CAC Authentication

A common question we receive from users of our readers is “If I have already inserted the 9a certificate, why do I still need to use my reader and CAC?”

The CAC is what actually does the authentication, not the certificate. The certificate helps to identify who is authenticating, but the actual authentication is done on the CAC. The private key on the CAC is required for authentication and cannot be copied from the card.

Example Authentication

To illustrate this process, here is the example of the authentication process when using a common website requiring CAC / Smart Card credentials.

1. First, a certificate in the CAC / Smart Card (such as the 9a cert) is read from Smart Card Utility (SCU) and inserted into iOS. This enables iOS to select the certificate and use the card for authentication for any app or website that requests it.
2. When you navigate in Safari to a website, such as MyPay, the website requests CAC authentication (this is called “mutual TLS”). Safari returns the certificate that was inserted (or prompts the user if there are multiple).
3. Next the website requests safari to send the private key authentication from the CAC.
4. Safari sends the authentication data request to Smart Card Utility.
5. Smart Card Utility uses the certificate to determine what slot to use. If the slot has not been unlocked, the user is then prompted for a PIN and the slot is unlocked.
6. The authentication information is then sent to the card and the card processes the authentication and sends back a response.
7. This response is then sent from Smart Card Utility to Safari.
8. Safari then returns this response to the website, and if correct, the user is authenticated.