Cac Card Reader Driver For Mac

 admin

Please select a browser below to access instructions for configuring your browser to use the certificates on your CAC.

IE and Chrome

First check whether your certificates are already available to your browser.

For Internet Explorer 8.0 and above:

The USB interface enhances this easy to install, easy to use smart card reader, and ensures high speed, utilization of smart card enabled applications. The 215 Reader is backed by fourteen years of design, support, and expertise in smart card readers and systems, the 215 Smart Card Reader is one of the most cost effective and user-friendly. The design means your CAC card is visible while inserted into the reader, which means you’ll never accidentally forget it. The SCR-10 from Rocketek is the second.

  1. Navigate to Tools > Internet Options > Content and click Certificates.
  2. On the Personal tab, review the list of certificates to determine if your CAC certificates are in the list. The certificates on your CAC will be issued by a DoD CA.
  3. If the certificates appear in the list, you are finished. If the certificates do not appear in the list, please see the note below.

For Google Chrome:

  1. Navigate to Tools > Options > Under the Hood and click Manage Certificates in the HTTPS/SSL section.
  2. On the Personal tab, review the list of certificates to determine if your CAC certificates are in the list. The certificates on your CAC will be issued by a DoD CA.
  3. If the certificates appear in the list, you are finished. If the certificates do not appear in the list, please see the note below.

NOTE: If your certificates are not in the list and you’re using ActivClient, please make sure it is installed correctly. If your certificates are not in the list and you are using other middleware, you can contact your CC/S/A for more information on the middleware requirements for your organization. You can find their contact information on our Contact Us tab.

Firefox

Below are complete instructions for using Firefox with your CAC. You may also download these instructions.

Install Certificates from InstallRoot

  1. Download and install the InstallRoot tool following the instructions in the InstallRoot User Guide or watch this video to learn how:
  2. Open the InstallRoot tool and select Firefox/Mozilla/Netscape from the Select Trust Store picklist at the bottom of the window.
  3. Ensure only the top Install DoD NIPRNET Certificates box is checked.
  4. Click the Install button and wait for the installation to complete. Please wait until you see a confirmation dialog indicating the tool is finished.

    5. Using Common Access Card (CAC) certificates in Firefox

    These instructions will enable ActivIdentity’s ActivClient software to work within Firefox. Before proceeding, try to ensure the latest version of ActivClient is installed by going to the ActivClient website to check the latest version. Before installing the latest version, please uninstall any previous versions of ActivClient.

    As of version 6.2, ActivClient by default configures Firefox to accept the CAC certificates without any additional configuration. You may use the following instructions to verify that it has been installed properly. If using an older version of ActivClient, these instructions will assist with proper configuration.

    1. Open Firefox
    2. Click on Tools > Options in the menu bar.
    3. In the Options window, go to Advanced > Encryption > Security Devices.
    4. In the new window, click on Load.
    5. Enter “ActivClient(CAC)” for the Module Name.

      Click Browse to the right of the Module Filename field. Browse to the location of the ActivClient PKCS11 library, acpkcs211.dll. This is typically located at C:Program Files (x86)ActivIdentityActivClientacpkcs211.dll in ActivClient 6.2, and C:Windowssystem32acpkcs201-ns.dll in ActivClient 6.1 and earlier.

      Click OK, and then OK again in the confirmation window.

    6. The confirmation message will show that the security device (CAC) was loaded. CAC certificates can now be used with the browser. Click OK to close the window.

      7. Ensure the Online Certificate Status Protocol (OCSP) is Performing Revocation Checking

      With any versions of ActivClient later than 6.2, these settings will be automatically configured. However, these instructions can be used to confirm proper configuration for older versions of ActivClient.

      1. Open Firefox
      2. Click on Tools > Options in the menu bar.
      3. In the Options window, go to Advanced > Encryption > Validation.
      4. Ensure the option Use the OCSP to confirm the current validity of certificates is checked. Also ensure When an OCSP server connection fails, treat the certificate as invalid is checked.

