
I have Apache set up to require a DOD CAC in order to access the site. On most DOD CACs there are actually 3 or 4 different certificates (ID, EMAIL, AUTH, etc.). I've noticed that for some websites you need to pick the correct certificate or it won't grant access. I've also been told that by 2020, all sites will require the AUTH certificate. What I'm trying to figure out is how to only allow a specific certificate type, as currently picking any certificate on the card with the proper PIN will grant access.

Dave D.

1 Answer


Switching between the various certs in the CAC dialog and viewing the cert properties, there is an "Enhanced Key Usage" field which contains "Smart Card Logon" on the auth cert. This is not on the ID cert.

This post seems to address this with an Apache SSLRequire directive:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3C20091015143102.GA4558@redhat.com%3E

I haven't gotten this to work yet, but I think with the help of this I am on the way: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html

Richard Sandoz
  • Thanks. "Smart Card Login" is part of the Signature cert though, so that's not quite gonna work. It would eliminate using the ID or Encryption certs only. – Dave D. Feb 06 '19 at 18:54
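As an added example (not part of the question, the answer or the comment), a pure-stdlib Python check for the Enhanced Key Usage the answer points at: it walks a certificate's DER for the extKeyUsage extension (OID 2.5.29.37) and decodes the OIDs inside it, so a CAC certificate can be accepted only when the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) is present, whichever certificate on the card carries it. The two extension blocks at the end are constructed test data, not real CAC certificates.

```python
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # Microsoft Smart Card Logon EKU
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"             # id-kp-clientAuth
EKU_EXTENSION_OID = bytes.fromhex("551d25")   # 2.5.29.37 (extKeyUsage), DER-encoded

def der_tlvs(data):
    # Yield (tag, value) for each DER element at the top level of data.
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long form: low bits = byte count
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def decode_oid(raw):
    # Decode OID content bytes to dotted notation (first byte packs two arcs).
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def find_eku_oids(der):
    """Return the EKU OIDs found in a DER structure, or [] if there is no EKU."""
    try:
        elems = list(der_tlvs(der))
    except IndexError:                         # not DER inside (e.g. opaque bytes)
        return []
    for idx, (tag, val) in enumerate(elems):
        if tag == 0x06 and val == EKU_EXTENSION_OID:
            octets = next(v for t, v in elems[idx + 1:] if t == 0x04)   # extnValue
            eku_seq = next(v for t, v in der_tlvs(octets) if t == 0x30)  # SEQUENCE OF OID
            return [decode_oid(v) for t, v in der_tlvs(eku_seq) if t == 0x06]
        if tag in (0x30, 0x31) or tag & 0xE0 == 0xA0:   # SEQUENCE / SET / [n] EXPLICIT
            found = find_eku_oids(val)
            if found:
                return found
    return []

def is_auth_cert(der):
    return SMART_CARD_LOGON in find_eku_oids(der)

# Constructed extension blocks (not real CAC data): Smart Card Logon + clientAuth, then clientAuth only.
AUTH_CERT_EXTENSIONS = bytes.fromhex(
    "30 21 30 1f 06 03 55 1d 25 04 18 30 16 06 0a 2b 06 01 04 01 82 37 14 02 02"
    "06 08 2b 06 01 05 05 07 03 02")
ID_CERT_EXTENSIONS = bytes.fromhex(
    "30 15 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 02")
```

With `SSLOptions +ExportCertData`, Apache hands the client certificate to the application as PEM in `SSL_CLIENT_CERT`; strip the armor and base64-decode it before passing the bytes to `find_eku_oids`.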