CAC / PIV Card Support

This support page is for CAC / PIV Card users experiencing login / authentication issues.

For questions or issues regarding CACs / PIV Cards, follow the Certificate Troubleshooting instructions for the best support.

Contact our Help Desk for all other issues.

PIEE Supported Digital Certificate Types

PIEE two-factor login requirements. DoD users must use the Authentication Certificate if present on the CAC. Key usage of 'Digital Signature' and Enhanced Key Usage of 'Client Authentication' must be present on the Authentication Certificate. If the Authentication Certificate is not present on the CAC, then the ID certificate must be used. Key usage of 'Digital Signature' must be present on the ID Certificate.

PIEE digital signature requirements. DoD users must use a certificate on the CAC with key usage of 'Digital Signature' and 'Non-Repudiation'. The certificate common name must match the certificate common name used for login.

Certificate Type	Intended Purpose	PIEE Support
DoD PKI ID Key	Digital Signature for entity authentication and data origin authentication with integrity	Logon Registration Token Authentication Screened to preclude certificates not asserting hardware policy² DoD PKI Authentication Key must be used if present. DoD PKI ID Key is being deprecated per DoD Memorandum "Modernizing the Common Access Card - Streamlining Identity and Improving Operational Interoperability"
DoD PKI Authentication Key	Logical Access to Web Sites (Client Authentication) Logical Access (Smartcard Login) to local networks Digital Signature for entity authentication and data origin authentication with integrity	Logon Registration Token Authentication Screened to preclude certificates not asserting hardware policy²
DoD PKI Signature Key	Digital Signature for entity authentication and data origin authentication with integrity Non-Repudiation to protect against the signing entity falsely denying some action, excluding certificate or CRL signing.	Document Signing
DoD PKI Encryption Key	Key Encipherment (Email encryption)	Not Supported Screened to preclude use of certificates issues by eMail CA's
DoD PKI PIV Authentication Certificate	Logical Access to Web Sites (Client Authentication) Logical access (Smartcard Login) to non-DoD Federal Systems	Not Supported Screened to preclude use of certificates not intended for non-repudiation purposes User must use the CAC issued for the PIEE authorized role and organization affiliation¹
DoD PKI ECA Identity Certificate	Logical Access to Web Sites (Authentication) Digital Signature for Non-repudiation	Limited to DoD-managed ECA PKIs Screened to preclude certificates not asserting hardware policy²
Category I: U.S. Federal Agency PKI PIV	Logical Access to Web Sites (Authentication) Digital Signature for Non-repudiation	Limited to DoD approved external PKIs Screened to preclude certificates not asserting hardware policy²
Category II: U.S. Federal Agency PKI PIV	Logical Access to Web Sites (Authentication) Digital Signature for Non-repudiation	Limited to DoD approved external PKIs Screened to preclude certificates not asserting hardware policy²

^{1 An example of a dual persona person is one who has a CAC issued as a contractor and a CAC issued as a member of the Army Reserves. This individual
has two CACs, but until the PIV Auth Cert is activated on their CAC cards, they only have one digital
identity. The PIV Auth Cert has a field that is unique for each persona. This is a 16 digit numeric field that starts with a 10 digit Electronic Data Interchange Person Identifier (EDIPI)
and adds to it a 6 digit Federal Agency Smart Credential Number Role specific attribute.}

^{2 Given the sensitivity of information processed by PIEE, DoD Instruction 8520.03 required Credential Strength is “D”. This Credential Strength is
equivalent to the OMB / NIST defined Identity Assurance Level 4.}

Certificate Troubleshooting

Descriptions and solutions for common certificate issues.

Unauthorized 403

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:

Note: For Registration, Login, and Token Authentication, only the X509 Authentication Certificates from your Personal Certificate Store that have Key Usage of Digital Signature and Enhanced Key Usage of Client Authentication should be used if present. If the Authentication Certificate is not present on the CAC, then the ID certificate must be used. Key usage of 'Digital Signature' must be present on the ID Certificate.

