expired PKI certificate on iase.disa.mil

Fen Labalme

Jan 17, 2017, 10:47:49 PM
to Military Open Source Software
I would like to install PKI certificates into my browser so that I can use a CAC to successfully authenticate on my Arch Linux system. This page (https://wiki.archlinux.org/index.php/Common_Access_Card#Import_the_DoD_Certificates) told me where to download the certificates, so from http://iase.disa.mil/pki-pke/Pages/tools.aspx I downloaded:

For DoD PKI Only - Version 5.0 - (ZIP Download) Size: 214 KB
http://iasecontent.disa.mil/pki-pke/Certificates_PKCS7_v5.0u1_DoD.zip

The header for this file states: "Instructions for verifying the integrity of all three files using OpenSSL are included in the README" and step 3 of the README says:

3) Verify the S/MIME signature on Certificates_PKCS7_v5.0u1_DoD.sha256 using the following command:
openssl smime -verify -in Certificates_PKCS7_v5.0u1_DoD.sha256 -inform DER -CAfile DoD_PKE_CA_chain.pem | dos2unix | sha256sum -c

My results are as follows:

» openssl smime -verify -in Certificates_PKCS7_v5.0u1_DoD.sha256 -inform DER -CAfile DoD_PKE_CA_chain.pem | dos2unix | sha256sum -c
Verification failure
140477694002840:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:336:Verify error:certificate has expired
sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

I just sent an email to the DoD PKI Help Desk at disa.tinker.esd.mb...@mail.mil for an updated certificate but I'm wondering if any people here have ideas where else I may ask.

Thanks!
=Fen
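
An added diagnostic example for the "certificate has expired" failure quoted in the post above; it is not part of the original post or of the DoD README. It lists each certificate's notAfter date so the expired one can be identified, both in the signature file and in the CA chain file. The function names are made up for this example; the openssl options used are standard ones.

```shell
#!/bin/sh
# Added example: report which certificates are past their notAfter date.
# Not from the thread or the DoD README; function names are hypothetical.

# Read a PEM bundle on stdin and print one line per certificate:
#   STATUS<TAB>notAfter<TAB>subject
# STATUS is EXPIRED if the certificate is no longer valid $1 seconds from
# now (default 0, meaning right now) or if openssl cannot parse it.
cert_expiry_report() (
    horizon="${1:-0}"
    tmp="$(mktemp -d)" || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # Split the bundle into one file per certificate. Text between
    # certificates (subject=/issuer= lines from -print_certs) is skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || continue
        # -checkend N exits 0 only if the certificate is still valid in N seconds.
        if openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1
        then status=ok
        else status=EXPIRED
        fi
        end="$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2-)"
        subj="$(openssl x509 -in "$pem" -noout -subject 2>/dev/null | sed 's/^subject= *//')"
        printf '%s\t%s\t%s\n' "$status" "$end" "$subj"
    done
)

# Number of EXPIRED certificates in the PEM bundle on stdin.
count_expired() { cert_expiry_report "${1:-0}" | grep -c '^EXPIRED'; }

# Certificates embedded in a DER-encoded PKCS#7 (S/MIME) signature file.
signature_certs() { openssl pkcs7 -inform DER -in "$1" -print_certs; }

# Usage with the file names from the post:
#   signature_certs Certificates_PKCS7_v5.0u1_DoD.sha256 | cert_expiry_report
#   cert_expiry_report < DoD_PKE_CA_chain.pem
```

An EXPIRED line from the first command points at the signer certificate inside the .sha256 file; one from the second points at the CA chain file shipped with the bundle.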
 

Shawn Wells

Jan 17, 2017, 11:11:47 PM
to mil...@googlegroups.com
The IASE Helpdesk might be another venue: disa.meade.re.m...@mail.mil


Fen Labalme

Jan 18, 2017, 12:40:36 AM
to mil...@googlegroups.com
Ya - they bounced my email as I'm not a .mil. I've asked my .mil ISSM to forward the message for me.

Fen Labalme, CISO at CivicActions.com
Security | Quality | DevOps
mobile: 412-996-4113
github/skype/twitter: openprivacy

