Tuesday, June 2, 2020

Some Notes About Using CACs on a Home PC

Common Access Cards (CACs) are government ID smartcards. Basically they come with a chip on which some PKI certificates are installed (used, in conjunction with a PIN, for network authentication, digital signing and email encryption/decryption); the card is often used as a way to access certain government buildings and certain government websites, and government employees and contractors may also need additional proximity cards and/or smartcards for access to certain restricted buildings or areas at a government site. (This is not privileged information; in fact, you'll find a Wikipedia page on CACs, and an Internet search will reveal a number of websites which discuss practical aspects of using CACs, resolving issues, etc., not requiring access to government networks, including militarycac.com, which I'll briefly describe as a key resource below.)

I've needed CACs for multiple gigs over the past decade. I say plural because I'm not a civilian (federal employee); typically they are tied to contract expirations and also must be surrendered if you quit or otherwise leave your position (need-to-have basis). It can be painful; for example, in a gig I had from 2017 to 2019, contract option years were figured into CAC expiration, and I had to get mine renewed; there were technical issues because the new CAC certificates were incompatible with old secure emails.

The COVID-19 crisis has backlogged local CAC processing, so I had to go to a government facility in downtown Baltimore to get my CAC. I had been issued a government laptop off-site; basically the way the process works, my CAC is used to access the notebook, and it first needs to be authenticated by connecting securely to the government network; the authentication is then cached on the PC, enabling logon (including without network authentication). Long story short, there's a known technical issue with certain newer CAC certificates from one of a couple of certificate authorities, and the network balked at my CAC because of that problem.

The government laptop comes with a card reader, but it's not usable because I can't log on without the cached CAC authentication (you don't get usable feedback; it simply states it's unable to validate my credentials, not that I entered an invalid PIN). I made an appointment with a desktop support group at the local facility, and the local technician identified the CA issue mentioned earlier.

This put me in a bind because I needed to access my government email to respond to related service issues, and also to complete certain required training/certificates to get my own (vs. a visitor) network account; and whereas I didn't have to connect to the government network to access at least some alternatives, the websites typically require CAC authentication. So I had to acquire a USB smartcard reader; you can buy one for about $15 from a variety of vendors at Amazon.com. In addition, in my experience, I also had to buy a licensed copy of ActivClient for about $35 (see militarycac.com for the vendor). (Some sources or experts will tell you that you don't need the software with Windows 10, but in my experience, while Windows 10 could see the smartcard reader, the card looked like an empty/inaccessible disk drive.) I also downloaded and installed/ran two executables from militarycac.com: InstallRoot...msi and HomeUserCertTool..zip.

The device "documentation" sucked. Let me quote:

"Red Light = Functional" (will change to blue when inserting CAC card)

Actually, the device comes with two lights, a power light, which is blue, and a second red light which blinks/doesn't change color with CAC insertion.

It also states "For 3rd party software, certificate, see militarycac.com". Presumably they are referring to ActivClient (see above). Once you have ActivClient installed, you should be able to see/open the CAC and see the certificate.

They also provide a URL to download the device driver. No such driver is available there, but apparently the Microsoft device driver is functional. As I said, the documentation sucks.
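To take the guesswork out of the "is the reader, the middleware, or the root certificates the problem?" question above, here is an added PowerShell diagnostic of my own (not code from the post's sources or from militarycac.com). It assumes Windows 10 with PowerShell 5.1, run as the logged-on user, and that the government CA names contain "DoD" (an assumption; adjust the pattern for your agency).

```powershell
# Added diagnostic, not from the original post or from militarycac.com.
# Assumption: Windows 10 / PowerShell 5.1; CA subject names match 'DoD'.

function Test-CacSetup {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. The Smart Card service (SCardSvr) must be running before any reader can be used.
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $result.SmartCardService = if ($svc) { $svc.Status } else { 'NotInstalled' }

    # 2. Is the USB reader enumerated? A reader with a non-OK status points at the driver,
    #    not at the card or the middleware.
    $readers = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue
    $result.Readers = $readers | Select-Object FriendlyName, Status

    # 3. Ask the card itself for its certificates. certutil -scinfo lists each cert on the
    #    card; -silent suppresses PIN prompts. "No card" or a CSP error here usually means
    #    the middleware (ActivClient) layer, which is what makes the card readable as a card
    #    rather than an empty drive.
    $result.CardInfo = (& certutil.exe -scinfo -silent 2>&1) -join "`n"

    # 4. Were the DoD root/intermediate CAs installed (what InstallRoot does)? Without them
    #    the browser will not trust government sites and refuses to proceed to the URL.
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
             Where-Object { $_.Subject -match 'DoD' }
    $result.DoDRootCount = @($roots).Count

    # 5. Once the card has been read, Windows propagates its certificates (with a private
    #    key handle) into the user's personal store; this is what IE/OWA pick from.
    $personal = Get-ChildItem -Path Cert:\CurrentUser\My |
                Where-Object { $_.HasPrivateKey -and $_.Issuer -match 'DoD' }
    $result.PersonalCardCerts = $personal | Select-Object Subject, NotAfter

    [pscustomobject]$result
}

Test-CacSetup | Format-List
```

Read the output top down: a stopped service or a reader with an error status is a driver/service problem, an empty CardInfo with a healthy reader is a middleware problem, and a zero DoDRootCount with good card output is a missing-InstallRoot problem.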

Finally, many government websites certify on Internet Explorer for support purposes. I found one training website worked well with Chrome. Some browsers, including Chrome, don't like the certificates of some websites and won't let you through to the URL. Ironically, I found webmail seems to work well with a Chrome cousin, Brave. [See addendum below.] Be careful with URLs; for example, one site required 'www.' at the beginning of the domain name, and another seemed to require '/owa' at the end. In Internet Explorer you may need to clear (content) state to reread your CAC and/or clear certificates via another security tab in Internet Options. Sometimes you will get a failed validation, which can be resolved by removing and reinserting your card and trying to log on by CAC again. In a few cases you may need to refresh your browser to see your USG banner warning page.

Your mileage may vary; I don't know or think that all or most readers will have two lights, one blue and one red. (I still can't forget that my Commodore 64 floppy drive documentation back in grad school warned something like "Never insert/remove a floppy with the green light on!" Well, the green light was a power light! It also warned, "Don't power down the drive with a floppy in it!" Okay, how the hell are you supposed to use a program disk? I decided they really meant to say when you were writing to a data disk (say, an amber light blinking), but I really didn't want to lose my $35 program floppy.) Hopefully this guidance helps others; militarycac.com is very good but lacks the context I've provided here.

[Important addendum: 6/2/20.] In using Brave I was referring to regular emails, i.e., not using secured email functionality like signed/encrypted emails. In Windows, this is enabled by S/MIME functionality accessible through and/or installed with 32-bit Internet Explorer (\Program Files (x86)\Internet Explorer\iexplore.exe) in conjunction with ActiveX controls. On my system, S/MIME was not installed by default, but a link to the install was available by drilling through the Options menu in Outlook Web App. Note that I sometimes have to refresh IE after signing into OWA with my CAC ID/PIN to get the USG banner warning, a prerequisite to opening the mail app.