About Centrify and PIV Certificate Problem

Happy Valentine’s Day!

We received a report about a login problem on a military web site, using a Dual Persona card and a Centrify product.  In the interests of simplicity, I’m going to break this blog into several separate sections, beginning with the customer’s environment.

The Customer’s Environment

  • User has a Dual Persona card (also known as CACNG or Dual-Identity)
  • User wants to log in to a web site that requires TLS client authentication with the card’s PIV Authentication certificate, e.g., web.mail.mil
  • User has installed either Centrify Express for Smart Card, or Centrify for Mac.

Steps to Reproduce

  1. Install Centrify Express for Smart Card or Centrify for Mac.
  2. Install the necessary certificate chain, e.g., the DoD Root CA and the intermediate CA certificates that issued the card’s certificates.
  3. Insert the Dual Persona smart card into the smart card reader.
  4. Go to a military web site that requires PIV certificate, e.g., web.mail.mil

Expected Result

User logs in successfully to web.mail.mil using PIV certificate.

Actual Result

User is denied login.

The Root Cause

Our Centrify product ships with four tokends (smart card drivers) – CAC, CACNG, PIV, and BELPIC.  When a Dual Persona card is inserted, the CACNG tokend is assigned as the card’s driver.  The CACNG tokend cannot perform a digital signature with the private key behind the PIV Authentication certificate.  Web login depends on exactly that operation: during the TLS handshake the browser must sign a challenge with the card’s private key to prove it holds the certificate it presented.  Because the signature fails, the handshake fails and the site denies the login.

Proposed Workaround

Luckily for everyone, Centrify ships another tokend with our Mac product, PIV.tokend.  This driver is capable of the digital signature operation with the Dual Persona card’s PIV Authentication certificate.

To use this workaround, you must force the Mac to choose PIV.tokend.  This is done by moving the CACNG tokend out of OS X’s tokend folder.  Note that the `CAC*` pattern in step 4 below matches both CAC.tokend and CACNG.tokend, so both are moved aside; with neither CAC driver available, the card falls through to PIV.tokend.

  1. Open Terminal
  2. cd /System/Library/Security/tokend/
  3. sudo mkdir tmp
  4. sudo mv CAC* tmp/
  5. Remove and insert your card again
  6. Open Keychain Access.  Make sure the card appears as “PIV-*” in the top left hand corner of the Keychain Access App
  7. Try going to the web.mail.mil web site.  (If you are using Safari and it has already remembered a certificate for web.mail.mil, delete that stored choice, an “identity preference” item for web.mail.mil in Keychain Access, so that you are prompted again and can select the PIV certificate.)

This workaround may cause a problem if you try to use a different certificate on the Dual Persona card for a different purpose, since any certificate that was only exposed through the CAC tokends is no longer available.  If you observe this problem, you can undo the changes to tokend:

  1. cd /System/Library/Security/tokend/
  2. sudo mv tmp/CAC* .
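The two procedures above, the workaround and its undo, as a pair of shell functions.  This is an added example, not Centrify’s code.  It moves the same `CAC*` bundles to the same `tmp` folder as the manual steps, but adds the checks you would want before touching a system driver directory: it refuses to remove the CAC tokends if PIV.tokend is not present (the card would be left with no driver), refuses to run a second time while a backup already exists, and offers a listing of the remaining tokends so you can confirm the state before re-inserting the card.  `TOKEND_DIR` defaults to the OS X tokend folder and is a variable only so the functions can be exercised against a scratch directory; on a real system they must be run with `sudo`, and on OS X 10.11 and later System Integrity Protection prevents writes to /System/Library even as root.

```bash
#!/bin/sh
# Added example (not Centrify's code): switch a Dual Persona card from the
# CAC/CACNG tokends to PIV.tokend by moving the CAC* bundles aside, and undo
# that move.  TOKEND_DIR is a variable (assumption) so the functions can be
# tested against a scratch directory; the default is the real OS X location.
TOKEND_DIR="${TOKEND_DIR:-/System/Library/Security/tokend}"
BACKUP_SUBDIR="tmp"

# Move CAC.tokend and CACNG.tokend into $TOKEND_DIR/tmp so OS X falls back to
# PIV.tokend for the card.  Refuses to run if PIV.tokend is absent or if a
# previous run's backup is still in place.
disable_cac_tokend() {
    dir="$TOKEND_DIR"
    backup="$dir/$BACKUP_SUBDIR"
    if [ ! -d "$dir/PIV.tokend" ]; then
        echo "PIV.tokend not found in $dir; refusing to remove CAC tokends" >&2
        return 1
    fi
    for t in "$backup"/CAC*.tokend; do
        if [ -e "$t" ]; then
            echo "$backup already holds $(basename "$t"); run restore_cac_tokend first" >&2
            return 1
        fi
    done
    mkdir -p "$backup" || return 1
    moved=0
    for t in "$dir"/CAC*.tokend; do          # matches CAC.tokend and CACNG.tokend
        [ -e "$t" ] || continue
        mv "$t" "$backup/" || return 1
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        echo "no CAC*.tokend bundles in $dir; nothing to do" >&2
        return 1
    fi
    echo "moved $moved tokend bundle(s) to $backup; remove and re-insert the card"
    return 0
}

# Put the CAC tokends back so the card is driven by CACNG again.
restore_cac_tokend() {
    dir="$TOKEND_DIR"
    backup="$dir/$BACKUP_SUBDIR"
    [ -d "$backup" ] || { echo "no backup folder at $backup" >&2; return 1; }
    for t in "$backup"/CAC*.tokend; do
        [ -e "$t" ] || continue
        mv "$t" "$dir/" || return 1
    done
    rmdir "$backup" 2>/dev/null   # only succeeds once the backup is empty
    return 0
}

# List the tokend bundles currently active, one per line, e.g. to confirm
# that only PIV.tokend (and BELPIC.tokend) remain before re-inserting the card.
active_tokends() {
    for t in "$TOKEND_DIR"/*.tokend; do
        [ -e "$t" ] || continue
        basename "$t"
    done
}
```

Usage on a real machine is `sudo sh -c '. ./tokend-switch.sh; disable_cac_tokend'` (file name assumed), followed by removing and re-inserting the card and checking that Keychain Access shows it as “PIV-*”; `restore_cac_tokend` reverses the change.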

Centrify’s Long Term Fix

We have confirmed the problem in Centrify and the CACNG tokend driver, and are working on the fix.  Our plan is to have this done in the next release of Centrify for Mac and Centrify Express for Smart Card.

If you have any questions or concerns, please comment on this blog, or please contact our Support at support@centrify.com.

Thank you very much for using Centrify products!