Gentoo Wiki




this page is a work in progress, im currently implementing this myself, dont trust a single line on it

DOD CAC Server?

since the us military has begun implementing CAC cards everywhere, millions of CAC cards in use, and the added need for security thats maintainable across a large continuously changing network many vendors were asked to adopt the CAC standard (at the threat of being disconnected from the network.. yikes!) but there isnt much information on how to use my favorite gentoo installation as the base for a CAC authenticated server.

wikipedia has a good article for you to read here

Gathering Keys and Certificates

first for our work lets create a directory to work in:

mkdir ~/cac
chmod 600 ~/cac
cd ~/cac

visit and download the class3, class2 and ECA certificates:


unfortunately these files are in a lame microsoft format, now we need to convert them to something we can use.

Installing Keys and Certificates

openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_1024.p7b -out rel3_dodroot_1024.pem -print_certs
openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b -out rel3_dodroot_2048.pem -print_certs
openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b  -out dodeca.pem -print_certs

Now we can install the certificates into the system in various places, and in various formats:

mkdir /usr/share/ca-certificates/
touch /usr/share/ca-certificates/.keep

cp rel3_dodroot_1024.pem /etc/ssl/certs/
cp rel3_dodroot_2048.pem /etc/ssl/certs/
cp dodeca.pem /etc/ssl/certs/

Create a Keypair

First we need to create an key for our servers, at this point im not sure what the recommended key size is, but im going with 1024

openssl genrsa -out this_cac_server.pem 1024
cp this_cac_server.pem /usr/share/ca-certificates/

Now we turn this key into a certificate request

openssl req -new -key this_cac_server.pem -out this_cac_server.csr

once we have a CSR we can just cat the file and use this as our certificate request.

Certificate Request

now we need to generate a certificate request so that we can get a valid certificate. we generate this using the key we generated earler.

openssl req -new -key this_cac_server.key -out this_cac_server.csr

now that we have a CSR, you can paste the contents into the form at to obtain a signed certificate.

once you have submitted a request you will have to wait for the certificate to be approved, while you are waiting you can check on the status by visiting

once you recieve an email or notice through the checkRequest page that your certificate is ready open, visit the url provided where you will be given the choice between PEM ("base64 encoded certificate" or pkcs7.

copy all of the text between (and including) the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" you should save this certificate into "this_cac_server.crt" and copy the file into your certificate directory.

cp this_cac_server.crt /usr/share/ca-certificates/

System Authentication

section about using CAC for local user authentication (im... kinda sure i can do this)


Install Apache

before emerging apache be sure that "apache2" and "ssl" are added to your USE flags in /etc/make.conf file:


then emerge:

emerge openssl apache

Configure Apache

to start enabling SSL features be sure the following is added to your httpd.conf file

SSLVerifyClient require
SSLVerifyDepth 1
SSLCertificateFile /usr/share/ca-certificates/this_cac_server.crt
SSLCertificateKeyFile /usr/share/ca-certificates/this_cac_server.pem
SSLCACertificateFile /etc/ssl/certs/rel3_dodroot_1024.pem

if you would like to test the server, without being locked out you can preset SSLVerifyClient to "optional":

SSLVerifyClient optional

if you see a warning about invalid signatures check the following:

  • CAC card is valid
  • Your servers certificate was signed by the proper CA for the certificate your using
  • that you properly installed and configured the SSL key and certificate

    Automatic Redirect

    if your setting one of these machines up you'll probably want to configure a port 80 redirect just to make sure everything is getting off to a good SSL start.

    you can add this to the default vhost file, if your doing wird CAC vhost stuff.. (like a military only webhost or something) your on your own to figure it out.


    <VirtualHost *:80>
            RewriteEngine On
            RewriteCond %{HTTPS} !=on
            RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

    Enabling mod_ssl

    As stated in the Apache2 install guide, to enable mod_ssl on your Apache2 server, simply add the "-D SSL -D SSL_DEFAULT_VHOST" options to the APACHE2_OPTS statement in /etc/conf.d/apache2.

    now restart apache:

    /etc/init.d/apache restart


    install your smart card middleware software (is this internet downloadable?)

    visit web server

    padlock icon should be active, there should be no odd ssl warnings bla bla bla


    Build SSH

    download gentoo ssh... i can probably build an ebuild for this

    x509 then pkcs11 patchs

    Configuring CAC Logins


    Helpful Links

    Last modified: Fri, 05 Sep 2008 22:25:00 +0000 Hits: 5,207