Safari

To get started you will need:

  • CAC (see note below)
  • Card reader

You can get started using your CAC on your Mac OS X system by following these basic steps:

  1. Get a card reader
    Typically Macs do not come with card readers and therefore an external card reader is necessary. At this time, the best advice for obtaining a card reader is through working with your home component. In addition, please review the DoD CAC Reader Specifications for more information regarding card reader requirements.
  2. Download and install the OS X Smartcard Services package
    The OS X Smartcard Services Package allows a Mac to read and communicate with a smart card. In order for your machine to recognize your CAC certificates and DoD websites as trusted, the installer will load the DoD CA certificates on OS X. Please refer to this page for specific installation instructions.
  3. Address the cross-certificate chaining Issue
    These instructions walk through adjusting the trust settings on the Interoperability Root CA (IRCA) > DoD Root CA 2 and the US DoD CCEB IRCA 1 > DoD Root CA 2 certificates to prevent cross-certificate chaining issues. This can make it appear that your certificates are issued by roots other than the DoD Root CA 2 and can prevent access to DoD websites.
  4. Configure Chrome and Safari, if necessary
    Safari and Google Chrome rely on Keychain Access properly recognizing your CAC certificates.
    1. In Finder, navigate to Go > Utilities and launch KeychainAccess.app
    2. Verify that your CAC certificates are recognized and displayed in Keychain Access

Note: CACs are currently made of different kinds of card stock. To determine what card stock you have, look at the back of your CAC above the magnetic strip. Most CACs are supported by the Smartcard Services package, however Oberthur ID One 128 v5.5 CACs are not. Third party middleware is available that will support these CACS; two such options are Thursby Software’s PKard and Centrify’s Express for Smart Card.

Client devices that use a smart card for user authentication must meet certain requirements.

Client Hardware and Software Requirements

Cac card reader for macbook

Each client machine that uses a smart card for user authentication must have the following hardware and software.

  • Horizon Client
  • A compatible smart card reader
  • Product-specific application drivers

Users must have a smart card, and each smart card must contain a user certificate. The following smart cards are supported.

  • U.S. Department of Defense Common Access Card (CAC)
  • U.S. Federal Government Personal Identity Verification (PIV) card (also called FIPS-201 smart cards)
  • Gemalto .NET card
  • Gemalto IDPrime MD card

For CAC and PIV cards, Horizon Client uses the CryptoTokenKit smart card driver by default and you do not need to install any middleware.

For Gemalto .NET cards, install the correct SafeNet Authentication Client version for your macOS version. Gemalto SafeNet Authentication Client supports both CryptoTokenKit and TokenD smart card drivers for Gemalto .NET smart cards.

You can also use the following third-party smart card drivers with CAC and PIV cards.

  • PKard for Mac v1.7 and v1.7.1
  • Charismathics (CCSI_5.0.3_PIV)
  • Centrify Express

To use a third-party smart card driver, you must disable the CryptoTokenKit smart card driver. For more information, see Disabling the CryptoTokenKit Smart Card Driver.

Agent Software Requirements

A Horizon administrator must install product-specific application drivers on the agent machine.

With PIV cards, the operating system installs the related driver when you insert a smart card reader and PIV card for a Windows 7 virtual desktop. The following agent drivers are supported for PIV cards for Windows 7 virtual desktops.

  • Charismathics (CSTC PIV 5.2.2)
  • Microsoft minidriver
  • ActivClient 6.x

The following agent drivers are supported for PIV cards for Windows 10 virtual desktops.

Cac Reader For Apple

  • Charismathics (CSTC PIV 5.2.2)
  • ActivClient 7.x

For Gemalto .NET cards, the Gemalto Minidriver for .NET Smart Card driver is supported.

Cac Card Reader Driver For Mac Windows 10

Enabling the Username Hint Field in Horizon Client

In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they use a smart card to authenticate.

To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature for the Connection Server instance in Horizon Console. The smart card user name hints feature is supported only with Horizon 7 version 7.0.2 and later servers and agents. For information about enabling the smart card user name hints feature, see the VMware Horizon Console Administration document.

Cac Card Reader Driver For Mac

If your environment uses a Unified Access Gateway appliance rather than a security server for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring Unified Access Gateway document.

Note:Horizon Client supports single-account smart card certificates, even when the smart card user name hints feature is enabled.

Additional Smart Card Authentication Requirements

In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.

Cac Card Reader Driver For Mac Windows 7

Connection Server and security server hosts
A Horizon administrator must add all applicable Certificate Authority (CA) certificates for all trusted user certificates to a server truststore file on the Connection Server host or security server host. These certificates include root certificates and must include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

When you generate a certificate for a blank PIV card, enter the path to the server truststore file on the Connection Server or security server host on the Crypto Provider tab in the PIV Data Generator tool.

Cac Reader For Mac Catalina

For information about configuring Connection Server to support smart card use, see the VMware Horizon Console Administration document.

Active Directory

Mac Compatible Cac Reader

For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the VMware Horizon Console Administration document.