Download the 5 files via the links below (you may need to <ctrl> click each link and select Download Linked File As...). Save them to your Downloads folder.
Please note: IF you already have any DoD certificates in Keychain Access, you need to delete them before running the AllCerts.p7b file below.
https://militarycac.com/maccerts/AllCerts.p7b,
https://militarycac.com/maccerts/RootCert2.cer,
https://militarycac.com/maccerts/RootCert3.cer,
https://militarycac.com/maccerts/RootCert4.cer, and
Double click each of the files to install the certificates into the login section of Keychain Access.
Select the Kind column, verify the arrow is pointing up, scroll down to certificate, and look for all of the following certificates:
DOD EMAIL CA-33 through DOD EMAIL CA-34,
DOD EMAIL CA-39 through DOD EMAIL CA-44,
DOD EMAIL CA-49 through DOD EMAIL CA-52,
DOD EMAIL CA-59,
DOD ID CA-33 through DOD ID CA-34,
DOD ID CA-39 through DOD ID CA-44,
DOD ID CA-49 through DOD ID CA-52,
DOD ID CA-59
DOD ID SW CA-35 through DOD ID SW CA-38,
DOD ID SW CA-45 through DOD ID SW CA-48,
DoD Root CA 2 through DoD Root CA 5,
DOD SW CA-53 through DOD SW CA-58, and
DOD SW CA-60 through DOD SW CA-61
NOTE: If you are missing any of the above certificates, you have 2 choices:
1. Delete all of them, and re-run the 5 files above, or
2. Download the allcerts.zip file and install each of the certificates you are missing individually.
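To make the "look for all of the following certificates" step less error-prone, here is an added example (not from MilitaryCAC) that expands the ranges listed above into the full set of expected labels and reports which ones are absent from a `security find-certificate -a` dump. The `"labl"<blob>="..."` line format of that dump is assumed; the sample dump is constructed.

```python
import re
import subprocess

# Expected DoD CA labels, expanded from the ranges listed above.
# Each entry is (prefix, first number, last number); a single cert is (p, n, n).
EXPECTED_RANGES = [
    ("DOD EMAIL CA-", 33, 34), ("DOD EMAIL CA-", 39, 44),
    ("DOD EMAIL CA-", 49, 52), ("DOD EMAIL CA-", 59, 59),
    ("DOD ID CA-", 33, 34), ("DOD ID CA-", 39, 44),
    ("DOD ID CA-", 49, 52), ("DOD ID CA-", 59, 59),
    ("DOD ID SW CA-", 35, 38), ("DOD ID SW CA-", 45, 48),
    ("DoD Root CA ", 2, 5),
    ("DOD SW CA-", 53, 58), ("DOD SW CA-", 60, 61),
]

def expected_labels():
    """Expand the ranges into the full set of certificate labels to look for."""
    return {f"{prefix}{n}" for prefix, lo, hi in EXPECTED_RANGES
            for n in range(lo, hi + 1)}

# `security find-certificate -a` prints one attribute dump per certificate;
# the label line is assumed to look like:  "labl"<blob>="DOD ID CA-33"
LABEL_RE = re.compile(r'"labl"<blob>="([^"]+)"')

def installed_labels(dump):
    """Pull certificate labels out of a `security find-certificate -a` dump."""
    return set(LABEL_RE.findall(dump))

def missing_labels(dump):
    """Expected labels that do not appear in the keychain dump, sorted."""
    return sorted(expected_labels() - installed_labels(dump))

def check_keychain():
    """Run the real query against the default keychain search list (macOS only)."""
    dump = subprocess.run(["security", "find-certificate", "-a"],
                          capture_output=True, text=True, check=True).stdout
    return missing_labels(dump)

# Constructed sample dump with only two certificates present (offline check).
SAMPLE_DUMP = '''keychain: "/Users/me/Library/Keychains/login.keychain-db"
attributes:
    "labl"<blob>="DOD ID CA-33"
    "subj"<blob>=0x3081
attributes:
    "labl"<blob>="DoD Root CA 3"
'''

if __name__ == "__main__":
    for label in missing_labels(SAMPLE_DUMP):
        print("missing:", label)
```

On a Mac, replace `missing_labels(SAMPLE_DUMP)` with `check_keychain()` to test the real keychain; an empty result means every certificate in the list above is present.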
Errors:
Error 100001 Solution
Error 100013 Solution
You may notice some of the certificates will have a red circle with a white X. This means your computer does not trust those certificates.
You need to manually trust the DoD Root CA 2, 3, 4, & 5 certificates
Double click each of the DoD Root CA certificates, select the triangle next to Trust, in the When using this certificate: select Always Trust, repeat until all 4 do not have the red circle with a white X.
You may be prompted to enter your computer password when you close the window.
Once you select Always Trust, your icon will have a light blue circle with a white + on it.
The 'bad certs' that have caused problems for Windows users may show up in the Keychain Access section on some Macs. These need to be deleted / moved to the trash.
The DoD Root CA 2 & 3 you are removing have a light blue frame; leave the yellow frame version. The icons may or may not have a red circle with the white X.
Delete any of the following:
• DoD Interoperability Root CA 1 or CA 2 certificate
• DoD Root CA 2 or 3 (light blue frame ONLY) certificate
• Federal Bridge CA 2016 or 2013 certificate
• Federal Common Policy CA certificate
• SHA-1 Federal Root CA G2 certificate
• US DoD CCEB Interoperability Root CA 1 certificate
If you have tried accessing CAC enabled sites prior to following these instructions, please go through this page before proceeding
Clearing the keychain (opens a new page)
Please come back to this page to continue installation instructions.
Step 5a: DoD certificate installation instructions for Firefox users
NOTE: Firefox will not work on Catalina (10.15.x), or last 4 versions of Mac OS if using the native Apple smartcard ability
Download AllCerts.zip [remember where you save it].
Double click the allcerts.zip file (it'll automatically extract into a new folder).
Option 1 to install the certificates (semi automated):
From inside the AllCerts extracted folder, select all of the certificates
<control> click (or Right click) the selected certificates, select Open With, Other...
In the Enable (selection box), change to All Applications
Select Firefox, then Open
You will see several dozen browser tabs open up; let it open as many as it wants.
You will eventually start seeing one of the 2 messages shown next:
If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'
Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers
or
'Alert This certificate is already installed as a certificate authority.' Click OK
Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it
Option 2 to install the certificates (very tedious manual):
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab on left side of screen)
• Certificates (tab)
• View Certificates (button)
• Authorities (tab)
• Import (button)
Browse to the DoD certificates (AllCerts) extracted folder you downloaded and extracted above.
Note: You have to do this step for every single certificate
Note2: If the certificate is already in Firefox, a window will pop up stating: 'Alert This certificate is already installed as a certificate authority (CA).' Click OK
Note3: If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'
Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers
Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it
Step 6: Decide which CAC enabler you can / want to use
Only for Mac El Capitan (10.11.x or older)
After installing the CAC enabler, restart the computer and go to a CAC enabled website
NOTE: Mac OS Sierra (10.12.x), High Sierra (10.13.x), Mojave (10.14.x) or Catalina (10.15.x) computers no longer need a CAC Enabler.
Try to access the CAC enabled site you need to access now
Mac support provided by: Michael Danberry
This article discusses steps about how to troubleshoot LDAP over SSL (LDAPS) connection problems.
Original product version: Windows Server 2003
Original KB number: 938703

Step 1: Verify the Server Authentication certificate

Make sure that the Server Authentication certificate that you use meets the following requirements:
  • The Active Directory fully qualified domain name of the domain controller appears in one of the following locations:
    • The common name (CN) in the Subject field.
    • The Subject Alternative Name (SAN) extension in the DNS entry.
  • The enhanced key usage extension includes the Server Authentication object identifier (1.3.6.1.5.5.7.3.1).
  • The associated private key is available on the domain controller. To verify that the key is available, use the certutil -verifykeys command.
  • The certificate chain is valid on the client computer. To determine whether the certificate is valid, follow these steps:
    1. On the domain controller, use the Certificates snap-in to export the SSL certificate to a file that is named Serverssl.cer.
    2. Copy the Serverssl.cer file to the client computer.
    3. On the client computer, open a Command Prompt window.
    4. At the command prompt, type the following command to send the command output to a file that is named Output.txt:
      Note: To follow this step, you must have the Certutil command-line tool installed.
    5. Open the Output.txt file, and then search for errors.
Step 2: Verify the Client Authentication certificate

In some cases, LDAPS uses a Client Authentication certificate if it is available on the client computer. If such a certificate is available, make sure that the certificate meets the following requirements:
  • The enhanced key usage extension includes the Client Authentication object identifier (1.3.6.1.5.5.7.3.2).
  • The associated private key is available on the client computer. To verify that the key is available, use the certutil -verifykeys command.
  • The certificate chain is valid on the domain controller. To determine whether the certificate is valid, follow these steps:
    1. On the client computer, use the Certificates snap-in to export the SSL certificate to a file that is named Clientssl.cer.
    2. Copy the Clientssl.cer file to the server.
    3. On the server, open a Command Prompt window.
    4. At the command prompt, type the following command to send the command output to a file that is named Outputclient.txt:
    5. Open the Outputclient.txt file, and then search for errors.

Step 3: Check for multiple SSL certificates

Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate. A conflict with a certification authority (CA) certificate may occur if the CA is installed on a domain controller that you are trying to access through LDAPS.
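As an added example (not part of the Microsoft article), the following Python checks a certificate against the Step 1 and Step 2 requirements and then applies the Step 3 test: if more than one entry in the Local Computer store qualifies for Server Authentication, Schannel's "first valid certificate" pick is ambiguous. The subject/SAN layout follows what `ssl.getpeercert()` returns; the `extendedKeyUsage`, `hasPrivateKey` and `chainValid` keys are assumed to be filled from certutil output, and the store contents are constructed.

```python
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # Step 1 requirement
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # Step 2 requirement

def cert_names(cert):
    """CN values and SAN DNS entries, lower-cased, in ssl.getpeercert() layout."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def cert_problems(cert, eku_oid, fqdn=None):
    """Requirements the certificate fails; an empty list means it qualifies.
    extendedKeyUsage / hasPrivateKey / chainValid are assumed keys, filled from
    certutil output rather than from ssl.getpeercert()."""
    problems = []
    if fqdn and fqdn.lower() not in cert_names(cert):
        problems.append("FQDN not in Subject CN or SAN DNS entry")
    eku = cert.get("extendedKeyUsage")  # absent EKU means any purpose (RFC 5280)
    if eku is not None and eku_oid not in eku:
        problems.append(f"EKU lacks {eku_oid}")
    if not cert.get("hasPrivateKey"):
        problems.append("private key not available (certutil -verifykeys)")
    if not cert.get("chainValid"):
        problems.append("certificate chain does not validate")
    return problems

def schannel_candidates(store, dc_fqdn):
    """Step 3: every store entry Schannel could pick; more than one is a conflict."""
    return [c["label"] for c in store
            if not cert_problems(c, SERVER_AUTH_OID, dc_fqdn)]

# Constructed Local Computer store of a domain controller named dc1.corp.example.
STORE = [
    {"label": "ldaps-2023", "subject": ((("commonName", "dc1.corp.example"),),),
     "subjectAltName": (("DNS", "dc1.corp.example"),),
     "extendedKeyUsage": (SERVER_AUTH_OID,), "hasPrivateKey": True, "chainValid": True},
    {"label": "ldaps-2024", "subject": ((("commonName", "DC1.corp.example"),),),
     "extendedKeyUsage": (SERVER_AUTH_OID, CLIENT_AUTH_OID),
     "hasPrivateKey": True, "chainValid": True},
    {"label": "client-only", "subject": ((("commonName", "dc1.corp.example"),),),
     "extendedKeyUsage": (CLIENT_AUTH_OID,), "hasPrivateKey": True, "chainValid": True},
]

if __name__ == "__main__":
    winners = schannel_candidates(STORE, "dc1.corp.example")
    print("candidates:", winners, "(conflict)" if len(winners) > 1 else "")
```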

Step 4: Verify the LDAPS connection on the server

Use the Ldp.exe tool on the domain controller to try to connect to the server by using port 636. If you cannot connect to the server by using port 636, see the errors that Ldp.exe generates. Also, view the Event Viewer logs to find errors. For more information about how to use Ldp.exe to connect to port 636, see How to enable LDAP over SSL with a third-party certification authority.

Step 5: Enable Schannel logging

Enable Schannel event logging on the server and on the client computer. For more information about how to enable Schannel event logging, see How to enable Schannel event logging in Windows and Windows Server.
Note: If you have to perform SSL debugging on a computer that is running Microsoft Windows NT 4.0, you must use a Schannel.dll file for the installed Windows NT 4.0 service pack and then connect a debugger to the computer. Schannel logging only sends output to a debugger in Windows NT 4.0.