Possible Causes:

User has no valid X509 certificates installed.
User clicked the cancel button when prompted to select a certificate.
Inoperable ActivClient
Wrong ActivClient version
User Certificates are not available to Windows through Active Client

Possible Solutions:

Close all browser windows before attempting to login / authenticate again.
Republish Certificate(s)
Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Under Certificates
    - Click Clear SSL State
    - Click OK on the confirmation that the cache was cleared
  - Click Certificates
  - Under the Personal Tab
  - Remove all listed certificates [NOTE: Email certificates can be left]
  - Once all certificate are removed click close and OK on Internet Options
- Open ActivClient User Console
  - Start > All Programs > ActivIdentity > ActivClient
    - Select User Console
    - Click Tools
    - Select Advanced
      
      Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
      
      After confirmation, return to the Tools > Advanced menu
      
      Click "Make Certificates Available to Windows"
    - The CAC certificates should now be republished and available to use.
NOTE: the options to forget state and make certificates available are not in ActivClient version 8 - or - Reset Optimization Cache (this removes and republishes in one step)
Refer to local system administrator to uninstall and reinstall ActivClient
Remove expired, or conflicting Certificates

If the certificate selection window is entirely blank, E.G. there are no error messages present: Clear Browser Cache

Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues. Some users may not have access to delete their own temporary internet files; in that case refer the user to a system administrator.

From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
On the General Tab
- Under Browsing History click Delete
- Uncheck "Preserve Favorites Website Data" [if available]
- Check "Temporary Internet Files" [if unchecked]
- Check "Cookies" [if unchecked]
- Click Delete

Site security certificate error

When a user accesses PIEE they may receive a prompt that the security certificate presented is invalid, untrusted, not yet valid, or expired.

The exact message will depend on the browser used

Possible Causes:

Has not installed the DoD certificate authorities
The PC date and time is incorrect

Possible Solutions:

Complete the Machine Setup under New User
Correct the system date and time

Certificate trust validation failed

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:

x Error: The certificate validation trust failed ...

Possible Causes:

The certificate is unreadable or valicert is unavailable
The certificate used is invalid
The certification path on the certificate contains invalid entries
The certificate used is not on the trusted issuer list

Possible Solutions:

Check Certificates in Internet Options
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Under Certificates
    - Click Clear SSL State
    - Click OK on the confirmation that the cache was cleared
  - Click Certificates
  - Under the Personal Tab
    - Identify the listed certificates
      
      Typical CAC users will have three listed certificates
      
      Under Issued To should be the users name followed by the dodID number
      
      Under Issued by you should typically see one or two Email certificates, and one NON-Email certificate.
      
      The NON-Email [ALL] Certificate is the one used by PIEE
      
      If Invalid certificates are listed in the Republish Certificate(s)
      
      Select the NON-Email Certificate
      
      Click View
      
      Under the General Tab
      
      Check the Valid from dates to ensure the certificate is not expired
      
      Under the Certification Path
      
      Check the certification path is valid
      
      The Certification Path is typically three levels deep
      
      The path should look like this:
      
      DoD Root CA 3
      
      DOD CA -XX [where XX = the CA issuing number]
      
      Lastname.first.I.xxxxxxxxxxxxxxxxx ....
      
      If the Certification Path is invalid:
      
      Correct Certification Path
      
      If the certification path is correct
      
      Verify the certificate is a valid X509 Certificate for Digital Signing and Non-Repudiation. Non-repudiation is only required for signing documents in the PIEE.
      
      Click the Details tab and scroll to Key Usage
      
      Verify that both Digital Signature and Non-Repudiation are displayed
      
      If the certificate is missing Non-Repudiation the certificate will need to be re-issued.
      
      Click OK on the Certificate dialog.
  - Click Close on the Certificates dialog
- Click OK on the Internet Options dialog
Correct Certification Path
Correcting the certification path can resolve errors with certificates not being found, readable, or verifiable.

This may require local administrative rights
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Click Certificates
  - Under the Personal Tab, select the NON-Email Certificate
  - Click View
    - Under the Certification Path
      
      Check the certification path is valid
      
      The Certification Path typically three levels deep
      
      The path should look like this:
      
      DoD Root CA 3
      
      DOD CA -XX [where XX = the CA issuing number]
      
      Lastname.first.I.xxxxxxxxxxxxxxxxx ....
      
      If the Certification Path is invalid:
      
      Make note of each certificate listed above DoD Root CA-3
      
      E.G. DoD Interoperability
      
      Click OK on the Certificate window
    - On the Certificates window
      
      Click on the Intermediate Certification Authorities Tab
      
      Remove all the certificates that were listed above DoD Root CA-3
      
      E.G. DoD Interoperability
      
      Click on the Trusted Root Certification Authorities Tab
      
      Remove all the certificates that were listed above DoD Root CA-3
      
      E.G. DoD Interoperability
      
      Click Close on the Certificates dialog
      
      Click OK on Internet Options
Republish Certificate(s)
Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Under Certificates
    - Click Clear SSL State
    - Click OK on the confirmation that the cache was cleared
  - Click Certificates
  - Under the Personal Tab
  - Remove all listed certificates [NOTE: Email certificates can be left]
  - Once all certificate are removed click close and OK on Internet Options
- Open ActivClient User Console
  - Start > All Programs > ActivIdentity > ActivClient
    - Select User Console
    - Click Tools
    - Select Advanced
      
      Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
      
      After confirmation, return to the Tools > Advanced menu
      
      Click "Make Certificates Available to Windows"
    - The CAC certificates should now be republished and available to use.
NOTE: the options to forget state and make certificates available are not in ActivClient version 8 - or - Reset Optimization Cache (this removes and republishes in one step)

Session ID Assigned Twice

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:

x Error: A situation has occurred where your 'Session ID' has been assigned twice. In order to continue to use the application it is required for you to CLOSE YOUR BROWSER. Once you have closed and reopened your browser, you will be able to continue with the Procurement Integrated Enterprise Environment. If you are using the IE 7 browser or a greater version of IE browser then close the whole browser, do not attempt to login on multiple tabs.

Possible Causes:

Closing your browser window without logging out of PIEE
PIEE open on another tab.
Browser unexpectedly crashed and auto-recovered.

Possible Solutions:

Clear Browser Cache
Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues. Some users may not have access to delete their own temporary internet files; in that case refer the user to a system administrator.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- On the General Tab
  - Under Browsing History click Delete
  - Uncheck "Preserve Favorites Website Data" [if available]
  - Check "Temporary Internet Files" [if unchecked]
  - Check "Cookies" [if unchecked]
  - Click Delete
Adjust IE Settings
Adjusting the Internet Explorer Browser settings can solve many common problems. Not all of the following settings will be available to all users depending on local security policy.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- On the General Tab
  - Clear the Browser Cache
    - Under Browsing History click Delete
    - Uncheck "Preserve Favorites Website Data" [if available]
    - Check "Temporary Internet Files" [if unchecked]
    - Check "Cookies" [if unchecked]
    - Click Delete
  - Click Settings under Browsing History
    - Under Check for newer versions of stored pages
    - Select "Every time I visit the webpage"
    - Click OK
  - Click Settings under Tabs
    - Under When a Pop-up is encountered
    - Select "Let Internet Explorer decide …"
    - Click OK
- Click Security Tab
  - Select Trusted Sites
  - Click Sites
  - If unlisted Add:
    - https://*.eb.mil
    - https://*.disa.mil
  - Click Close
  - Security level for Trusted sites should be Medium or lower
  - If checked, uncheck Enable Protected Mode
- Click Privacy Tab
  - If Pop-up Blocker is enabled [if disabled/unchecked continue to Content]
  - Click Settings
  - Add the following sites if they are not listed
    - https://*.eb.mil
    - https://*.disa.mil
- Click the Content Tab
  - Under Certificates
    - Click Clear SSL State
    - Click OK on the confirmation that the cache was cleared
- Click on the Advanced Tab
  - Under Browsing
    - Check [if unchecked] "Show Friendly HTTP error messages"
  - Under Security
    - Uncheck "Use SSL2.0"
    - Check "Use SSL 3.0"
    - Check "Use TLS 1.0"
    - Uncheck "Use TLS 1.1"
    - Uncheck "Use TLS 1.2"
- Additional Steps:
  - [If the user is a CAC user: Check Certificates in Internet Options ]
  - Check IE Compatibility View
- If problems persist
  - From the Advanced tab under Reset Internet Explorer settings
    - Click Reset
    - NOTE: This will reset any custom settings the user may require. This should only be done if the end user understands this and the browser is otherwise unusable.

Online Certificate Status Protocol (OCSP) Errors

When attempting to login or register with a CAC users may receive errors related to the OCSP.

Most OCSP errors during CAC login are caused by network outages, OCSP server misconfiguration or downtime, and/or Certificate Revocation Lists are not updated.

The Certificate Revocation Lists (CRL) are cached for the PIEE server certificate and applet code signing certificate as this is handled on the Operating System / Browser level.

Verification

Has the certificate login ever worked with this certificate?
Are other users receiving the same error?
Is OCSP available?

Possible Solutions:

If CAC login has worked in the past and there are no known or reported issues connecting to the OCSP

Clear Browser Cache
Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues. Some users may not have access to delete their own temporary internet files; in that case refer the user to a system administrator.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- On the General Tab
  - Under Browsing History click Delete
  - Uncheck "Preserve Favorites Website Data" [if available]
  - Check "Temporary Internet Files" [if unchecked]
  - Check "Cookies" [if unchecked]
  - Click Delete
To delete OCSP and/or CRL cache from your Windows system:
- Go to Start Menu > Run
- Type cmd and press Enter
- In the command promp, type the following command and press Enter to execute:
- certutil -urlcache * delete
- Reboot your computer
Obtain a copy of the certificate and contact the service desk

