In order to use PKI, smart card authentication or a DoD CAC (Common Access Card) with Google Chrome on Linux you must first install the DoD root certificates. These certificates let the system build and verify the certificate chain of the CAC, and they let your browser trust DoD websites whose server certificates chain up to those roots.
This has been tested on Fedora, CentOS and Red Hat.
First, we need to download the DoD root certificates from DISA. Go to:
https://public.cyber.mil/pki-pke/admins/#toggle-id-1
NOTE: As of the time of writing the old website (http://iase.disa.mil/pki-pke/Pages/tools.aspx) is no longer being updated.
Look for the "DoD PKI Only" link and click it to download the zip file.
When the zip file download is complete, open a terminal, go to the download directory and unzip the file.
EXAMPLE:
unzip Certificates_PKCS7_v5.0u1_DoD.zip
Now cd (change directory) into the newly created directory.
EXAMPLE:
cd Certificates_PKCS7_v5.0u1_DoD/
Now run the following command to import all of the p7b files into the trust store.
for n in *.p7b; do certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$n" -i "$n"; done
Now all of the certificates in the DoD root chain are available to your system via the NSS trust store. To check which certificates were installed, and with which trust flags, run the following command.
certutil -d sql:$HOME/.pki/nssdb/ -L
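The loop above imports each .p7b bundle as a whole under the file name. The script below is an added example, not part of the original post: it splits each bundle into individual certificates with openssl first (so a PEM-encoded .p7b no longer trips certutil's DER parser), imports each certificate under its CN, and gives CA trust only to the self-signed roots while intermediates are imported untrusted and validated through the root. It assumes certutil (nss-tools / libnss3-tools) and openssl are installed and that it is run from the unzipped bundle directory.

```shell
#!/bin/sh
# Added example, not part of the original post. Imports every DoD .p7b bundle in the
# current directory into the NSS store Chrome uses ($HOME/.pki/nssdb). Handles a
# PEM-encoded .p7b (certutil -A expects DER) and gives CA trust only to self-signed
# roots. Assumes certutil (nss-tools / libnss3-tools) and openssl are installed.
set -eu
NSSDB="sql:${HOME}/.pki/nssdb"

# Print "pem" or "der" depending on whether the file starts with a PEM armour header.
p7b_encoding() {
    if head -c 64 "$1" | grep -q -- '-----BEGIN'; then echo pem; else echo der; fi
}

# Split one .p7b bundle into single-certificate files cert1.pem, cert2.pem, ... in $2.
split_p7b() {
    bundle="$1"; outdir="$2"; mkdir -p "$outdir"
    openssl pkcs7 -inform "$(p7b_encoding "$bundle" | tr a-z A-Z)" -in "$bundle" -print_certs \
      | awk -v d="$outdir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}'
}

# Trust flags for a PEM certificate: CA trust for SSL, S/MIME and object signing only
# when the certificate is self-signed (issuer == subject); intermediates get ",," and
# are validated through the root instead of becoming trust anchors themselves.
trust_flags() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo "CT,C,C"; else echo ",,"; fi
}

# Import one PEM certificate under its CN as nickname, skipping ones already present
# (assumes CN is the last RDN of the subject, as in the DoD CA certificates).
import_cert() {
    nick=$(openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//')
    certutil -d "$NSSDB" -L -n "$nick" >/dev/null 2>&1 && return 0
    certutil -d "$NSSDB" -A -t "$(trust_flags "$1")" -n "$nick" -i "$1"
}

main() {
    mkdir -p "${HOME}/.pki/nssdb"
    [ -f "${HOME}/.pki/nssdb/cert9.db" ] || certutil -d "$NSSDB" -N --empty-password
    work=$(mktemp -d)
    for b in *.p7b; do split_p7b "$b" "$work/${b%.p7b}"; done
    for pem in "$work"/*/*.pem; do import_cert "$pem"; done
    rm -rf "$work"
    certutil -d "$NSSDB" -L    # roots should now show CT,C,C and intermediates ,,
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh import-dod-certs.sh --run` inside the unzipped directory; the final listing is the same check as the certutil -L command above.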
Conclusion
Once installed, the DoD root certificates allow you to establish an encrypted connection with DoD sites. They are also required if you use the Common Access Card to access any DoD resources. Below you will find additional resources on how to use a DoD CAC (Common Access Card) with Google Chrome and Firefox on Linux.
Resources and Links
10 Comments
Thanks for the help, but it returned an error when importing:
"certutil: could not decode certificate: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message."
Although the check appeared OK:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificates_PKCS7_v5.0u1_DoD_DoDRootCA4_withCAs_FirefoxChromeOS.der.p7b CT,,
Certificates_PKCS7_v5.0u1_DoD_DoDRootCA2_withCAs_FirefoxChromeOS.der.p7b CT,,
Certificates_PKCS7_v5.0u1_DoD_DoDRootCA3_withCAs_FirefoxChromeOS.der.p7b CT,,
Certificates_PKCS7_v5.0u1_DoD_OSX_CAsOnly.der.p7b CT,,
I received the same error message.
I suspect that they added some extra certs which are DER encoded. If the check turns out ok you should be fine.
Had the same error as others (using Ubuntu 18.04). Only one fails (the .pem.p7b file), the rest succeed.
Brian, can you confirm that the DoD certs still work?
I was able to get it all working.
In addition to the original problem I mentioned, I was unable to authenticate to a certain website (https://www.trmc.osd.mil) using chromium. As an aside, I don't have Firefox installed.
There ended up being two issues:
1) certutil wasn't installing all of the certs; using *gcr-viewer* I was able to get them all installed, though it's not automated because I had to actually click "import" on the dialogue. I would rather have used certutil but I don't know these tools well enough and I have spent too much time on this already.
for file in $(ls -1 | grep -v txt); do gcr-viewer "${file}"; done
2) With that I was still unable to authenticate to that site. I eventually realized it's because the certs weren't trusted. I'm not sure what the correct trust settings should be; I'll do some research on that shortly. When I run the following:
certutil -d sql:$HOME/.pki/nssdb -L
... I was seeing lines like the following:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
DOD SW CA-61 ,,
(snip)
The commas off to the right indicate the cert isn't trusted at all. As a quick & dirty fix I did the following:
certutil -d sql:$HOME/.pki/nssdb -L \
| perl -ne 'm{^(\S.+?)\s+\S*,} && system( "certutil -d sql:.pki/nssdb -M -t CT,C,C -n \"$1\"" )'
Thank you. I so much cannot get my heart away from serving my Military, the Government of the United States of America, and just about anything of interest to my nation becomes of real interest to me. Even if before I thought, "oh, that's not necessary," it becomes so necessary.
One of the p7b files fails with an error, and one of them silently fails, because certutil -d sql:$HOME/.pki/nssdb/ -L doesn't show it... So it's no dice for me.
Hello, running this a few years later on Ubuntu 22.04, but the outputs of these commands yield the following:
$ for n in *.p7b; do certutil -d sql:$HOME/.pki/nssdb -A -t TC -n $n -i $n; done
certutil: could not decode certificate: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
$ certutil -d sql:$HOME/.pki/nssdb/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificates_PKCS7_v5.9_DoD.der.p7b CT,,
Certificates_PKCS7_v5.9_DoD_DoD_Root_CA_3.der.p7b CT,,
Certificates_PKCS7_v5.9_DoD_DoD_Root_CA_4.der.p7b CT,,
I appreciate you posting these instructions so long ago... we've been working to try and automate/script the installation of some work-from-home tools (specifically "Desktop Anywhere", an Air Force Reserve VMware View solution). If you'd like to take a look, we'd love any thoughts or input. Thank you again.
https://gitlab.com/90cos/public/desktop-anywhere
The Desktop Anywhere scripts addcerts-linux.sh and addcerts-chrome.sh worked very well on a new Arch installation. Thanks for linking to your project!