting point)
- https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/linux/cert_management.md
- https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/nss_tools_certutil/index.html
- https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/certutil/index.html
- https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox
- https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla
- https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/teams-sign-in/sign-in-loop#mozilla-firefox