A Common Access Card (CAC) is a smartcard containing certificates and private keys used for accessing computers, online systems and networks. CACs are often employed for strong authentication because they combine “something the user owns” with “something they know”.
SL1 supports CAC authentication through a credential source aligned to CAC, created either in its default profile or in an entirely separate CAC profile. For more information, refer to the Certificate Troubleshooting Instructions.
PKI Certificates
CAC certificates are secure identification cards designed to offer two-factor authentication: what you own (the card) and what you know (your PIN). They’re used for many different applications, from online shopping and signing digital contracts, to authentication via hardware card reader, software middleware drivers and keychain technology. CAC cards can help prevent identity fraud, counterfeiting, tampering or exploitation – as well as speed up equipment issuance while improving physical and logical security.
In addition to CAC certificates, this system uses certificates and certificate revocation lists (CRLs) signed by trusted root authorities. Certificates carry expiration dates, and a revocation is issued if one becomes compromised. A CRL plays an integral role in security: it is used to verify whether certificates issued by these trusted root authorities remain valid.
If a data handler plans to initiate or continue cross-border transfers of personal information outside China, the volume of that information must meet certain thresholds stipulated in the Guidelines. For instance, companies planning to move over one million individuals’ information must undergo a CAC security assessment; those moving 10,000 or fewer don’t require one.
The CAC security assessment process includes several steps, including self-evaluation and submission of application materials in the prescribed formats. Business organizations should ensure that all required sections, such as necessity and purpose of transfer, overseas storage, remedy mechanism and liability resolution, are covered appropriately in their applications.
The CAC security assessment process is an integral component of GDPR compliance efforts. It ensures that only trustworthy entities have access to EU citizens’ personal information, while protecting it against unwarranted access, use or deletion. Although complex, CAC security assessments remain essential when moving information across borders.
SAN Field
SSL certificates provide reliable website and server security by encrypting every byte that travels between the two ends, making it nearly impossible for cyber thieves to intercept information in transit. These certificates are also supported by all major browsers, so customers can browse regardless of the platform they use and businesses can reach more potential clients.
Subject Alternative Name Certificates
An SSL certificate’s Subject Alternative Name field, commonly referred to as the SAN field, allows you to secure multiple domains using one certificate. Most CAs allow up to 100 SAN entries in each certificate. To check how many entries one of your certificates has, click the padlock icon and choose “Certificate,” then scroll down until you see “SAN” and note how many entries are listed.
Wildcard certificates allow you to secure any number of subdomains, while SAN certificates allow for multiple domains with just one certificate, but are more costly. They do provide great flexibility as you can add or remove subdomains without needing to reissue an entire certificate at any time.
SAN certificates offer several distinct advantages over traditional certificates, including their versatility: web and mail servers can both use them to protect information. They’re particularly beneficial in multi-platform environments like unified communications (UC) or Microsoft Exchange where one certificate can cover both sites – saving both time and money in the process!
Security experts can quickly access an SSL certificate’s list of Subject Alternative Names by clicking on its padlock icon and selecting “Certificate.” A field called Subject Alternative Name displays this list so they can quickly check that they contain accurate information.
The SAN field is an essential feature that allows Certificate Authorities to offer multi-domain certificates at a reasonable price, while also being used for authenticating clients, thus reducing administrative costs and providing extra security benefits such as protecting against spoofing and phishing attacks.
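The difference between wildcard and multi-domain coverage described in this section, as an added example that is not part of the original page: a hostname matcher over a certificate's SAN dNSName entries, plus an audit of which required hosts a given SAN list actually covers. The SAN lists, host names and function names are constructed for illustration; the matcher treats `*` as exactly one leftmost label and rejects partial wildcards, the strict form of name matching.

```python
# Added example (not from the original page): hostname matching against the
# dNSName entries of a certificate's Subject Alternative Name field.
# The SAN lists below are constructed sample data, not real certificates.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """'*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.example.com' covers neither 'example.com'
    nor 'a.b.example.com'."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h or "*" in hostname:
        return False
    if any("*" in label for label in p[1:]):
        return False                           # wildcard outside leftmost label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # refuse patterns like '*.com'
    if "*" in p[0]:
        return False                           # partial wildcard such as 'w*'
    return p == h

def audit(san_dns_names, required_hosts):
    """Map each required host to the SAN entries that cover it.
    An empty list means a client will reject the certificate for that host."""
    return {host: [p for p in san_dns_names if dns_name_matches(p, host)]
            for host in required_hosts}

WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["example.com", "www.example.com", "mail.example.org"]
HOSTS = ["example.com", "www.example.com", "a.b.example.com", "mail.example.org"]

if __name__ == "__main__":
    for kind, sans in (("wildcard", WILDCARD_CERT), ("multi-domain", SAN_CERT)):
        for host, hits in audit(sans, HOSTS).items():
            status = "covered by " + hits[0] if hits else "NOT covered"
            print(f"{kind:12} {host:20} {status}")
```

Running the audit against the host list a certificate is supposed to serve shows gaps, such as the bare domain under a wildcard-only certificate, before clients hit a name-mismatch error.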
EDIPI Number
The Common Access Card (CAC) is a smart card issued by the United States Department of Defense to provide authentication and network access for military personnel and civilians alike. It is resistant to identity fraud, tampering and counterfeiting, and offers enhanced physical and logical security. A credit-card-sized CAC contains one or more certificates; its use has become standard among active duty and reserve military personnel as well as DoD civilian employees and eligible contractor personnel.
CAC authentication relies on PKI (public key infrastructure), which generates encryption keys for secure communications; these are stored on an integrated circuit chip in each card. Only its owner knows the private key’s location and how to decrypt information stored therein.
Each CAC carries three PKI certificates with different functions. The Personal Identity Verification certificate, or PIV Auth Cert, identifies the individual and contains their EDIPI number. This field uniquely identifies an individual by role; for example, DoD contractors who are also Reserve members have two EDIPI numbers on their certificate.
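One way a relying application can pull the EDIPI out of a client certificate subject and map it to a local account, as an added example that is not SL1 or DoD code. It assumes the TLS layer has already validated the certificate chain and that the EDIPI is the 10-digit final component of the subject CN; `resolve_account`, `ACCOUNTS` and the sample subjects are hypothetical, constructed values.

```python
import re

# Added example (not SL1 or DoD code). Assumption: the EDIPI is the 10-digit
# final component of the subject CN, e.g. "DOE.JOHN.Q.1234567890".
EDIPI_CN = re.compile(r"[A-Za-z' \-]+(?:\.[A-Za-z' \-]*)*\.(\d{10})")

def parse_dn(dn):
    """Split 'CN=...,OU=...' into (ATTR, value) pairs, honouring backslash
    escapes so an escaped comma inside a value cannot start a fake attribute."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def edipi_from_subject(dn):
    """Take the EDIPI only from a single, strictly formatted CN, never from
    a pattern search over the whole subject string."""
    cns = [value for attr, value in parse_dn(dn) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN")
    match = EDIPI_CN.fullmatch(cns[0])
    if not match:
        raise ValueError("CN does not end in a 10-digit EDIPI")
    return match.group(1)

def resolve_account(dn, accounts):
    """Return the local account for a certificate subject, or None (deny)
    when the subject is malformed or the EDIPI is not provisioned."""
    try:
        return accounts.get(edipi_from_subject(dn))
    except ValueError:
        return None

ACCOUNTS = {"1234567890": "jdoe"}  # constructed sample mapping
GOOD = "CN=DOE.JOHN.Q.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US"
DIGITS_IN_OU = "CN=SMITH.JANE.A.12345,OU=1234567890,O=Example,C=US"
```

`DIGITS_IN_OU` is the case a loose "find ten digits anywhere in the subject" match gets wrong: the only 10-digit run sits in an OU, so the strict parser denies it.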
To use a CAC, users must install the appropriate middleware and drivers on their computers. These programs are available free or at a nominal cost, only to authorized users, and must be installed before you can log in to any website with your CAC. ActivClient is one such approved Microsoft Windows middleware, available from DMDC, and should be downloaded before you try to use a CAC.
If you change roles within the Department of Defense (DoD), separate from military service or terminate your contract, your CAC must be returned immediately to prevent unapproved use of its private key. To return it, bring it to an office found through the DMDC-ID Card Office Locator; alternatively, send it by mail to DRDC – DSC ATTN: CAC Returns 2102 E 21st Street N, Wichita KS 67214.
PIN
The Common Access Card (CAC) is the United States Department of Defense’s standard identification credential for employees and eligible third-party personnel who need access to DoD computer systems and facilities. The card contains a Public Key Infrastructure certificate and associated private key that authenticate users accessing DoD networks, as well as a PIN to prevent unauthorized users from gaining access to this information.
A card can be used for visual identification, matching its holder against the person trying to gain entry to a secured facility or system, and as government ID when voting or applying for a driver’s license. It also meets two-factor authentication standards, being both something physical (the card itself) and something you know (a PIN).
CACs can be used to access websites secured with Silo. Once the card is inserted into a reader connected to the computer, users need only enter their PIN to gain entry to their desired websites. Readers may be either built into laptops or separate USB devices.
Before users can use their CAC to log on, they must first configure their Authentication Profile accordingly. To do this, navigate to the Authentication Profiles page (System > Settings > Authentication > Profiles), click on the wrench icon for their default profile, select “Cac Client Certificate Auth”, and click OK.
If a user wishes to log on from a browser not supported by CAC authentication, they can set up an emergency account (“break glass” account) by visiting the Authentication Profiles page and clicking on the wrench icon for their default profile – this will only use their em7admin account as a last resort.
The CAC is a secure smart card that stores its owner’s public certificate and its associated private key to authenticate them to the Service Manager web tier, and use that private key when signing documents.