
Install External Certification Authority Tokens

This guide walks you through obtaining a DoD-approved External Certification Authority (ECA) hardware token from IdenTrust and configuring it for use with Platform One (P1) to access Impact Level 4 (IL4) and Impact Level 5 (IL5) resources.

Tested setup

  • MacBook Pro (M2)
  • IOGEAR GSR203 card reader

Step 1 — Acquire an ECA hardware token

Warning

  • You must obtain and install the ECA token before you can use the card to access IL4 and IL5 environments.
  • You must complete the token acquisition process within 30 days of purchase, or you will need to start over.

Submit ECA request through IdenTrust

  1. Visit IdenTrust ECA Certificates for DoD Access.
  2. Click BUY NOW and follow these steps:
    1. Select My Federal Program is not Listed
    2. Confirm that you live in the U.S.
    3. Select the certificate as ECA Medium Token Assurance | Hardware Storage.
    4. Select 1 year validity period.
    5. Select HID Smart Card (with or without a card reader, as needed).
  3. Complete the checkout process.
  4. Download and print the Certificate Forms Packet when provided.

Complete authorization forms

  1. Open the Certificate Forms Packet and fill out Page 2 with applicant and Organization Officer information.
  2. Have your Organization Officer ink-sign and date the form.
  3. Complete Page 4 in front of a licensed notary, presenting two valid IDs based on the following requirements:
    • U.S. Citizens: Provide one ID from List A + one from List B or C,
      OR provide one from List B + one from List C.
    • Non-U.S. Citizens: Provide a valid passport + one ID from List B.
    • If you declared multiple citizenship in your certificate request, you must present a valid passport for each.

    Tip: Confirm with your notary ahead of time which forms of ID they will accept, as this may vary by jurisdiction.

    Accepted Forms of Identification

    List A — Photo ID establishing identity and citizenship
      - Passport from country of citizenship
      - Certificate of U.S. Citizenship issued by USCIS (formerly INS)
      - Certificate of Naturalization issued by a court of competent jurisdiction (pre- or post-1991)

    List B — Photo ID establishing identity
      - Military ID with photo
      - Driver’s license or government-issued ID card with photo
      - Permanent or Unexpired Temporary Resident Card issued by USCIS with photo

    List C — Document establishing U.S. citizenship
      - Consular Report of Birth from a U.S. Consulate (Form FS-240)
      - Certificate of Birth Abroad issued by the U.S. Department of State (Form DS-1350)
      - Original or certified copy of birth certificate issued by a county, state, or government authority bearing an official seal

  4. Mail the completed forms with tracking to IdenTrust HQ. IdenTrust will call your Organization Officer to verify submission. Ensure they are available.

Receive and activate your ECA token

After approval (typically 3–5 business days), you will receive an installation email. Do not proceed until you have your token and card reader in hand.


Step 2 — Provision your ECA card

Install OpenSC

  1. Download the latest version from OpenSC Releases.
  2. Install using the .dmg installer. If you are familiar with Homebrew, you may use it — but note that all library paths will differ from those used in this guide.

Reboot and initialize card reader

  1. Reboot your computer with the card reader disconnected.
  2. After logging back in, connect the reader and insert your ECA card. You should see a prompt to pair the card with your account — this confirms the card is working.

(Optional) Test OpenSC with your card

Open Terminal and run:

/Library/OpenSC/bin/pkcs11-tool --login --test

If successful, the output will resemble the following example and will end with "No errors".

$ /Library/OpenSC/bin/pkcs11-tool --login --test

Using slot 0 with a present token (0x0)
Logging in to "Johnny Example:A0000B0000000...".
Please enter User PIN: ******

C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (CAC Cert 5)  -- can't be used for signature, skipping
  testing key 1 (CAC Cert 14)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (CAC Cert 14) with 1 mechanism
    RSA-X-509: OK
Verify (currently only for RSA)
  testing key 0 (CAC Cert 5) -- can't be used to sign/verify, skipping
  testing key 1 (CAC Cert 14) with 1 mechanism
    RSA-X-509: OK
Decryption (currently only for RSA)
  testing key 0 (CAC Cert 5)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (CAC Cert 14) -- can't be used to decrypt, skipping
No errors

Retrieve and install IdenTrust certificates

  1. Open the email from Registration@identrust.com.
  2. Follow the link to www.identrust.com/install. Enter the activation code and the password you created during checkout (see Submit ECA request through IdenTrust).
  3. Download and run the retrieval application as instructed.

Step 3 — Install required certificates

Install DoD Certificates

Follow the guide on MilitaryCAC.com to download and install the DoD certificates for your Mac. Ensure the certificates are installed in both the macOS keychain and Firefox (step 5a of that guide).

Install IdenTrust ECA Root Certificates

Download the IdenTrust ECA Root Certificates from this link. Install them using the same method as the DoD certificates.


Step 4 — Configure applications for smart card use

For applications that support PKCS#11 libraries, point them at the OpenSC module installed by the .dmg:

/Library/OpenSC/lib/onepin-opensc-pkcs11.so

If you installed OpenSC through Homebrew instead, this path will differ.
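As an added example that is not part of this guide or of the OpenSC project, the following POSIX shell script ties together the optional self-test above and the module path in this step. It locates the OpenSC PKCS#11 module (the guide's /Library/OpenSC path first, then Homebrew locations under /opt/homebrew and /usr/local, which are an assumption of this example), runs the pkcs11-tool self-test through that module, and judges the run by whether its final line is "No errors" instead of relying on a visual scan. It also lists the keys the self-test reported as unusable for signing, and, as a further assumption, calls OpenSSH's ssh-keygen -D on the same module to show which identities an application loading it would see. The PKCS11_TOOL path and the ECA_CHECK_RUN guard are names introduced by this example.

```shell
#!/bin/sh
# eca-check.sh: added example, not part of the Platform One guide or OpenSC.
# Finds the OpenSC PKCS#11 module, runs the pkcs11-tool self-test the guide
# describes, and accepts the run only if its last line reads "No errors".
#
# Assumptions (not stated in the guide): Homebrew installs OpenSC under
# /opt/homebrew or /usr/local, and OpenSSH's ssh-keygen -D can load the
# module to list the public keys the card exposes.

PKCS11_TOOL="${PKCS11_TOOL:-/Library/OpenSC/bin/pkcs11-tool}"

# Print the first candidate module path that exists. Candidates may be
# passed as arguments; otherwise the guide's .dmg path is tried first,
# then the assumed Homebrew locations. Returns 1 if none exist.
find_opensc_module() {
    if [ "$#" -eq 0 ]; then
        set -- \
            /Library/OpenSC/lib/onepin-opensc-pkcs11.so \
            /Library/OpenSC/lib/opensc-pkcs11.so \
            /opt/homebrew/lib/onepin-opensc-pkcs11.so \
            /usr/local/lib/onepin-opensc-pkcs11.so
    fi
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Read pkcs11-tool --test output on stdin; succeed only if the last
# non-blank line is exactly "No errors".
selftest_passed() {
    last=$(awk 'NF { last = $0 } END { print last }')
    [ "$last" = "No errors" ]
}

# Read the same output on stdin and print, one per line, the labels of
# keys the Signatures section skipped (e.g. "CAC Cert 5"), so you know
# which key an application must not be pointed at for signing.
keys_skipped_for_signing() {
    awk '/^Signatures/ { insig = 1; next }
         /^Verify/     { insig = 0 }
         insig && /can.t be used for signature/ {
             if (match($0, /\(.*\)/)) print substr($0, RSTART + 1, RLENGTH - 2)
         }'
}

main() {
    module=$(find_opensc_module) || {
        echo "OpenSC PKCS#11 module not found; install OpenSC first" >&2
        return 1
    }
    echo "Using module: $module"
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    # tee keeps the PIN prompt and results visible on screen while also
    # saving them for the checks below.
    "$PKCS11_TOOL" --module "$module" --login --test 2>&1 | tee "$tmp"
    if ! selftest_passed < "$tmp"; then
        echo "Self-test did not end with 'No errors'; check card and reader" >&2
        return 1
    fi
    echo "Self-test OK. Keys the test could not use for signing:"
    keys_skipped_for_signing < "$tmp"
    # Assumed: OpenSSH can load the same module and list the card's public keys.
    ssh-keygen -D "$module" || echo "(ssh-keygen could not load the module)" >&2
}

# Run only when invoked explicitly, so the functions can also be sourced.
if [ "${ECA_CHECK_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it with `ECA_CHECK_RUN=1 sh eca-check.sh` after the card is inserted; a non-zero exit means either the module was not found or the self-test did not finish cleanly, which is the signal to revisit Step 2 before configuring any application.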