Certificate Login Errors
For sites that support or require PKI authentication, users sometimes encounter errors related to presenting certificates. The DoD Cyber Exchange site is a good resource for getting started with PKI/PKE.
Instructions for configuring your browser to use PKI.
Some Windows users are able to resolve certificate and/or TLS connection issues by adding the site to the Trusted Sites list in their browser.
Make sure your CAC is inserted
It happens to all of us at one time or another. If you are attempting to connect with a CAC, please make sure that it is fully inserted and readable by your operating system.
Bad Password/Locked CAC
If you mistype the PIN or password on a soft certificate, the certificate will not be presented to the site, and you will be unable to log in.
DoD-issued Common Access Cards (CACs) are designed to lock after three incorrect PIN entries. In some operating system/browser combinations, the browser gives no clear indication that the CAC is locked when it is presented. To check whether a CAC is locked, try unlocking it via the local certificate middleware (e.g. ActivClient on Windows or the Keychain on macOS).
- Usually appears as: “No Client Certificate was found in your browser”
If your browser presents you with the above error message, or if the certificate selection prompt does not display the correct certificate, the issue is most likely a misconfiguration of the operating system or browser. Please see the sections below for possible solutions:
- Configuring Browsers
- Supported Certificate
- Locked CAC
- Cross Certificate Issue *Try this one if the browser appears to be configured correctly
If you are experiencing issues with a mismatched certificate when attempting to log into CONS3RT, you may have to empty your browser cache. On macOS, hold down command-shift-r and then restart your browser. If the issue persists, please email the support team at firstname.lastname@example.org.
Only supported certificate issuers are authorized for use in DoD sites. These include DoD CAC, DoD External Certificate Authority (ECA) and DoD Interoperability Providers. In CONS3RT, MITRE credentials are also supported. If the credential is not in the approved list, it will not appear as an option.
Cross Certificate Issue
Occasionally, certificate configurations on Windows systems can become unusable. This issue typically (but not always) arises when a user receives new credentials from a different Certificate Authority (CA). It may look like the browser is presenting a certificate to the website, but in reality, it is not. This issue can be fixed by running the Cross Certificate Removal Tool.
- Download the Cross Certificate Remover Tool
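Before running any removal tool, it can help to see what Windows actually holds for the current user. The PowerShell below is an added diagnostic example, not part of this page's original instructions or of any DoD tool; the function name Get-ClientCertReport is hypothetical. It assumes a Windows system with the built-in Cert: provider and reports, for each certificate in the Personal store, the issuer, expiry, private-key availability, client-authentication usage and the chain Windows builds for it.

```powershell
# Added diagnostic example: read-only inspection of the user's Personal store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication

function Get-ClientCertReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # An absent EKU extension means the certificate is valid for any purpose.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $clientAuth = (-not $eku) -or
            ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

        # Build the chain locally; revocation checks are skipped so this works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        $path  = $chain.ChainElements |
            ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }

        [pscustomobject]@{
            Subject       = $cert.GetNameInfo('SimpleName', $false)
            Issuer        = $cert.GetNameInfo('SimpleName', $true)
            NotAfter      = $cert.NotAfter
            Expired       = (Get-Date) -gt $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey      # False: card or key not available
            ClientAuth    = [bool]$clientAuth
            ChainBuilt    = $built
            ChainPath     = $path -join ' -> '       # leaf first, root last
            ChainErrors   = ($chain.ChainStatus.Status -join ', ')
        }
        $chain.Reset()
    }
}

Get-ClientCertReport | Format-List
```

An empty result, an expired entry, or HasPrivateKey of False points at the card and browser configuration sections; a ChainPath that ends at a root you do not expect, or a non-empty ChainErrors, is worth noting before trying the Cross Certificate Remover Tool.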