Common Access Card (CAC)
The USU Security Department can assist you in obtaining your CAC.
Non-CAC Users (Personnel who are not eligible to receive a CAC)
Reference JTF-GNO CTO 07-015, Public Key Infrastructure (PKI) Implementation, Phase 2 (U/FOUO) Paragraph 6.C.1.b. Forced CAC logon does not apply to students or unpaid employees (such as interns) who are not eligible to receive or not in receipt (recruits or new hires) of a CAC. Students, unpaid employees, or others will receive a temporary account (username and 15-character password) which will automatically expire no more than 30 calendar days after the expected end-of-course completion date or projected end of unpaid employee status.
For USU, this policy only applies to GEO students (non-military and non-DoD) and temporary employees such as summer hires, volunteers, and guests. This policy does NOT apply to military or DoD employees who are students and are eligible to receive a CAC.
The following shall be employed by all non-privileged users in the absence of the Common Access Card (CAC):
- Each authorized user must have a user-defined password that is set during initial login.
- A UserID and corresponding password are intended to uniquely authenticate a particular user to the IS. Therefore, the UserID and password must be kept confidential; they must be committed to memory, and never written down where they could be discovered.
- Do not use another user's UserID and password, even if they are made known to you.
- Choose a complex, alphanumeric password that is 15 characters in length. Such passwords shall consist of symbols, numbers, and letters with a combination of upper- and lower-case letters.
- Do not use an obvious password. Avoid anything resembling a name, hobbies, address, phone number, Social Security number, or other personal attributes; do not use a readable word.
- Passwords must be used for at least one day, but no longer than 90 days.
- The last 24 passwords are stored in memory and cannot be reused.
In addition to the above password policies for non-privileged users, the following must also be adhered to by privileged users:
- Privileged users with multiple roles will have a separate UserID and password for each role assigned.
- Privileged users will only perform the duties that are assigned under each role and using the appropriate UserID.
- Choose a complex, alphanumeric password that is 15 characters in length. Such passwords shall consist of symbols, numbers, and letters with a combination of upper- and lower-case letters.
Common Access Card (CAC) Tips
- What is the Difference between CAC Login and CAC/PKI
- Where are we with CAC Login?
- CAC Certificate Registration On Your PC
- How to determine if your DoD PKI client certificate (CAC card) is revoked
- Manually Registering Your New DOD CAC
- Clearing Out Old Certificates
- How to Register Your New DOD CAC
- CAC/PKI FAQ
- DoD Public Key Infrastructure And Public Key-Enabling FAQs
- How to Modify Certificate Trusts
- How to Update E-mail address and certificates on CAC
- Password Policy (for personnel who are not eligible to receive a CAC)
- How to Remove Old Certificates and Import New Certificates into Windows
- CAC Registration
What is the Difference between CAC Login and CAC/PKI
Common Access Card login and CAC/PKI work hand in hand. The CAC is the media used to store the PKI certificate and digital signatures. CAC/PKI is used to help ensure that individuals are who they say they are. The CAC/PKI is utilized in place of the user name and password to authenticate users or allow them to log on to workstations/computers on the NIPRNET, digitally sign documents and e-mails, and send and receive encrypted e-mail messages.
Where are we with CAC Login?
Currently, card readers and middleware have been installed on all systems except for systems that are utilized to manage research equipment. In addition, four departments as well as all military personnel systems have been configured for CAC login. Due to technical and manpower issues, the CAC implementation has been delayed. The Helpdesk is working all issues associated with the implementation process and hopes to resume the implementation process soon.
CAC Certificate Registration On Your PC
Many sites that require you to authenticate with them using your CAC will require you to register the certificates on your CAC with your PC. DTS is one of them.
To register the certificates from your CAC to your PC, do the following.
- 1. Insert the CAC into your CAC reader
- 2. Open the Active Card Utilities (either by double clicking the Active Card icon in the tray at the bottom right of your computer screen, or by going to the Start menu>All Programs>Active Card Gold>Active Card Gold Utilities)
- 3. When the Active Card Gold Utilities opens, it may or may not ask for your CAC PIN. Enter the PIN if asked. A folder called "Digital Certificates" should show up briefly containing your certificates.
- 4. After the Digital Certificates folder is displayed, go to the "Tools" menu and select "Register Certificates"
- 5. A message box will appear describing what you are doing. Click OK to all the requests. Your certificates are now registered with your PC. You should only have to do this one time.
How to determine if your DoD PKI client certificate (CAC card) is revoked
- 1. Proceed to this URL: http://ges.dod.mil/registrationhelp.html
- 2. Select Option "b"
- 3. If your certificate is revoked, you must contact WRNMMC (DEERS), PSD Bethesda office (Building 8, 2nd floor) between 0700 and 0800 hours; after 0800 hours you must have an appointment (301-295-0103)
Reminder: If your card is locked, contact USUHS Security or WRNMMC (DEERS), PSD to have your CAC PIN reset and the card unlocked.
Manually Registering Your New DOD CAC
If for some reason the certificates are not in your browser then do the following:
- 1. Place your CAC in the reader
- 2. Double click the Activcard Gold icon at the bottom right of your screen
- 3. Type in your PIN
- 4. Click Tools
- 5. Click Register Certificates
- 6. Click Close
This should put the certificates in your browser.
Clearing Out Old Certificates
If you have certificates with different series numbers and/or more than three (3) certificates, do the following:
- 1. Click or double click Internet Explorer icon on desktop
- 2. Click the Tools icon
- 3. Click Internet Options
- 4. Click the Content tab
- 5. Click the Certificates icon
- 6. Remove the old certificate(s) with the oldest dates by holding down the shift key and clicking on each certificate (You should now only have three (3) certificates remaining)
- 7. Click Remove
- 8. Click Close
- 9. Click OK
- 10. Close browser and then reinsert the CAC
The browser should automatically receive the new certificates from the card.
How to Register Your New DOD CAC
Perform the following to verify that your certificates are valid:
- 1. Logon with your domain User Account
- 2. Click or double click Internet Explorer icon on your desktop
- 3. Click Tools on the menu bar
- 4. Click Internet Options
- 5. Click the Content tab
- 6. Click the Certificates icon
- 7. Under Personal, check the Issued By column. All certificates should have the same series number. For example, DOD CA-11 is one series and DOD CA-15 is another.
a) Correct Certificate -
   DOD CLASS CA-15
   DOD CLASS EMAIL CA-15
   DOD CLASS EMAIL-15
b) Incorrect Certificate -
   DOD CLASS CA-11
   DOD CLASS EMAIL CA-15
   DOD CLASS EMAIL-15
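The series check above, and the cleanup rule in "Clearing Out Old Certificates" (mixed series numbers or more than three certificates), can also be run as a PowerShell script. This is an added example, not part of the original page; the function names, the rule that the series is the number after the last hyphen in the issuer name, the rule that the newest certificate carries the current series, and the sample certificates are assumptions made for illustration.

```powershell
# Added example, not from the original page.
# Assumption: the series is the number after the last hyphen in the issuer CN.
function Get-CaSeries {
    param([Parameter(Mandatory=$true)][string]$Issuer)
    # Accept either a bare name or a full distinguished name.
    $cn = if ($Issuer -match 'CN=([^,]+)') { $Matches[1] } else { $Issuer }
    if ($cn -match '-(\d+)\s*$') { return [int]$Matches[1] }
    return $null   # no series number in this issuer name
}

function Test-CertSeries {
    param([Parameter(Mandatory=$true)][object[]]$Certificates)
    $rows = @(foreach ($c in $Certificates) {
        New-Object PSObject -Property @{
            Series    = Get-CaSeries -Issuer $c.Issuer
            Issuer    = $c.Issuer
            NotBefore = $c.NotBefore
        }
    })
    # Assumption: the most recently issued certificate carries the current series.
    $current = ($rows | Sort-Object NotBefore -Descending | Select-Object -First 1).Series
    New-Object PSObject -Property @{
        Consistent    = (@($rows | Group-Object Series).Count -eq 1)
        MoreThanThree = ($rows.Count -gt 3)
        CurrentSeries = $current
        Stale         = @($rows | Where-Object { $_.Series -ne $current })
    }
}

# Constructed sample mirroring the page's "incorrect" case. On a workstation use:
#   $certs = Get-ChildItem Cert:\CurrentUser\My
$certs = @(
    New-Object PSObject -Property @{ Issuer = 'CN=DOD CLASS CA-11';       NotBefore = [datetime]'2008-03-01' }
    New-Object PSObject -Property @{ Issuer = 'CN=DOD CLASS EMAIL CA-15'; NotBefore = [datetime]'2010-06-01' }
    New-Object PSObject -Property @{ Issuer = 'CN=DOD CLASS EMAIL-15';    NotBefore = [datetime]'2010-06-02' }
)

$report = Test-CertSeries -Certificates $certs
$report | Format-List Consistent, MoreThanThree, CurrentSeries
$report.Stale | Format-Table Series, Issuer, NotBefore -AutoSize
```

The Stale list names the certificates to remove in the "Clearing Out Old Certificates" steps; certificates in the Personal store that were not issued by a DoD CA will also appear there because they carry no matching series number.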
DoD Public Key Infrastructure And Public Key-Enabling FAQs
How to Modify Certificate Trusts
Below are the steps to follow if you received the error message "unable to modify the trust store" after attempting to trust a known user's certificate in Groupwise. All steps are performed using the Groupwise client.
****This applies to Windows XP and Windows Vista workstations only****
- 1. Log into Groupwise; make sure you are at the Mailbox screen
- 2. Click Tools
- 3. Scroll down and select Options
- 4. Double click on Security
- 5. Select Send Options
- 6. Locate the Name box in the Select a security service provider field
- 7. Using the Pull Down, select Microsoft Base Cryptographic Provider v1.0
- 8. Click Ok to go back to the Options box
- 9. Click Close
- 10. Click the e-mail that has the certificate that needs to be trusted
- 11. From the Security Warning screen, click the Signing Certificate tab
- 12. Click the Modify Trust Tab
- 13. Select the I trust this certificate option
- 14. Click Ok
- 15. Click Yes to any message that may appear, then click Ok
- 16. Click Continue
- 17. Click Tools
- 18. Scroll down and select Options
- 19. Double click Security
- 20. Go back to the Name box and, using the pull down, select ActivCard Gold Cryptographic Service Provider
- 21. Click Ok
- 22. Click Close to exit out
Users should be able to trust incoming certificates.
How to Update E-mail address and certificates on CAC
Defense Manpower Data Center's (DMDC) User Maintenance Portal (UMP) is designed to allow users to change/update e-mail addresses and download and install new e-mail signature and encryption certificates onto the CAC from the convenience of their own desktop. This service is accessible both from a .mil connection (within USUHS) and over an Internet connection from home using commercial carriers (e.g., Comcast, Verizon). Users will need either a built-in or USB-connected CAC reader on their computers to access the site at
https://www.dmdc.osd.mil/appj/ump/FaqAction.do
Please note that this site only works for updating the e-mail address and certificates on the CAC. Members with an expiring CAC still need to visit a RAPIDS/DEERS center to obtain a new CAC.
Contact Information
4301 Jones Bridge Road
G074
Bethesda, Maryland 20814
Voice: Comm (301) 295-9800
DSN 295-9800
help@usuhs.mil

