CAC / PIV Card Support

This support page is for CAC / PIV Card users experiencing login / authentication issues.

For questions or issues regarding CACs / PIV Cards, follow the Certificate Troubleshooting instructions for the best support.

Contact our Help Desk for all other issues.

PIEE Supported Digital Certificate Types

PIEE two-factor login requirements: DoD users must use the Authentication Certificate if it is present on the CAC. Key Usage of 'Digital Signature' and Enhanced Key Usage of 'Client Authentication' must be present on the Authentication Certificate. If no Authentication Certificate is present on the CAC, the ID Certificate must be used, and Key Usage of 'Digital Signature' must be present on the ID Certificate.


PIEE digital signature requirements: DoD users must sign with a certificate on the CAC that has Key Usage of 'Digital Signature' and 'Non-Repudiation'. The common name of the signing certificate must match the common name of the certificate used for login.


Certificate Type / Intended Purpose / PIEE Support

DoD PKI ID Key
  Intended Purpose:
  • Digital Signature for entity authentication and data origin authentication with integrity
  PIEE Support:
  • Logon
  • Registration
  • Token Authentication
  • Screened to preclude certificates not asserting hardware policy [2]
  • DoD PKI Authentication Key must be used if present.
  • DoD PKI ID Key is being deprecated per DoD Memorandum "Modernizing the Common Access Card - Streamlining Identity and Improving Operational Interoperability"

DoD PKI Authentication Key
  Intended Purpose:
  • Logical Access to Web Sites (Client Authentication)
  • Logical Access (Smartcard Login) to local networks
  • Digital Signature for entity authentication and data origin authentication with integrity
  PIEE Support:
  • Logon
  • Registration
  • Token Authentication
  • Screened to preclude certificates not asserting hardware policy [2]

DoD PKI Signature Key
  Intended Purpose:
  • Digital Signature for entity authentication and data origin authentication with integrity
  • Non-Repudiation to protect against the signing entity falsely denying some action, excluding certificate or CRL signing.
  PIEE Support:
  • Document Signing

DoD PKI Encryption Key
  Intended Purpose:
  • Key Encipherment (Email encryption)
  PIEE Support:
  • Not Supported
  • Screened to preclude use of certificates issued by eMail CAs

DoD PKI PIV Authentication Certificate
  Intended Purpose:
  • Logical Access to Web Sites (Client Authentication)
  • Logical Access (Smartcard Login) to non-DoD Federal Systems
  PIEE Support:
  • Not Supported
  • Screened to preclude use of certificates not intended for non-repudiation purposes
  • User must use the CAC issued for the PIEE authorized role and organization affiliation [1]

DoD PKI ECA Identity Certificate
  Intended Purpose:
  • Logical Access to Web Sites (Authentication)
  • Digital Signature for Non-repudiation
  PIEE Support:
  • Limited to DoD-managed ECA PKIs
  • Screened to preclude certificates not asserting hardware policy [2]

Category I: U.S. Federal Agency PKI PIV
  Intended Purpose:
  • Logical Access to Web Sites (Authentication)
  • Digital Signature for Non-repudiation
  PIEE Support:
  • Limited to DoD approved external PKIs
  • Screened to preclude certificates not asserting hardware policy [2]

Category II: U.S. Federal Agency PKI PIV
  Intended Purpose:
  • Logical Access to Web Sites (Authentication)
  • Digital Signature for Non-repudiation
  PIEE Support:
  • Limited to DoD approved external PKIs
  • Screened to preclude certificates not asserting hardware policy [2]

[1] An example of a dual-persona person is one who has a CAC issued as a contractor and a CAC issued as a member of the Army Reserves. This individual has two CACs, but until the PIV Auth Cert is activated on their CACs they have only one digital identity. The PIV Auth Cert carries a field that is unique for each persona: a 16-digit numeric value made up of the 10-digit Electronic Data Interchange Person Identifier (EDIPI) followed by a 6-digit Federal Agency Smart Credential Number (FASC-N) role-specific attribute.

[2] Given the sensitivity of information processed by PIEE, the Credential Strength required by DoD Instruction 8520.03 is "D". This Credential Strength is equivalent to the OMB / NIST defined Level of Assurance 4 (LOA 4).

Certificate Troubleshooting

Descriptions and solutions for common certificate issues.

When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:

Unauthorized 403 Error

Note: For Registration, Login, and Token Authentication, only the X.509 Authentication Certificate from your Personal certificate store that has Key Usage of Digital Signature and Enhanced Key Usage of Client Authentication should be used, if present. If the Authentication Certificate is not present on the CAC, then the ID Certificate must be used. Key Usage of 'Digital Signature' must be present on the ID Certificate.

Possible Causes:

  • User has no valid X.509 certificates installed.
  • User clicked the Cancel button when prompted to select a certificate.
  • ActivClient is not running or is inoperable
  • Wrong ActivClient version
  • User certificates have not been made available to Windows through ActivClient

Possible Solutions:

  • Close all browser windows before attempting to login / authenticate again.
  • Republish Certificate(s)

    Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

    Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.

    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
        • Remove all listed certificates [NOTE: Email certificates can be left]
        • Once all certificates are removed, click Close and then OK on Internet Options
    • Open ActivClient User Console
      • Start > All Programs > ActivIdentity > ActivClient
        • Select User Console
        • Click Tools
        • Select Advanced
          • Click "Forget state for all cards"
            • After confirmation, return to the Tools > Advanced menu
          • Click "Make Certificates Available to Windows"
        • The CAC certificates should now be republished and available to use.

    NOTE: "Forget state for all cards" and "Make Certificates Available to Windows" are not present in ActivClient version 8. In that version use Tools > Advanced > "Reset Optimization Cache" instead; it removes and republishes the certificates in one step.

  • Refer to local system administrator to uninstall and reinstall ActivClient
  • Remove expired or conflicting certificates

If the certificate selection window is entirely blank (i.e. no certificates are listed and no error message is shown), clear the browser cache:

Clearing the browser Temporary Internet Files cache can resolve many common browser and performance issues. Some users may not have permission to delete their own temporary internet files; in that case refer the user to a system administrator.

  • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
  • On the General Tab
    • Under Browsing History click Delete
    • Uncheck "Preserve Favorites Website Data" [if available]
    • Check "Temporary Internet Files" [if unchecked]
    • Check "Cookies" [if unchecked]
    • Click Delete

When a user accesses PIEE they may receive a prompt that the security certificate presented by the site is invalid, untrusted, not yet valid, or expired.

The exact message will depend on the browser used.


Possible Causes:

  • The DoD certificate authorities (root and intermediate CA certificates) have not been installed
  • The PC date and time is incorrect

Possible Solutions:

  • Complete the Machine Setup under New User
  • Correct the system date and time

When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:


Possible Causes:

  • The certificate is unreadable, or the ValiCert (OCSP) validation service is unavailable
  • The certificate used is invalid
  • The certification path of the certificate contains invalid entries
  • The certificate used was not issued by a CA on the trusted issuer list

Possible Solutions:

  • Check Certificates in Internet Options
    • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
        • Identify the listed certificates
          • Typical CAC users will have three listed certificates
          • Under Issued To should be the user's name followed by the DoD ID number (EDIPI)
          • Under Issued By you should typically see one or two Email CAs and one NON-Email CA
          • The NON-Email certificate (its Intended Purposes column may show <All>) is the one used by PIEE for login
          • If invalid certificates are listed, follow the Republish Certificate(s) steps below
          • Select the NON-Email Certificate
          • Click View
            • Under the General Tab
              • Check the Valid from / Valid to dates to ensure the certificate is not expired or not yet valid
            • Under the Certification Path
              • Check the certification path is valid
                • The Certification Path is typically three levels deep
                • The path should look like this:
                  • DoD Root CA 3
                  • DOD CA-XX [where XX = the CA issuing number]
                  • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
              • If the Certification Path is invalid, follow the Correct Certification Path steps below
              • If the certification path is correct, verify the certificate is a valid X.509 certificate for Digital Signature and, for users who sign documents, Non-Repudiation. Non-Repudiation is only required for signing documents in PIEE; it is not required for login.
                • Click the Details tab and scroll to Key Usage
                  • Verify that Digital Signature is displayed (and Non-Repudiation on the certificate used for signing)
                  • If the certificate used for signing is missing Non-Repudiation it cannot sign documents in PIEE and will need to be re-issued.
            • Click OK on the Certificate dialog.
      • Click Close on the Certificates dialog
    • Click OK on the Internet Options dialog
  • Correct Certification Path

    Correcting the certification path can resolve errors with certificates not being found, readable, or verifiable.

    This may require local administrative rights.

    • From an open Internet Explorer window click Tools and select Internet Options, or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Click Certificates
      • Under the Personal Tab, select the NON-Email Certificate
      • Click View
        • Under the Certification Path
          • Check the certification path is valid
            • The Certification Path is typically three levels deep
            • The path should look like this:
              • DoD Root CA 3
              • DOD CA-XX [where XX = the CA issuing number]
              • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
          • If the Certification Path is invalid (extra certificates appear above DoD Root CA 3, so the path is longer than three levels):
            • Make note of each certificate listed above DoD Root CA 3
              • e.g. DoD Interoperability
            • Click OK on the Certificate window
        • On the Certificates window
          • Click on the Intermediate Certification Authorities Tab
            • Remove only the certificates that were listed above DoD Root CA 3
              • e.g. DoD Interoperability
          • Click on the Trusted Root Certification Authorities Tab
            • Remove only the certificates that were listed above DoD Root CA 3
              • e.g. DoD Interoperability
          • Do not remove DoD Root CA 3 itself or the issuing DOD CA-XX certificate; removing the cross-certificates only changes which path Windows builds for the CAC certificate.
          • Click Close on the Certificates dialog
          • Click OK on Internet Options
  • Republish Certificate(s) (follow the Republish Certificate(s) steps under Unauthorized 403 Error above)
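The following PowerShell script is an added example, not code from the PIEE page or from DISA. It automates the checks that the PIEE Supported Digital Certificate Types requirements, the Check Certificates in Internet Options steps and the Correct Certification Path steps above describe by hand: for every certificate in the user's personal store it reports validity dates, the Key Usage and Enhanced Key Usage bits PIEE looks for, the certification path Windows actually builds, and whether that path ends somewhere other than DoD Root CA 3 (the cross-certified "DoD Interoperability" case). It assumes Windows PowerShell 5.1 or later, that the CAC certificates have already been published to Cert:\CurrentUser\My, and that DoD Root CA 3 is the expected anchor, as in the page's sample path; the function and property names are this example's own.

```powershell
# Added example (not from the PIEE page): check the personal certificate store
# against the PIEE login / signing requirements and show the chain Windows builds.
# Assumptions: Windows PowerShell 5.1+, CAC certificates already published to
# Cert:\CurrentUser\My, expected anchor "DoD Root CA 3" (from the page's sample path).
using namespace System.Security.Cryptography.X509Certificates

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, shown by IE as "Client Authentication"
$ExpectedRoot  = 'DoD Root CA 3'       # anchor in the page's sample certification path

function Get-KeyUsageFlags {
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    if ($null -eq $ext) { return [X509KeyUsageFlags]::None }
    return $ext.KeyUsages
}

function Get-EkuOids {
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-PieeCertificate {
    param([X509Certificate2]$Cert)

    $ku         = Get-KeyUsageFlags $Cert
    $eku        = Get-EkuOids $Cert
    $now        = Get-Date
    $inDate     = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)
    $digSig     = $ku.HasFlag([X509KeyUsageFlags]::DigitalSignature)
    $nonRep     = $ku.HasFlag([X509KeyUsageFlags]::NonRepudiation)
    $clientAuth = $eku -contains $ClientAuthOid

    # Build the path locally without revocation lookups so it is visible even when
    # the OCSP responder is unreachable; revocation is a separate check.
    $chain = New-Object X509Chain
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)
    $path  = @($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo([X509NameType]::SimpleName, $false) })

    [pscustomobject]@{
        Subject          = $Cert.GetNameInfo([X509NameType]::SimpleName, $false)
        Issuer           = $Cert.GetNameInfo([X509NameType]::SimpleName, $true)
        EmailCA          = $Cert.Issuer -match 'EMAIL'   # DoD email CAs carry EMAIL in the issuer name
        ValidNow         = $inDate
        NotAfter         = $Cert.NotAfter
        DigitalSig       = $digSig
        NonRepudiation   = $nonRep
        ClientAuthEKU    = $clientAuth
        # Login: the Authentication certificate needs Digital Signature + Client Authentication;
        # the ID certificate fallback needs only Digital Signature (and has no Client Authentication EKU).
        LoginAuthCert    = $inDate -and $digSig -and $clientAuth
        IdFallbackCandidate = $inDate -and $digSig -and -not $clientAuth -and ($Cert.Issuer -notmatch 'EMAIL')
        # Signing: Digital Signature + Non-Repudiation.
        SigningCert      = $inDate -and $digSig -and $nonRep
        ChainBuilt       = $built
        ChainDepth       = $path.Count
        ChainPath        = ($path -join ' -> ')
        # A path that does not end at the expected DoD root means Windows chose a
        # cross-certified route (e.g. through a "DoD Interoperability" certificate);
        # that is the situation the Correct Certification Path steps fix.
        WrongAnchor      = ($path.Count -gt 0) -and ($path[-1] -ne $ExpectedRoot)
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-PieeCertificate $_ } | Format-List
```

Run it as the affected user (the personal store is per-user). A certificate with WrongAnchor set to True, or a ChainDepth greater than three, is the case for the Correct Certification Path steps; a certificate with ValidNow False, or with no LoginAuthCert / IdFallbackCandidate at all, points to re-issue or republishing rather than browser settings.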

When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:


Possible Causes:

  • Closing your browser window without logging out of PIEE
  • PIEE open on another tab.
  • Browser unexpectedly crashed and auto-recovered.

Possible Solutions:

  • Clear Browser Cache (follow the Clear Browser Cache steps above)
  • Adjust IE Settings

    Adjusting the Internet Explorer Browser settings can solve many common problems. Not all of the following settings will be available to all users depending on local security policy.

    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • On the General Tab
      • Clear the Browser Cache
        • Under Browsing History click Delete
        • Uncheck "Preserve Favorites Website Data" [if available]
        • Check "Temporary Internet Files" [if unchecked]
        • Check "Cookies" [if unchecked]
        • Click Delete
      • Click Settings under Browsing History
        • Under Check for newer versions of stored pages
        • Select "Every time I visit the webpage"
        • Click OK
      • Click Settings under Tabs
        • Under When a Pop-up is encountered
        • Select "Let Internet Explorer decide …"
        • Click OK
    • Click Security Tab
      • Select Trusted Sites
      • Click Sites
      • If unlisted Add:
        • https://*.eb.mil
        • https://*.disa.mil
      • Click Close
      • Security level for Trusted sites should be Medium or lower
      • If checked, uncheck Enable Protected Mode
    • Click Privacy Tab
      • If Pop-up Blocker is enabled [if disabled/unchecked continue to Content]
      • Click Settings
      • Add the following sites if they are not listed
        • https://*.eb.mil
        • https://*.disa.mil
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
    • Click on the Advanced Tab
      • Under Browsing
        • Check [if unchecked] "Show Friendly HTTP error messages"
      • Under Security
        • Uncheck "Use SSL 2.0"
        • Uncheck "Use SSL 3.0"
        • Check "Use TLS 1.2"
        • Leave "Use TLS 1.0" and "Use TLS 1.1" unchecked unless the site still requires them
        • NOTE: Do not re-enable SSL 2.0 or SSL 3.0 to work around a login error; both are obsolete and cryptographically broken, and TLS 1.0 / 1.1 are deprecated.
    • Additional Steps:
      • [If the user is a CAC user: Check Certificates in Internet Options ]
      • Check IE Compatibility View
    • If problems persist
      • From the Advanced tab under Reset Internet Explorer settings
        • Click Reset
        • NOTE: This will reset any custom settings the user may require. This should only be done if the end user understands this and the browser is otherwise unusable.
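As an added example (not part of the PIEE page), the PowerShell below reads and corrects the Internet Explorer protocol checkboxes from the Advanced > Security steps above, which IE stores as a per-user bitmask in the SecureProtocols registry value. It reports which protocols are on, flags the obsolete ones, refuses to enable them, and sets TLS 1.2 only when the current configuration is weak. The bit values are the standard IE / WinINet ones (SSL 2.0 = 0x8, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800); the assumed default of 0xA80 when the value is absent, and the function names, are this example's own.

```powershell
# Added example (not from the PIEE page): inspect and fix the IE "Use SSL/TLS x.y"
# checkboxes, which IE keeps as a bitmask in the per-user SecureProtocols value.
$RegPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ProtocolBits = [ordered]@{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
$Obsolete = 'SSL 2.0', 'SSL 3.0'   # broken protocols that must never be enabled

function Get-IeSecureProtocols {
    $value = (Get-ItemProperty -Path $RegPath -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) { $value = 0xA80 }   # assumption: TLS 1.0/1.1/1.2 when the value is absent
    $enabled = @($ProtocolBits.GetEnumerator() |
                 Where-Object { ($value -band $_.Value) -ne 0 } |
                 ForEach-Object { $_.Key })
    $weak = @($enabled | Where-Object { $_ -in $Obsolete })
    [pscustomobject]@{
        RawValue   = ('0x{0:X}' -f $value)
        Enabled    = $enabled
        Weak       = $weak
        Tls12      = $enabled -contains 'TLS 1.2'
        Acceptable = ($enabled -contains 'TLS 1.2') -and ($weak.Count -eq 0)
    }
}

function Set-IeSecureProtocols {
    param([string[]]$Enable = @('TLS 1.2'))
    $mask = 0
    foreach ($name in $Enable) {
        if (-not $ProtocolBits.Contains($name)) { throw "Unknown protocol '$name'" }
        if ($name -in $Obsolete) { throw "Refusing to enable obsolete protocol '$name'" }
        $mask = $mask -bor $ProtocolBits[$name]
    }
    Set-ItemProperty -Path $RegPath -Name SecureProtocols -Value $mask -Type DWord
    return Get-IeSecureProtocols
}

$before = Get-IeSecureProtocols
$before | Format-List
if (-not $before.Acceptable) {
    Write-Warning ('Weak or incomplete protocol configuration ({0}); enabling TLS 1.2 only' -f $before.RawValue)
    Set-IeSecureProtocols -Enable 'TLS 1.2' | Format-List
}
```

Run it as the affected user, since the value lives under HKCU; where local policy sets the same value under HKLM or through Group Policy, the per-user change is overridden and the administrator has to change it there. Close all browser windows afterwards, as the page already advises, so IE rereads the setting.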

When attempting to log in or register with a CAC, users may receive errors related to OCSP (Online Certificate Status Protocol revocation checking).

Most OCSP errors during CAC login are caused by network outages, OCSP responder misconfiguration or downtime, and/or Certificate Revocation Lists (CRLs) that have not been updated.

The Certificate Revocation Lists (CRL) are cached for the PIEE server certificate and applet code signing certificate as this is handled on the Operating System / Browser level.

Verification

  • Has the certificate login ever worked with this certificate?
  • Are other users receiving the same error?
  • Is OCSP available?

Possible Solutions:

If CAC login has worked in the past and there are no known or reported issues connecting to the OCSP

  • Clear Browser Cache (follow the Clear Browser Cache steps above)
  • To delete the OCSP and/or CRL cache from your Windows system:
    • Go to Start Menu > Run
    • Type cmd and press Enter
    • In the command prompt, type the following command and press Enter to execute it (run it as the affected user, since the cache is per-user):
    • certutil -urlcache * delete
    • Reboot your computer
  • Obtain a copy of the certificate and contact the service desk

If CAC login has NEVER worked

  • Obtain a copy of the certificate and contact the service desk
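The PowerShell script below is an added example, not code from the PIEE page or from DISA. It works through the Verification questions above for the non-email CAC certificate: it extracts the OCSP responder and CRL URLs from the certificate's AIA and CDP extensions, tests whether each is reachable, then builds the chain with online revocation checking and separates a definitive "Revoked" answer from the "status unknown / offline" result that a network outage or a stale cached response produces. Only in the latter case, and only when run with -FlushUrlCache, does it run the same certutil command the page gives. It assumes Windows PowerShell 5.1 or later and CAC certificates in Cert:\CurrentUser\My; the function names are this example's own.

```powershell
# Added example (not from the PIEE page): diagnose OCSP / CRL failures for the
# non-email CAC certificate and, on request, flush the cached revocation data.
# Assumptions: Windows PowerShell 5.1+, CAC certificates in Cert:\CurrentUser\My.
using namespace System.Security.Cryptography.X509Certificates

param([switch]$FlushUrlCache)   # pass -FlushUrlCache to run the certutil step from the page

function Get-RevocationUrls {
    param([X509Certificate2]$Cert)
    # AIA (1.3.6.1.5.5.7.1.1) lists the OCSP responder; CDP (2.5.29.31) lists the CRL.
    $urls = foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1
        if ($ext) {
            [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        }
    }
    return @($urls | Sort-Object -Unique)
}

function Test-TcpReachable {
    param([string]$Url, [int]$TimeoutMs = 3000)
    $u = [uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($u.Host, $u.Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-PieeRevocation {
    param([X509Certificate2]$Cert)
    $chain = New-Object X509Chain
    $chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(15)
    $valid    = $chain.Build($Cert)
    $status   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $softFail = 'RevocationStatusUnknown', 'OfflineRevocation'

    [pscustomobject]@{
        Subject           = $Cert.GetNameInfo([X509NameType]::SimpleName, $false)
        ChainValid        = $valid
        # "Revoked" is a definitive answer from the responder or CRL; no cache flush will change it.
        Revoked           = $status -contains 'Revoked'
        # "Unknown" / "Offline" means the responder or CRL could not be consulted: the
        # outage, misconfiguration or stale-cache case the page describes.
        RevocationUnknown = @($status | Where-Object { $_ -in $softFail }).Count -gt 0
        OtherStatus       = @($status | Where-Object { $_ -notin (@('NoError', 'Revoked') + $softFail) })
        Responders        = @(Get-RevocationUrls $Cert | ForEach-Object { '{0} reachable={1}' -f $_, (Test-TcpReachable $_) })
    }
}

$results = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -notmatch 'EMAIL' } |      # the non-email certificate is the one PIEE uses
    ForEach-Object { Test-PieeRevocation $_ })
$results | Format-List

if ($FlushUrlCache -and @($results | Where-Object RevocationUnknown).Count -gt 0) {
    # Same command the page gives; it clears the current user's cached OCSP responses and CRLs.
    certutil -urlcache * delete | Out-Null
    Write-Host 'URL cache cleared; reboot before retrying the CAC login.'
}
```

Reading the output: responders reachable but RevocationUnknown set points at stale cached data on the workstation, which the flush and reboot address; responders unreachable points at the network or the responder itself, and other users will see the same error; Revoked set means the certificate is the problem, and the service desk needs a copy of it.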

When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:


Possible Solutions:

  • Clear Browser Cache (follow the Clear Browser Cache steps above)
  • Check Certificates in Internet Options (follow the Check Certificates in Internet Options steps above)
  • Correct Certification Path (follow the Correct Certification Path steps above)
  • Republish Certificate(s) (follow the Republish Certificate(s) steps under Unauthorized 403 Error above)

  • Delete the OCSP and/or CRL cache (follow the certutil steps under the OCSP section above)

Help Desk

If your issue is not resolved by following the steps in the solutions above, send a message to our Help Desk.

Send a Secure Message

866-618-5988

Email: disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil
Fax: 801-605-7453

Help Desk Hours
Monday - Friday, 06:30 – 24:00 EST