If CAC login has NEVER worked

Obtain a copy of the certificate and contact the service desk

Next update value not found in the CRL list

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:

x Error: Next update value not found in the CRL list

Possible Solutions:

Clear Browser Cache
Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues. Some users may not have access to delete their own temporary internet files; in that case refer the user to a system administrator.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- On the General Tab
  - Under Browsing History click Delete
  - Uncheck "Preserve Favorites Website Data" [if available]
  - Check "Temporary Internet Files" [if unchecked]
  - Check "Cookies" [if unchecked]
  - Click Delete
Check Certificates in Internet Options
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Under Certificates
    - Click Clear SSL State
    - Click OK on the confirmation that the cache was cleared
  - Click Certificates
  - Under the Personal Tab
    - Identify the listed certificates
      
      Typical CAC users will have three listed certificates
      
      Under Issued To should be the users name followed by the dodID number
      
      Under Issued by you should typically see one or two Email certificates, and one NON-Email certificate.
      
      The NON-Email [ALL] Certificate is the one used by PIEE
      
      If Invalid certificates are listed in the Republish Certificate(s)
      
      Select the NON-Email Certificate
      
      Click View
      
      Under the General Tab
      
      Check the Valid from dates to ensure the certificate is not expired
      
      Under the Certification Path
      
      Check the certification path is valid
      
      The Certification Path is typically three levels deep
      
      The path should look like this:
      
      DoD Root CA 3
      
      DOD CA -XX [where XX = the CA issuing number]
      
      Lastname.first.I.xxxxxxxxxxxxxxxxx ....
      
      If the Certification Path is invalid:
      
      Correct Certification Path
      
      If the certification path is correct
      
      Verify the certificate is a valid X509 Certificate for Digital Signing and Non-Repudiation. Non-repudiation is only required for signing documents in the PIEE.
      
      Click the Details tab and scroll to Key Usage
      
      Verify that both Digital Signature and Non-Repudiation are displayed
      
      If the certificate is missing Non-Repudiation the certificate will need to be re-issued.
      
      Click OK on the Certificate dialog.
  - Click Close on the Certificates dialog
- Click OK on the Internet Options dialog
Correct Certification Path
Correcting the certification path can resolve errors with certificates not being found, readable, or verifiable.

This may require local administrative rights
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Click Certificates
  - Under the Personal Tab, select the NON-Email Certificate
  - Click View
    - Under the Certification Path
      
      Check the certification path is valid
      
      The Certification Path typically three levels deep
      
      The path should look like this:
      
      DoD Root CA 3
      
      DOD CA -XX [where XX = the CA issuing number]
      
      Lastname.first.I.xxxxxxxxxxxxxxxxx ....
      
      If the Certification Path is invalid:
      
      Make note of each certificate listed above DoD Root CA-3
      
      E.G. DoD Interoperability
      
      Click OK on the Certificate window
    - On the Certificates window
      
      Click on the Intermediate Certification Authorities Tab
      
      Remove all the certificates that were listed above DoD Root CA-3
      
      E.G. DoD Interoperability
      
      Click on the Trusted Root Certification Authorities Tab
      
      Remove all the certificates that were listed above DoD Root CA-3
      
      E.G. DoD Interoperability
      
      Click Close on the Certificates dialog
      
      Click OK on Internet Options
Republish Certificate(s)
Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
- Click the Content Tab
  - Under Certificates
    - Click Clear SSL State
    - Click OK on the confirmation that the cache was cleared
  - Click Certificates
  - Under the Personal Tab
  - Remove all listed certificates [NOTE: Email certificates can be left]
  - Once all certificate are removed click close and OK on Internet Options
- Open ActivClient User Console
  - Start > All Programs > ActivIdentity > ActivClient
    - Select User Console
    - Click Tools
    - Select Advanced
      
      Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
      
      After confirmation, return to the Tools > Advanced menu
      
      Click "Make Certificates Available to Windows"
    - The CAC certificates should now be republished and available to use.
NOTE: the options to forget state and make certificates available are not in ActivClient version 8 - or - Reset Optimization Cache (this removes and republishes in one step)
To delete OCSP and/or CRL cache from your Windows system:
- Go to Start Menu > Run
- Type cmd and press Enter
- In the command promp, type the following command and press Enter to execute:
- certutil -urlcache * delete
- Reboot your computer

Help Desk

If your issue is not resolved by following the steps in the solutions above, send a message to our Help Desk.

Send a Secure Message

866-618-5988

Email: disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil
Fax: 801-605-7453

Help Desk Hours
Monday - Friday, 06:30 – 24:00 EST