Centrify - Securing the Cross Platform Data Center
Showing results for 
Search instead for 
Do you mean 

[Archive] The Centrify Apple Guys

About Centrify and PIV Certificate Problem

About Centrify and PIV Certificate Problem

By Nao on ‎02-14-2014 06:01 PM - last edited ‎09-10-2014 02:19 PM

Update: Sept 2014


  • The issue below has now been fixed in version 5.2.0 of Centrify Express for Smart Card (Centrify Suite 2014.1).
  • If you are one of the affected users and have been swapping your tokends around like crazy, please update to the latest version today.
  • If you run into any further issues, or just want to praise the talents of our amazing developers, please let us know in the Centrify Express for Smart Card Forums.

  • Note:
    As of version 5.2.0, the last supported version of OS X with Centrify Express is 10.7 Lion. 
    OS X 10.6 is no longer supported, however version 5.1.0 of Centrify Express for Smart Card (which still works with 10.6) will still be made available for download here.






 Happy Valentine's Day!


We received a report about a login problem on a military web site, using a Dual Persona card and Centrify product.  In the interests of simplicity, I’m going to break this blog into several separate sections beginning with the customers’ environment.


The Customer’s Environment


- User has a Dual Persona card (also known as CACNG or Dual-Identity)

- User wants to log in to a web site that is protected by PIV Authorization certificate, e.g., web.mail.mil

- User has installed either Centrify Express for Smart Card, or Centrify for Mac. 


Steps to Reproduce


1. Install Centrify Express for Smart Card or Centrify for Mac. 

2. Install necessary certificate chain, e.g., DOD Root and Corresponding CA certificates.

3. Insert the Dual Persona smart card into the smart card reader. 

4. Go to a military web site that requires PIV certificate, e.g., web.mail.mil


Expected Result


User logs in successfully to web.mail.mil using PIV certificate. 


Actual Result


User is denied login.


The Root Cause


Our Centrify product ships with four tokend (smart card drivers) - CAC, CACNG, PIV, and BELPIC.  When the Dual Persona card is inserted, CACNG tokend is assigned as the card's driver.  The CACNG tokend has a problem using the PIV certificate for digital signature and as such, a web login is impossible.


Proposed Workaround


Luckily for everyone, Centrify ships another tokend with our Mac product, the PIV.tokend. This driver is capable of the digital signature operation with Dual Persona PIV certificate.


To use this workaround, you must force the Mac to choose PIV.tokend.  This is done by removing CACNG tokend from OS X's tokend folder. 


1. Open Terminal

2. cd /System/Library/Security/tokend/

3. sudo mkdir tmp

4. sudo mv CAC* tmp/

5. Remove and insert your card again

6. Open Keychain Access.  Make sure the card appears as "PIV-*" in the top left hand corner of the Keychain Access App

7. Try going to web.mail.mil web site. (If you are using Safari, and you have the credential association to web.mail.mil, you may have to remove it so that you can select the right certificate.)


This workaround may cause a problem if you try to use a different certificate on the Dual Persona card, for a different purpose.  If you observe this problem, you can undo the changes to tokend:


1. cd /System/Library/Security/tokend/

2. sudo mv tmp/CAC* .


Centrify’s Long Term Fix


We have confirmed the problem in Centrify and the tokend driver, and are working on the fix.  Our plan is to have this done in the next release of Centrify for Mac, and Centrify Express for Smart Card.


If you have any questions or concerns, please comment on this blog, or please contact our Support at support@centrify.com.


Thank you very much for using Centrify product!

About the Author