CAC Cert Issues

For ECA certificate issues, please reference the following page: ECA Certs

If you have a CAC and have already gone through the process of submitting your certificate for access to the eMC², you may have run into an issue when you attempt to log into the site: it repeatedly asks for your CAC PIN. This appears to be a common issue with the DOD EMAIL CA-XX certificates. The DOD CA-XX (no EMAIL) certs don't seem to have the issue. If you went to a separate computer, there is a good chance your login would be successful. The steps below may remedy the problem on your computer.

Note: for reference, some of these instructions were gathered from various DoD-related sites, e.g. http://iase.disa.mil/

1. IE Cache clearing.
a. Delete your Internet Explorer browser history. This is done in Tools > Internet Options.

b. Clear SSL state. This is done in Tools > Internet Options > Content tab > Clear SSL state.


After doing that, restart Internet Explorer and try accessing the site again.


2. Republish your certificates. Sometimes removing certs from Internet Explorer and then republishing them alleviates issues.
To remove the certs, open Tools > Internet Options > Content tab, then click the Certificates button. Click on each of the certs labelled with DOD EMAIL CA-XX and DOD CA-XX, and then click the Remove button.


After they are removed, open your ActivClient software. This is usually in
Start > All Programs > ActivIdentity > ActivClient > User Console.
Ensure that your CAC card is inserted and shows up in the ActivCard view panel. Then go to
Tools > Advanced > Make Certificates Available to Windows

After doing that, restart Internet Explorer and try accessing the site again.


3. Run the root cert issue resolver tools provided by the government. Click the "Tools" tab to find them.

CROSSCERT REMOVER
Crosscert Remover fixes an issue with some outdated Root CAs. Download this zip file, extract the file and then run the FBCA_crosscert_remover_v111.exe file.
http://emc2.linquest.com/static/files/FBCA_crosscert_remover_v111.zip

IE will probably prompt you for what to do with the file. Choose "Open" or the equivalent in your browser or version. If that is problematic, download the file to your computer and then open it from there.

Winzip will likely open and show you the file inside. Double click the file to run it.

You may get a prompt verifying if you wish to run the file. If so, click "Yes".


When the program executes, it will spawn a command window and stall awaiting your input. Press the ENTER key to proceed.

The program then cleans up the certs. Once complete, it will ask for your input again. Press ENTER again.


______________________________________________________
INSTALL ROOT
Install Root will place necessary Root CAs onto your computer. Download this zip file and then run the EXE file that it contains.
http://emc2.linquest.com/static/files/InstallRoot_v3.16.1A.zip

IE will probably prompt you for what to do with the file. Choose "Open" or the equivalent in your browser or version. If that is problematic, download the file to your computer and then open it from there.

Winzip will likely open and show you the file inside. Double click the file to run it.

You may get a prompt verifying if you wish to run the file. If so, click "Yes".


When the program executes, it will spawn a command window and you will likely get a prompt referring to installing CAs. Go ahead and choose "Yes".


Then the program will quickly execute and should load quite a few CA files to your system.


At the end, Windows 7 may display a Program Compatibility prompt. Just choose "This program installed correctly".
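
Both tools in step 3 change which root CAs your computer trusts, and both links above are plain HTTP, so it is worth inspecting the extracted EXE before running it. The PowerShell below is an added example, not part of the original instructions or of either tool: it reports the file's SHA-256 hash and Authenticode signature status. The Downloads path is an assumption.

```powershell
# Added example: inspect a downloaded tool before running it.
function Test-ToolSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Resolve to a full path; .NET file APIs ignore PowerShell's current location.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # SHA-256 via .NET so this also runs on the PowerShell 2.0 shipped with Windows 7.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($full)
    try     { $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }

    $sig    = Get-AuthenticodeSignature -FilePath $full
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    New-Object PSObject -Property @{
        File   = $full
        SHA256 = $hash
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer = $signer
    } | Select-Object File, SHA256, Status, Signer
}

# Assumption: the zip was extracted into the Downloads folder; adjust the path.
$result = Test-ToolSignature -Path "$env:USERPROFILE\Downloads\FBCA_crosscert_remover_v111.exe"
$result | Format-List

if ($result.Status -ne 'Valid') {
    Write-Warning 'Signature is missing or invalid; confirm the file with your help desk before running it.'
}
```

A Valid status only means the file has not changed since it was signed; also confirm that Signer names the publisher you expect.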



4. ActivClient Software
It is possible that you are running an outdated version of ActivClient software that is used to access the certs on your CAC card. The following page has details about this.
ActivClient Installation


5. Old/Expired Cert Removal
Certs expire over time and some of these remnants may cause issues. It is best to delete expired certs from your system. But please take note that if you have old email messages that were encrypted using those certs, they will not be accessible after you remove the certs from the system. It is best to (a) go through your encrypted messages and delete ones that are no longer relevant, and (b) decrypt the relevant ones. Click here for decrypt instructions

First, remove certs from Internet Explorer:
1. Open Internet Options > Content tab > Certificates.
2. Remove all certs that have expired.
3. Also select any certs listed with DOD EMAIL CA-XX and DOD CA-XX, and click the Remove button.
4. Reboot.
5. Reload the certs. Windows 7 seems to be able to do this automatically. Otherwise, load the ActivClient software and then go to Tools > Advanced > Make Certificates Available to Windows.

Next, clear your certs in the ActivClient software:
1. Inside ActivClient, click on Tools > Advanced, then select Forget State for all cards.
2. Reboot the system for good measure.
3. After logging in, insert your CAC and then open ActivClient. Then go to Tools > Advanced > Make Certificates Available to Windows.
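
Before removing anything in step 5 (or step 2), it helps to see exactly which certificates qualify. The PowerShell below is an added example, not part of the original instructions: it lists, without changing anything, the certificates that are expired or were issued by a DOD EMAIL CA-XX or DOD CA-XX authority. It assumes that XX is a number and that the certificates sit in the current user's Personal store.

```powershell
# Added example: read-only inventory of removal candidates; nothing is deleted.
function Get-CertRemovalCandidates {
    param([string]$Store = 'Cert:\CurrentUser\My')

    $now = Get-Date
    # Assumption: the "XX" in DOD EMAIL CA-XX / DOD CA-XX is a numeric CA index.
    $dodIssuer   = 'CN=DOD (EMAIL )?CA-\d+'
    $emailIssuer = 'CN=DOD EMAIL CA-\d+'

    Get-ChildItem -Path $Store |
        Where-Object { $_.NotAfter -lt $now -or $_.Issuer -match $dodIssuer } |
        Select-Object `
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } },
            @{ Name = 'EmailCA'; Expression = { $_.Issuer -match $emailIssuer } },
            NotAfter, Subject, Issuer, Thumbprint |
        Sort-Object NotAfter
}

$candidates = @(Get-CertRemovalCandidates)
$candidates | Format-List

# Keep a record of what was present before removal, so you can compare
# thumbprints after the certificates are republished from the CAC.
$candidates | Export-Csv -Path "$env:USERPROFILE\Desktop\cert-candidates.csv" -NoTypeInformation
```

Entries with Expired = True and EmailCA = True are the ones the warning above about old encrypted email applies to, so deal with those messages before removing them.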





