Begin the client installation by opening the downloaded file from above and selecting Continue > Install. Enter an elevated privilege account username and password (if you don't have one, the IT department will install manually).
Update: You can download Internet Explorer and Windows virtual machines for free that run within Mac OS X. That method works for IE7, IE 8, and IE9, although they run within a VM rather than as an app like the below method.
Downloading Internet Explorer for Mac directly can be done with IE5, but as we mention below Microsoft stopped supporting it officially after this version. Later versions of Internet Explorer can be downloaded and run through the WineBottler app within Mac OS X; the instructions below will walk you through this process with versions 6, 7, and 8.
The certificates are encoded in something called PEM format. You can download an ASD-developed (python 2.7) script cert_read.py [control-click and "Save Link As"] which makes it far easier to understand the output from the above system_profiler command. Download the command and either make it executable (chmod 755 cert_read.py) or run it with /usr/bin/python cert_read.py.
Note: For US Department of Defense users, most websites require users to install several trust roots and intermediaries. These are available as official downloads from IASE Tools > Trust Store > PKI CA Certificate Bundles: PKCS#7 > For DoD PKI Only bundle. Once you download that bundle on ChromeOS, go to the Files app, double click to mount the zip and then drag and drop the contents of the mounted zip into the downloads folder. Then follow the import instructions in Step 3 for the following two files, checking all boxes when configuring trust
Generally, a download manager enables downloading of large files or multiple files in one session. Many web browsers, such as Internet Explorer 9, include a download manager. Stand-alone download managers also are available, including the Microsoft Download Manager.
The Microsoft Download Manager solves these potential problems. It gives you the ability to download multiple files at one time and download large files quickly and reliably. It also allows you to suspend active downloads and resume downloads that have failed.
Click ONCE on that listing (you cannot unlock your CAC card...nor do you need to) - if you can see a bunch of certificates on the right side of the window, some with your name and some without, then you were successful. If not, go back and download a different enabler. Make sure that enabler works with your CAC and macOS version.
Once there, click on the "Select Product..." drop-down and select "CITRIX Workspace App" from the list. On the next page, select "Workspace App for Mac" or "Workspace App for PC" from the list. (One user had to download the Workspace App Universal version on PC)
The most current DoD certificate bundles can be downloaded from the DoD Cyber Exchange website. This zip file contains the DoD PKI CA certificates in PKCS#7 certificate bundles containing either Privacy-Enhanced Mail (PEM)-encoded or Distinguished Encoding Rules (DER)-encoded certificates. Separate PKCS#7 certificate bundles are also included for each root CA, for relying parties who may wish to accept only certificates issued with the key and signature hash combinations (for example, RSA-2048/SHA-256) issued by a given root. Instructions for verifying the integrity of all p7b files using the signed SHA-256 hashes file are included in the README.
4. IMPORTANT: After installing ActivClient, download the hotfix that will update version 220.127.116.11 to the latest version (currently 18.104.22.168). Firefox will not work with ActivClient 22.214.171.124. There is a link to download this hotfix under "step 4" in the CAC Resource Center. It is at the very top of the page.
2017-03-20: Bryan Berns, with help from @jdantzler and @k3it, has updated PuTTY-CAC to sync with the upstream PuTTY 0.68. Since I have been slow in merging the upstream, I recommend that users of PuTTY-CAC pull from his repository: -cac/releases

2015-12-29: PuTTY-CAC has been updated to sync with PuTTY 0.66. The updated version is available at -cac/tree/0.66-sync

2015-09-23: The version Josh published had some bugs that made the CAPI support mostly broken. I believe these are fixed by the 2015-09-23 patchset.

2015-08-14: Josh Dantzler has updated PuTTY-CAC to be synchronized with PuTTY-0.65. [UPDATE: Because these versions had errors that made the CAPI support not work, they were basically useless to an end user and the download links have been removed.]

WARNING: The PKCS11 API originally from PuTTY-SC has been removed from all applications in this PuTTY-CAC Suite due to complications Josh was having with the code. However, CAPI support is still functional. If you need to use PKCS11, then DO NOT DOWNLOAD ANY OF THESE VERSIONS. Instead, download an older release of 0.62 which has support for PKCS11. If you need PKCS11 support, please file an issue at the github repository.

2012-09-18: The source code has been moved to github at -cac. This version is synchronized with PuTTY-0.62, and also includes support for Microsoft's Cryptographic API (CAPI). CAPI support should be easier to configure for most users and also allows use of soft-certs. Use of CAPI instead of PKCS#11 is now recommended.

binaries

My own binaries are now out-of-date. Please use -cac/releases instead.

source

Source is at -cac

notes

PuTTY-CAC is derived from PuTTY and PuTTY SC. (See below for the pedigree.) It should support other smartcards as well, but has not been tested to do so. PuTTY-CAC was developed by Dan Risacher. U.S. Department of Defense users can also obtain this software from _cac. Note that the version on forge.mil is temporarily out-of-date, as of 2015-12-29.
CAPI configuration

PKCS#11 Configuration

Use the "Pkcs11" panel to configure PuTTY SC for smartcard usage. Note: these settings are used by the SSH agent as well.

'Use Windows event log': Writes log messages to the Windows event log too. This might be helpful for debugging.

'Attempt PKCS#11 smartcard auth (SSH-2)': This option is used to enable smartcard authentication in general.

'PKCS#11 library for authentication': Specify the necessary library (.dll) to access your smartcard. See below for some DoD middleware files.

'Token label': Specify the name of your smartcard. It's the same name you usually see when getting prompted to enter the password when accessing the smartcard for cryptographic operations, e.g. when signing email.

'Certificate label': The label given to the certificate corresponding to the private and public key you want to use for authentication.

SSH keystring

You must store your public key in the $HOME/.ssh/authorized_keys file on the server. Unfortunately, some PKCS#11 middleware does not work well with this dialog, and the configuration dialog does not work properly. In addition to the "SSH Keystring" box in the user interface, the public key can be exported via the event log of PuTTY (it's written as a base64 encoded string to the event log when connecting to the server). Just copy/paste this string. It should look like 'ssh-rsa AAAAB3NzaC1yc2EAAAA.....ZHkknlDE7jhQ== token-key'.

PKCS#11 Middleware

In my testing, the PKCS#11 library files, Token labels, and Certificate labels corresponding to the PKCS#11 middlewares were:

| Middleware | Path | Token Label | Certificate Label | Comment |
|---|---|---|---|---|
| Litronics NetSign | C:\WINNT\system32\core32.dll | Common Access Card V2 | "CAC-IDEN" | NetSign seems to do a good job finding the Token label and Certificate label, once you've set the PKCS#11 library. |
| ActivClient CAC | C:\WINDOWS\system32\acpkcs211.dll | ActivIdentity ActivClient 0 | ID Certificate | ActivClient generates Token labels on-the-fly. I put a workaround in the experimental version to fix this, but it doesn't work if there are multiple card readers. |
| Aladdin eToken Pro | eTPKCS11.dll | Depends | Depends | Thanks to Jernej Simoncic |
| SafeSign | C:\windows\system32\aetpkss1.dll | crescendo C700 | Depends | Thanks to Eric Johnson at Imperial College |
| Coolkey | C:\windows\system32\libcoolkeypk11.dll | Depends | Broken | Coolkey build from Nabber.org will work, but the dialog box makes it look like it doesn't (As of 2012-03-20.) |

Please email me with others if you learn them.

Pedigree

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham. PuTTY is great, but I thought it would be cooler if it could use PKI tokens for authentication.

PuTTY SC is a free implementation of SSH for Win32 platform. It was developed by Pascal Buchbinder. This modified version of PuTTY supports RSA keys held on a smartcard or usb token for authentication. The interface is based on PKCS #11 and you need the appropriate library (.dll) of the manufacturer of your smartcard in order to use PuTTY SC. PuTTY SC is pretty cool too, but the implementation makes a critical assumption about the smartcard that isn't always true: namely, that the smartcard contains the public key as an independent object.

The DoD CAC program issues tokens that include private keys and public certificates, but does not include public keys as distinct objects. Public certificates include public keys, but the implementation in PuTTY SC will not extract those public keys from the certificates. PuTTY-CAC fixes this. PuTTY-CAC is based on PuTTY SC, but adds the capability to extract public keys from certificates on the card if the public key is not available as a distinct object.
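The extraction step described above, as an added example (not PuTTY-CAC's own code): a minimal DER walk that pulls the RSA public key out of a certificate's subjectPublicKeyInfo and formats it as the 'ssh-rsa ... token-key' line for authorized_keys. All function names are hypothetical, the sample certificate is a constructed unsigned skeleton, and the code assumes an RSA key in the standard tbsCertificate field order, rejecting anything else.

```python
import base64, struct

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits count the length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_from_cert(der):
    """Return (n, e) from the certificate's subjectPublicKeyInfo; RSA only."""
    tbs = children(children(read_tlv(der)[1])[0][1])
    if tbs[0][0] == 0xA0:                        # skip the optional [0] version field
        tbs = tbs[1:]
    alg, (tag, bits) = children(tbs[5][1])[:2]   # after serial, sigAlg, issuer, validity, subject
    if children(alg[1])[0][1] != RSA_OID or tag != 0x03 or bits[0] != 0:
        raise ValueError("not an RSA subjectPublicKeyInfo")
    (_, n), (_, e) = children(read_tlv(bits[1:])[1])[:2]
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def int_bytes(i):
    return i.to_bytes(i.bit_length() // 8 + 1, "big")   # leading 0x00 keeps it positive

def ssh_rsa_line(n, e, comment="token-key"):
    """Format (n, e) as an authorized_keys line: string "ssh-rsa", mpint e, mpint n."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", int_bytes(e), int_bytes(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def tlv(tag, *parts):
    """DER-encode one element (used only to build the constructed sample below)."""
    body = b"".join(parts)
    k = (len(body).bit_length() + 7) // 8
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample_cert(n, e, oid=RSA_OID):
    """Constructed, unsigned certificate skeleton with empty names; not a real CAC certificate."""
    alg = tlv(0x30, tlv(0x06, oid), tlv(0x05))
    spki = tlv(0x30, alg, tlv(0x03, b"\x00", tlv(0x30, tlv(0x02, int_bytes(n)), tlv(0x02, int_bytes(e)))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, tlv(0x30), tlv(0x30), tlv(0x30), spki)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00"))
```

A certificate carrying a non-RSA key (for example an EC key) fails the OID check and raises ValueError instead of yielding a malformed key line.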
Other implementation notes:

PuTTY SC, upon which PuTTY-CAC is based, includes some windows-specific code (for loading the PKCS#11 library) which causes it to lose the cross-platform nature of the original PuTTY. As a Mac and Linux user, I'd love to fix this, but I haven't done so.

X.509, the ITU-T standard for public key certificates, leaves a disturbing amount of flexibility. It's not clear that the assumptions that I made in extracting public keys from certificates will always hold. I tested with several DoD CAC cards, but nothing else. I'd like to get feedback on whether PuTTY CAC works with other PKI implementations.

PKCS#11 Libraries: PuTTY CAC was tested with the Litronics NetSign CAC middleware, and with the ActivIdentity ActivClient CAC middleware. Feedback is requested by the author on whether it works or not with other middleware.

Licensing: The basic PuTTY source code is licensed under the MIT license. PuTTY SC is licensed under the GNU General Public License (GPL). The PuTTY-CAC enhancements were written by a direct employee of the United States Federal Government, and as such, those enhancements are a declared work of the United States Government and are not subject to copyright protection. A binary, compiled version is a derivative work of all three sources, and should be considered GPL licensed.

Projects page, Dan Risacher