
The Modernized CAC

In December 2018, USD P&R and DoD CIO issued a joint memorandum on
“Modernizing the Common Access Card – Streamlining Identity and Improving
Operational Interoperability.” The memo directed changes to modernize the CAC by
decreasing the number of user certificates and more clearly aligning certificates to
specific purposes. DMDC began issuing modernized CACs at select RAPIDS sites in
August 2020.

How is the CAC changing?
The modernized CAC is designed to have a single user certificate for each major
PKI function:

  • PIV-Auth for authentication
  • Signature (a.k.a. Email Signing) for email and document signing
  • Encryption for encryption

The modernized CAC does not contain an Identity (a.k.a. ID) certificate, and the
Signature certificate can no longer be used for authentication. There is also a new
Card Authentication certificate intended to support physical access control use
cases by cryptographically authenticating the card to Physical Access Control
Systems (PACS).

How can I tell if my new CAC is modernized?

A modernized CAC can be identified by looking for the changes described above.
For example, when viewing a CAC in ActivClient:

  • A modernized CAC will contain a Card Authentication certificate that is not associated with the card holder’s name, and will not contain an ID certificate
  • A legacy CAC will not display a Card Authentication certificate, and in ActivClient GSC-IS mode (which is a commonly used DoD ActivClient configuration) will display the legacy ID certificate

*In GSC-IS mode, the Card Authentication certificate may be labeled “Encryption”. It can be identified by the absence of the user’s name (“- LAST.FIRST.MI.##########”) at the end of the certificate’s display name.

Alternately, the Signature certificate can be inspected to determine whether a CAC is legacy or modernized:

  • A modernized CAC’s signature certificate will not list any authentication-related purposes such as “Smart Card Logon” and will list
  • A legacy CAC’s signature certificate will list authentication-related purposes including “Smart Card Logon” and will not list Document Signing

How Will My User Experience Be Different?

Use of the PIV-Auth certificate for authentication

As systems across DoD have been updating to support modernized CACs, many users have already transitioned to using their PIV-Auth certificate on their legacy CACs for network logon and authentication to web sites and other resources. Users who have not already begun using the PIV-Auth certificate for authentication will have to do so once they are issued modernized CACs, since that will be the only authentication certificate available on the card.

On modernized CACs, the PIV-Auth certificate is the only user certificate issued by a DoD ID CA. During network logon, users can recognize it by the presence of 16 digits before the @mil, versus the 10 digits that existed in the legacy CAC’s Signature certificate.

For more information on differentiating the PIV-Auth certificate from other certificates on a legacy CAC, see https://intelshare.intelink.gov/sites/disa-pki-pke/SitePages/Identifying_the_PIV-Auth_Certificate.aspx.
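As an added example (not part of this page or of DISA's own tooling), the identification rules above (Card Authentication certificate without the holder's name, Signature certificate with or without Smart Card Logon and Document Signing) and the 16-digit UPN check for PIV-Auth can be applied to certificate attributes already read from a card. The EKU OIDs are the standard Microsoft values, the three-field record layout is an assumption, and the sample records are constructed.

```python
import re

# Well-known EKU OIDs (assumption: standard Microsoft values; the page names them only by display name)
EKU_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_DOCUMENT_SIGNING = "1.3.6.1.4.1.311.10.3.12"

# User certificates' display names end in "- LAST.FIRST.MI.##########"; the Card Authentication cert's does not
NAME_SUFFIX = re.compile(r"[A-Z'-]+\.[A-Z'-]+(\.[A-Z'-]+)?\.\d{10}$")
# UPN in the SAN: PIV-Auth carries 16 digits before @mil, the legacy Signature certificate carried 10
UPN_FORM = re.compile(r"^(\d+)@mil$")


def classify_cert(display_name, upn, eku_oids):
    """Return (certificate_type, card_generation); card_generation is 'modernized',
    'legacy', or None when this certificate alone does not tell."""
    eku = set(eku_oids)
    if not NAME_SUFFIX.search(display_name):
        return ("Card Authentication", "modernized")   # may be labeled "Encryption" in GSC-IS mode
    m = UPN_FORM.match(upn or "")
    if m and len(m.group(1)) == 16:
        return ("PIV-Auth", None)                       # issued on both legacy and modernized CACs
    if EKU_SMART_CARD_LOGON in eku and EKU_DOCUMENT_SIGNING not in eku:
        return ("Signature/ID (authentication-capable)", "legacy")
    if EKU_DOCUMENT_SIGNING in eku and EKU_SMART_CARD_LOGON not in eku:
        return ("Signature", "modernized")
    return ("Other", None)                              # e.g. Encryption: no authentication purpose


def classify_card(certs):
    """Combine per-certificate verdicts; conflicting evidence is reported, not guessed away."""
    verdicts = {g for _, g in (classify_cert(*c) for c in certs) if g}
    if len(verdicts) > 1:
        return "inconsistent"
    return verdicts.pop() if verdicts else "undetermined"


# Constructed sample records (names, EDIPIs and UPNs are made up), shaped like an ActivClient listing
MODERNIZED_CAC = [
    ("Certificate - DOE.JANE.A.1234567890", "1234567890123456@mil", ["1.3.6.1.5.5.7.3.2", EKU_SMART_CARD_LOGON]),
    ("Certificate - DOE.JANE.A.1234567890", None, ["1.3.6.1.5.5.7.3.4", EKU_DOCUMENT_SIGNING]),
    ("Certificate - DOE.JANE.A.1234567890", None, ["1.3.6.1.5.5.7.3.4"]),
    ("Encryption", None, ["1.3.6.1.5.5.7.3.2"]),
]
LEGACY_CAC = [
    ("Certificate - DOE.JANE.A.1234567890", "1234567890@mil", ["1.3.6.1.5.5.7.3.2", EKU_SMART_CARD_LOGON]),
    ("Certificate - DOE.JANE.A.1234567890", "1234567890@mil", ["1.3.6.1.5.5.7.3.4", EKU_SMART_CARD_LOGON]),
    ("Certificate - DOE.JANE.A.1234567890", None, ["1.3.6.1.5.5.7.3.4"]),
]

if __name__ == "__main__":
    for label, certs in (("modernized", MODERNIZED_CAC), ("legacy", LEGACY_CAC)):
        print(label, "->", classify_card(certs), [classify_cert(*c)[0] for c in certs])
```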

A single certificate in the certificate prompt OR no certificate prompt at all

Because the modernized CAC has been designed with a single certificate for each major PKI function (rather than multiple certificates able to perform the same function), a user will typically only see one valid certificate displayed for selection in the certificate prompt to perform a function such as logging on to a system or signing a document. For example, rather than seeing three possible certificates – ID, Signature and PIV-Auth – from which to select when authenticating to a web site, a user would only see the PIV-Auth certificate.

In some instances, browsers and other systems may be configured to automatically select and present a certificate on the user’s behalf when only one valid certificate is found. Since the modernized CAC is designed to have only one certificate usable for each purpose, this would typically be the case for a modernized CAC holder. If a browser or system is configured to automatically select the certificate, no certificate prompt will be displayed. The user may be prompted to enter their PIN or may be automatically logged in without even a PIN prompt if their card reader middleware already has their PIN cached.

For additional information on CAC modernization, visit https://intelshare.intelink.gov/sites/disa-pki-pke/SitePages/CAC_Modernization.aspx.
