6.3 Common Access Card Support

PIEE Supported Digital Certificate Types

The table below lists the certificate types found on a CAC against the PIEE two-factor login and digital signature requirements. DoD users must use the Identity Certificate and not any of the three remaining certificates on the CAC.

Certificate Type: DoD PKI Identity Key
  Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  PIEE Support:
    • Logon
    • XML Digital Signatures
    • Screened to preclude certificates not asserting hardware policy [2]

Certificate Type: DoD PKI Signature Key
  Intended Purpose:
    • Logical Access (Smartcard Login) to local networks
    • Email Distribution Signature with Non-repudiation (Outlook requires special extension)
  PIEE Support:
    • Not Supported
    • Screened to preclude use of certificates issued by eMail CAs

Certificate Type: DoD PKI Encryption Key
  Intended Purpose:
    • Key Encipherment (Email encryption)
  PIEE Support:
    • Not Supported
    • Screened to preclude use of certificates issued by eMail CAs

Certificate Type: DoD PKI PIV Authentication Certificate
  Intended Purpose:
    • Logical access (Smartcard Login) to non-DoD Federal Systems
  PIEE Support:
    • Not Supported
    • Screened to preclude use of certificates not intended for non-repudiation purposes
    • User must use the CAC issued for the PIEE authorized role and organization affiliation [1]

Certificate Type: DoD PKI ECA Identity Certificate
  Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  PIEE Support:
    • Limited to DoD-managed ECA PKIs
    • Screened to preclude certificates not asserting hardware policy [2]

Certificate Type: Category I: U.S. Federal Agency PKI PIV
  Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  PIEE Support:
    • Limited to DoD approved external PKIs
    • Screened to preclude certificates not asserting hardware policy [2]

Certificate Type: Category II: U.S. Federal Agency PKI PIV
  Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  PIEE Support:
    • Limited to DoD approved external PKIs
    • Screened to preclude certificates not asserting hardware policy [2]

[1] An example of a dual-persona person is one who has a CAC issued as a contractor and a CAC issued as a member of the Army Reserves. This individual has two CACs, but until the PIV Auth Cert is activated on their CAC cards, they have only one digital identity. The PIV Auth Cert has a field that is unique for each persona: a 16-digit numeric field that starts with the 10-digit Electronic Data Interchange Person Identifier (EDIPI) and appends a 6-digit, role-specific Federal Agency Smart Credential Number attribute.

[2] Given the sensitivity of information processed by PIEE, the Credential Strength required by DoD Instruction 8520.03 is “D”. This Credential Strength is equivalent to the OMB/NIST-defined Identity Assurance Level 4.
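As an added example (not part of the PIEE documentation), the following Python decodes a certificate's Key Usage extension and applies the screening rules from the table above, with the Digital-Signature-only branch following section 1.11. The DER values, issuer names and the hardware_policy flag are constructed inputs, and the issuer check assumes an eMail CA can be recognized by "EMAIL" in its name.

```python
# Added example, not PIEE's own code: decode an X.509 Key Usage extension and
# apply the screening rules the certificate table above describes.

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of the
# first content byte of the BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def decode_key_usage(der: bytes) -> set:
    """Return the set of usage names asserted by a DER KeyUsage BIT STRING
    (tag 0x03, short-form length, one unused-bits byte, content bytes)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    return {
        name for name, bit in KEY_USAGE_BITS.items()
        if bit < total_bits and body[bit // 8] & (0x80 >> (bit % 8))
    }


def pieee_support(der: bytes, issuer_cn: str, hardware_policy: bool) -> str:
    """Classify a CAC certificate as the table above does. issuer_cn is the
    issuing CA's common name; hardware_policy says whether the certificate
    asserts a hardware-token policy (assumed to be checked by the caller).
    An eMail CA is assumed to be recognizable by 'EMAIL' in its name."""
    usages = decode_key_usage(der)
    if "keyEncipherment" in usages and "digitalSignature" not in usages:
        return "Not Supported (Encryption Key)"
    if "EMAIL" in issuer_cn.upper():
        return "Not Supported (issued by an eMail CA)"
    if not hardware_policy:
        return "Not Supported (no hardware policy asserted)"
    if {"digitalSignature", "nonRepudiation"} <= usages:
        return "Logon and XML Digital Signatures"
    if "digitalSignature" in usages:
        # Section 1.11: login works, but signing documents needs Non-Repudiation.
        return "Logon only (no Non-Repudiation, cannot sign documents)"
    return "Not Supported"


# Constructed sample extension values (hex of the DER BIT STRING).
IDENTITY_KU = bytes.fromhex("030206c0")    # digitalSignature + nonRepudiation
ENCRYPTION_KU = bytes.fromhex("03020520")  # keyEncipherment only
DS_ONLY_KU = bytes.fromhex("03020780")     # digitalSignature only

if __name__ == "__main__":
    # Constructed issuer names; "DOD CA-XX" is a placeholder as on this page.
    print(pieee_support(IDENTITY_KU, "DOD CA-XX", True))
    print(pieee_support(IDENTITY_KU, "DOD EMAIL CA-XX", True))
    print(pieee_support(ENCRYPTION_KU, "DOD EMAIL CA-XX", True))
    print(pieee_support(DS_ONLY_KU, "DOD CA-XX", True))
    print(pieee_support(IDENTITY_KU, "DOD CA-XX", False))
```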


Certificate Troubleshooting

  • Certificate Issues
  • Fixes / Possible Solutions

1 Certificate Issues

1.1 No Certificates Found

When attempting to log in or register with a CAC users may receive the following error:

  • No Certificates Found

  • Note: Only X509 Certificates from your Personal Certificate Store that are used for Digital Signing and Non-Repudiation will be displayed.

Possible Causes:

  • Improperly configured Java settings
  • Inoperable ActivClient
  • Wrong ActivClient version
  • User has no X509 certificates [Missing Digital Signature from Key Usage]
  • User Certificates are not available to Windows through Active Client
  • User is Dual Persona or Foreign National

Possible Solutions:


If the certificate selection window is entirely blank, e.g. there are no error messages present: Clear Browser Cache

Return to the TOP of Certificate Troubleshooting


1.2 JRE 32/64 bit is required

When attempting to log in or register with a CAC users may receive the following error:

  • The JRE (Java Runtime Environment) is not installed or the Java Plug-in is disabled.

  • Get the latest JRE (which includes the Java Plug-in) here if the JRE is not already installed.

  • If the JRE is already installed, then follow these steps to enable the Java Plug-in:

  • 1. Go to Start > Control Panel > Java Control Panel > Advanced tab > Java Plug-in
  • 2. Select the check box for Enable next-generation Java Plug-in.
  • 3. Click OK and restart your browser.

  • OR

  • Procurement Integrated Enterprise Environment requires 32-bit JRE (Java Runtime Environment) version 1.7.0_01 or above for 32-bit browsers.

Possible Causes:

  • The Java Plugin is disabled, or is not functioning correctly
  • The Java Plugin is being actively blocked by anti-virus software or security settings
  • The Java Plugin was recently updated without older version(s) being removed/uninstalled.
  • An incompatible browser version is being used - such as 64-bit vs 32-bit or the browser compatibility settings are invalid

Possible Solutions:



1.3 Java Error

When attempting to log in or register with a CAC users may receive the following error:

  • Error. Click for details
  • [Upon Clicking]
  • ClassNotFoundException
    • Com.wawf.web.applet.XmlSignatureApplet

    • [Details] [Ignore] [Reload]

Possible Causes:

  • Clicking "Cancel" or closing a security prompt from Java requesting permissions to run.
  • Current Java security settings are preventing self-signed applets from running

Possible Solutions:



1.4 A problem with this site caused IE to close

When attempting to log in or register with a CAC users may receive the following error:

  • A problem with this website caused your browser to unexpectedly close, the following tabs have been recovered.

  • This issue can also be presented as receiving "Session ID Assigned Twice" immediately after attempting to log in with a certificate.

Possible Causes:

  • An error within the Java Plugin causes the browser to unexpectedly crash

Possible Solutions:



1.5 Signature on Random Number Challenge invalid

When attempting to log in or register with a CAC users may receive the following error:

  • Error Signature on Random Number Challenge invalid.

Possible Causes:

  • This is an issue with the way the user's browser is accessing the CAC

  • Call gscBsiGetChallenge() to retrieve a random challenge from the smart card. The random challenge is retained by the smart card for use in the subsequent verification step of the External Authentication protocol. The client application calculates a cryptogram by encrypting the random challenge using a symmetric External Authentication key. The client application may need to examine the keyIDOrReference member of the appropriate ACR returned in GCacr or CRYPTOacr to determine which External Authentication key it should use to encrypt the random challenge.

Possible Solutions:



1.6 Site security certificate error

When a user accesses https://wawf.eb.mil they may receive a prompt that the security certificate presented is invalid, untrusted, not yet valid, or expired.

The exact message will depend on the browser used.


Possible Causes:

  • The DoD certificate authorities have not been installed
  • The PC date and time is incorrect

Possible Solutions:

  • Complete the Machine Setup under New User
  • Correct the system date and time

If the option to continue to the site is not available:

  • No option to continue to site in IE


1.7 Certificate trust validation failed

When attempting to log in or register with a CAC users may receive the following error:

  • Error: The certificate validation trust failed ...

Possible Causes:

  • The certificate is unreadable or ValiCert is unavailable
  • The certificate used is invalid
  • The certification path on the certificate contains invalid entries
  • The certificate used is not on the trusted issuer list

Possible Solutions:



1.8 Session ID Assigned Twice

When attempting to log in or register with a CAC users may receive the following error:

  • Error: A situation has occurred where your 'Session ID' has been assigned twice. In order to continue to use the application it is required for you to CLOSE YOUR BROWSER. Once you have closed and reopened your browser, you will be able to continue with the Procurement Integrated Enterprise Environment. If you are using the IE 7 browser or a greater version of IE browser then close the whole browser, do not attempt to login on multiple tabs.

Possible Causes:

  • Closing your browser window without logging out of PIEE
  • PIEE open on another tab.
  • Browser unexpectedly crashed and auto-recovered.

Possible Solutions:



1.9 Online Certificate Status Protocol (OCSP) Errors

When attempting to log in or register with a CAC users may receive errors related to OCSP.

Most OCSP errors during CAC login are caused by network outages, OCSP server misconfiguration or downtime, or Certificate Revocation Lists that have not been updated.

The Certificate Revocation Lists (CRL) are cached for the PIEE server certificate and applet code signing certificate as this is handled on the Operating System / Browser level.

Verification

  • Has the certificate login ever worked with this certificate?
  • Are other users receiving the same error?
  • Is OCSP available?

Possible Solutions:

If CAC login has worked in the past and there are no known or reported issues connecting to the OCSP

  • Clear Browser Cache
  • Clear Java Cache
  • To delete OCSP and/or CRL cache from your Windows system:
    • Go to Start Menu > Run
    • Type cmd and press Enter
    • In the command prompt, type the following command and press Enter to execute:
    • certutil -urlcache * delete
    • Reboot your computer
  • Obtain a copy of the certificate and contact the service desk

If CAC login has NEVER worked

  • Obtain a copy of the certificate and contact the service desk


1.10 Next update value not found in the CRL list

When attempting to log in or register with a CAC users may receive the following error:

  • Error: Next update value not found in the CRL list

Possible Solutions:



1.11 The Login Certificate does not contain the Non-Repudiation

When attempting to sign a document with a CAC users may receive the following error:

  • The Login Certificate does not contain the Non-Repudiation.

Not all roles in the Procurement Integrated Enterprise Environment (PIEE) require Non-Repudiation, because some roles are not required to sign documents as part of their job duties. For this reason, Non-Repudiation is not required during registration and login. However, if you registered for a role in the PIEE that requires you to sign documents with a CAC, then you must choose a certificate that has both Digital Signature and Non-Repudiation for Key Usage.

If you are receiving the error above, then you have registered with a certificate that only has Digital Signature for Key Usage. To correct this, you do not need to re-register; you simply need to change your existing certificate to one that has both Digital Signature and Non-Repudiation for Key Usage.

Note: If you can log in to the PIEE with a CAC, then your ActivClient must be working, as login needs to read certificate data from your CAC.

Solution:

Prior to changing the certificate associated with your account, you must ensure that you have a certificate that has both Digital Signature and Non-Repudiation for Key Usage.

  • Login to the PIEE with your CAC.
  • My Account > Change Authentication Type
  • Select your access type and click Certificate Login
  • Select a certificate that has both Digital Signature and Non-Repudiation for Key Usage and click OK.
  • On the summary page, click Submit
  • Logout and log back in with your new certificate.
  • Verify that your certificate is displayed when you attempt to sign a document.


1.12 The Login Certificate is not displayed when signing a document

When viewing the certificate via ActivClient, the Key Usage should display Non-Repudiation. If the certificate does not show Non-Repudiation for the Key Usage, then either it does not have Non-Repudiation or the DoD component of ActivClient was not installed.

Solution:

Reinstall or modify the current installation of ActivClient and, on the Custom Setup portion of the InstallShield Wizard, scroll down and select US Department of Defense configuration.

Active Client Setup


Click Next and complete the rest of the reinstallation or modification.

View your certificate via ActivClient and click on the Details tab.

Verify that the Key Usage now contains Non-Repudiation.

Active Client Key Usage



1.13 Your security settings have blocked a self-signed application from running

When attempting to log in with a CAC, users may receive the following error:

Active Client Key Usage


Verification:

  • Has the certificate login ever worked with this certificate?
  • Are other users receiving the same error?
  • Has InstallRoot been installed and run?

Possible Solutions:




2 Fixes / Possible Solutions

2.1 Republish Certificate(s)

Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

Before proceeding, notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available, do not proceed.

  • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
  • Click the Content Tab
    • Under Certificates
      • Click Clear SSL State
      • Click OK on the confirmation that the cache was cleared
    • Click Certificates
    • Under the Personal Tab
    • Remove all listed certificates [NOTE: Email certificates can be left]
    • Once all certificates are removed, click Close and then OK on Internet Options
  • Open ActivClient User Console
    • Start > All Programs > ActivIdentity > ActivClient
      • Select User Console
      • Click Tools
      • Select Advanced
        • Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
          • After confirmation, return to the Tools > Advanced menu
        • Click "Make Certificates Available to Windows"
      • The CAC certificates should now be republished and available to use.

NOTE: The options to forget state and make certificates available are not present in ActivClient version 8; use Reset Optimization Cache instead (this removes and republishes in one step).



2.2 Adjust/Correct Java Settings

  • From your control panel open Java.
  • From the Java control panel click onto the Security tab.
  • Lower the security settings to Medium
  • Click Edit Site List
  • Click Add and enter https://wawf.eb.mil
  • Go to the Advanced Tab
    • Scroll to Mixed code (sandboxed vs. trusted) security verification
      • Select Disable Verification
    • Perform signed code certificate revocation checks on
      • Select Do Not Check
  • Clear Java Cache


2.3 Adjust IE Settings

Adjusting the Internet Explorer Browser settings can solve many common problems. Not all of the following settings will be available to all users depending on local security policy.

  • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
  • On the General Tab
    • Clear the Browser Cache
      • Under Browsing History click Delete
      • Uncheck "Preserve Favorites Website Data" [if available]
      • Check "Temporary Internet Files" [if unchecked]
      • Check "Cookies" [if unchecked]
      • Click Delete
    • Click Settings under Browsing History
      • Under Check for newer versions of stored pages
      • Select "Every time I visit the webpage"
      • Click OK
    • Click Settings under Tabs
      • Under When a Pop-up is encountered
      • Select "Let Internet Explorer decide …"
      • Click OK
  • Click Security Tab
  • Click Privacy Tab
  • Click the Content Tab
    • Under Certificates
      • Click Clear SSL State
      • Click OK on the confirmation that the cache was cleared
  • Click on the Advanced Tab
    • Under Browsing
      • Check [if unchecked] "Show Friendly HTTP error messages"
    • Under Security
      • Uncheck "Use SSL2.0"
      • Check "Use SSL 3.0"
      • Check "Use TLS 1.0"
      • Uncheck "Use TLS 1.1"
      • Uncheck "Use TLS 1.2"
  • Additional Steps:
  • If problems persist
    • From the Advanced tab under Reset Internet Explorer settings
      • Click Reset
      • NOTE: This will reset any custom settings the user may require. This should only be done if the end user understands this and the browser is otherwise unusable.


2.4 Toggle Java Plugin

Changes to Java plugin settings only take effect when the browser is restarted. All browser windows and any running applications should be closed before proceeding. These changes may require administrative access.

JRE 7 and higher

  • From your control panel, open Java.
  • From the Java control panel click onto the Security tab.
  • Select the check box for "Enable Java content in the browser" if it is not checked. Uncheck if it is checked.
  • At this point it is recommended to Clear Java Cache
  • Click OK [do not click apply]
  • Re-launch the browser and attempt to access PIEE. If the plugin was disabled [unchecked], you should expect to see an error stating the Java plugin is disabled or not installed. If the plugin was enabled [checked], the applet should run normally.
  • If the plugin was disabled during the previous steps, repeat the process to enable the Java plugin.
  • If at any point in this process the user is prompted for an administrative password they do not have permissions to make these changes and should seek a system administrator immediately.


2.5 Enable Java Via Internet Options

Changes to browser security settings usually require local administrative permissions. To adjust browser security settings to a custom level to enable or allow Java the administrator will do the following:

  • From an Internet Explorer window click Tools and then Internet Options or from the Control Panel select Internet Options
  • Select the Security tab, and select Trusted Sites
  • Click Sites and ensure https://wawf.eb.mil or https://*.eb.mil is in the trusted site list
    • Note - if the list is unavailable, or the user can't view the list they may not have admin rights
  • Click the Custom Level button
  • Scroll down to Scripting of Java applets
  • Make sure the Enable radio button is checked
  • Click OK to save your preference
  • Close your browser and re-launch to try accessing again.


2.6 Clear Browser Cache

Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues. Some users may not have access to delete their own temporary internet files; in that case refer the user to a system admin.

See also Adjust IE Settings

  • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
  • On the General Tab
    • Under Browsing History click Delete
    • Uncheck "Preserve Favorites Website Data" [if available]
    • Check "Temporary Internet Files" [if unchecked]
    • Check "Cookies" [if unchecked]
    • Click Delete


2.7 Clear Java Cache

To clear your Java cache in Windows:

  • Click Start > Control Panel.
  • Locate and double click the Java icon in the Control Panel.
  • Click Settings under Temporary Internet Files.
  • Click Delete Files.
  • Select all boxes and click OK on Delete Temporary Files window.
  • Click OK on Temporary Files Settings window.


2.8 IE Compatibility View

Compatibility view can cause the PIEE website to function incorrectly when used with Internet Explorer. These settings may be restricted by local security policy and may require a local system administrator.

http://windows.microsoft.com/en-us/internet-explorer/use-compatibility-view#ie=ie-9 (External Link)

To turn Compatibility view Off (IE 9/10/11)

  • Click the "Tools" menu option at the top of the browser
  • Click the "Compatibility View Settings" menu option on the tools menu.
  • Remove any websites added to the Compatibility View.
  • Uncheck the "Display intranet sites in Compatibility View" checkbox.
  • Uncheck "Display all websites in Compatibility View"
  • Uncheck the "Use Microsoft compatibility lists" checkbox. [if available]
  • Close the "Compatibility View Settings" dialog.

For Internet Explorer 11 - to enable / disable emulation

  • Open Internet Explorer 11
  • Press F12 on the keyboard
  • Click Emulation button or press Ctrl + 8.
  • Under Mode, change Document mode to 11
  • Press F12 again to close the options
  • You can use IE11 as IE10/9.


2.9 Add Security Exemption to Java

Java update 7.51 initiated a security update that blocks self-signed applets.
The PIEE Java applet is a self-signed applet.
To counter this restriction an Exception must be added to the Java security settings.



2.10 Check Certificates in Internet Options

  • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
  • Click the Content Tab
    • Under Certificates
      • Click Clear SSL State
      • Click OK on the confirmation that the cache was cleared
    • Click Certificates
    • Under the Personal Tab
      • Identify the listed certificates
        • Typical CAC users will have three listed certificates
        • Under Issued To should be the user's name followed by the DoD ID number
        • Under Issued by you should typically see one or two Email certificates, and one NON-Email certificate.
        • The NON-Email [ALL] Certificate is the one used by PIEE
        • If Invalid certificates are listed:
        • Select the NON-Email Certificate
        • Click View
          • Under the General Tab
            • Check the Valid from dates to ensure the certificate is not expired
          • Under the Certification Path
            • Check the certification path is valid
              • The Certification Path is typically three levels deep
              • The path should look like this:
                • DoD Root CA 3
                • DOD CA -XX [where XX = the CA issuing number]
                • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
          • If the Certification Path is invalid:
          • If the certification path is correct
          • Verify the certificate is valid X509 Certificate for Digital Signing and Non-Repudiation. Non-repudiation is only required for signing documents in the PIEE.
            • Click the Details tab and scroll to Key Usage
              • Verify that both Digital Signature and Non-Repudiation are displayed
              • If the certificate is missing Non-Repudiation the certificate will need to be re-issued.
          • Click OK on the Certificate dialog.
    • Click Close on the Certificates dialog
  • Click OK on the Internet Options dialog


2.11 Correct Certification Path

Correcting the certification path can resolve errors with certificates not being found, readable, or verifiable.

This may require local administrative rights

  • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
  • Click the Content Tab
    • Click Certificates
    • Under the Personal Tab
    • Select the NON-Email Certificate
    • Click View
      • Under the Certification Path
        • Check the certification path is valid
          • The Certification Path is typically three levels deep
          • The path should look like this:
            • DoD Root CA 3
              • DOD CA -XX [where XX = the CA issuing number]
                • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
        • If the Certification Path is invalid:
          • Make note of each certificate listed above DoD Root CA 3
            • E.G. DoD Interoperability
          • Click OK on the Certificate window
      • On the Certificates window
        • Click on the Intermediate Certification Authorities Tab
          • Remove all the certificates that were listed above DoD Root CA 3
            • E.G. DoD Interoperability
        • Click on the Trusted Root Certification Authorities Tab
          • Remove all the certificates that were listed above DoD Root CA 3
            • E.G. DoD Interoperability
        • Click Close on the Certificates dialog
        • Click OK on Internet Options
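As an added example (not PIEE's own code), the Python below orders a certification path as read from the Certification Path tab and reports the certificates listed above DoD Root CA 3 that the steps above remove; it covers the checks in both 2.10 and 2.11. The subject names, the placeholder EDIPI and the CA number are constructed.

```python
# Added example, not PIEE's own code: order a certification path by issuer
# linkage and report any certificates sitting above DoD Root CA 3, which the
# steps above say must be removed from the Intermediate and Trusted Root stores.
EXPECTED_ROOT = "DoD Root CA 3"


def order_chain(certs):
    """certs: list of (subject, issuer) pairs in any order, as read from the
    Certification Path tab. Returns the path from the end-entity certificate
    upward, stopping at a self-signed certificate or a missing issuer."""
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    issuers = {issuer for _, issuer in certs}
    leaves = [c for c in certs if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    path, seen = [leaves[0]], {leaves[0][0]}
    while True:
        subject, issuer = path[-1]
        if issuer == subject or issuer not in by_subject or issuer in seen:
            return path
        path.append(by_subject[issuer])
        seen.add(issuer)


def check_path(certs):
    """Compare the ordered path with the expected three-level layout:
    end entity -> DOD CA-XX -> DoD Root CA 3 (self-signed)."""
    path = order_chain(certs)
    subjects = [subject for subject, _ in path]
    if EXPECTED_ROOT not in subjects:
        return {"ok": False, "depth": len(path), "remove": [],
                "reason": f"{EXPECTED_ROOT} is not in the path"}
    root_index = subjects.index(EXPECTED_ROOT)
    above = subjects[root_index + 1:]          # cross-certificates to remove
    cross_issued = path[root_index][1] != EXPECTED_ROOT
    reasons = []
    if root_index != 2:
        reasons.append(f"expected {EXPECTED_ROOT} at level 3, found at level {root_index + 1}")
    if cross_issued:
        reasons.append(f"{EXPECTED_ROOT} chains to a cross-certificate instead of being self-signed")
    return {"ok": not reasons, "depth": len(path), "remove": above,
            "reason": "; ".join(reasons) or "path is valid"}


# Constructed sample paths; the EDIPI and the CA number are placeholders.
LEAF = "LASTNAME.FIRST.I.1234567890"
GOOD_PATH = [("DOD CA-XX", EXPECTED_ROOT), (EXPECTED_ROOT, EXPECTED_ROOT),
             (LEAF, "DOD CA-XX")]
CROSS_CERT_PATH = [(LEAF, "DOD CA-XX"), ("DOD CA-XX", EXPECTED_ROOT),
                   (EXPECTED_ROOT, "DoD Interoperability Root CA 2"),
                   ("DoD Interoperability Root CA 2", "DoD Interoperability Root CA 2")]

if __name__ == "__main__":
    print(check_path(GOOD_PATH))        # ok, three levels, nothing to remove
    print(check_path(CROSS_CERT_PATH))  # not ok, remove the Interoperability entry
```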


Common Access Card Resources

The links below provide Common Access Card information:


Return to the TOP of the page.