ako army security
I've tried following AKO's advice, previous posts on this site, http://militarycac.com/dodcerts.htm, etc.
Please help me install all needed certs, so this message stops appearing:
"Secure Connection Failed
An error occurred during a connection to akocert.us.army.mil.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
The page you are trying to view can not be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site."
All Replies (16)
Please update to Firefox 19: Update Firefox to the latest release
Updated, cleared history, closed, reopened. Still no go.
I just found a solution that works to get past this error - and it's simple.
I copied/pasted the address of the site I was trying to connect to (i.e. the short string separated with periods - dtms.army.mil - for instance) into a Google search field. Then I clicked on the website it's trying to connect to (https://dtms.army.mil). (Possibly you could simply type it into your address field with the "https://" at the beginning; I'm simply giving you how I discovered a solution.)
Attempting to go to that website should give you the same type of error, except that it gives you the option to add an exception. Once you've added an exception, you can go back to AKO and / or refresh the tab you were attempting to access My Training on.
You should install the DoD certificates in Firefox instead of adding an exception.
I have installed all the certs, as far as I know. You run into a problem accessing the My Training page with Firefox and you have to go around the error to even open the page.
You can download and save the InstallerRoot 3.16A file under Trust Store Management from this page:
That is a ZIP archive (unclass-installroot_v3-16a.zip) and you can import this file in the Firefox Certificate Manager:
- unclass-installroot_v3-16a.zip/InstallRoot_v3.16A/PKCS7/InstallRoot_PKCS7_v3.16A.der.p7b
(you need to extract this p7b file).
If you get an error that the certificate is already installed then remove all installed DoD certificates and close and restart Firefox.
You need to set all trust bits for the DoD Root CA-2 certificate to make it possible to use it as a trusted root certificate.
All others are intermediate certificates and should never have trust bits set.
See the README.txt file in the InstallRoot_v3.16A/PKCS7/ folder for instructions
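The rule in the reply above (trust bits on the root only, none on intermediates) can be checked against the bundle before importing it. This is an added example, not part of the original reply or the InstallRoot package; the sample input is constructed, the two EXAMPLE certificate names are made up, and the `C,C,C` trust string is an assumed NSS equivalent of "all trust bits".

```shell
#!/bin/sh
# Added example: decide which certificates in a PKCS#7 bundle should get trust
# bits. Input is the text printed by:
#   openssl pkcs7 -inform DER -in InstallRoot_PKCS7_v3.16A.der.p7b -print_certs
# A certificate whose subject equals its issuer is treated as a root; this is
# a name comparison only, not a signature check.

# Constructed sample of -print_certs output (the two EXAMPLE names are made up).
sample_print_certs() {
cat <<'EOF'
subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=EXAMPLE INTERMEDIATE CA-1
issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=EXAMPLE EMAIL CA-1
issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
EOF
}

# Print "<role> TAB <trust flags> TAB <subject>" for every certificate.
# "C,C,C" is assumed here as the NSS trust string matching "all trust bits";
# ",," means no trust bits, which is what an intermediate should carry.
classify_certs() {
    awk '
        /^subject=/ { subj = substr($0, 9) }
        /^issuer=/  {
            role  = (subj == substr($0, 8)) ? "root" : "intermediate"
            flags = (role == "root") ? "C,C,C" : ",,"
            printf "%s\t%s\t%s\n", role, flags, subj
        }'
}

# Print only the common names of the roots, i.e. the entries to trust by hand.
roots_needing_trust() {
    classify_certs | awk -F'\t' '$1 == "root" { print $3 }' | sed 's/.*CN *= *//'
}

sample_print_certs | classify_certs
```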
I just recently retired from my contractor job and since I'm also retired Army I'm having to start accessing my AKO account from the house using my username/password. I tested it before turning my CAC in last Friday and it worked fine from my work computer. Trying today from home on my Linux box is another story. I keep getting:
An error occurred during a connection to akocert.us.army.mil.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
I've followed the instructions above and downloaded and installed the certs, still doesn't work. I'm running Firefox 22.0. Any help would be appreciated.
Is the CAC installed correctly?
- Tools > Options > Advanced : Encryption: Certificates > Security Devices
I'm not using a CAC on my home Linux box. Never have, I'm trying to log in with my username/password.
I might add that when trying to install the InstallRoot_PKCS7_v3.16A.der.p7b cert I get the below:
This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
Although when trying to install again it says certificate already installed. Also, when the error "SSL peer cannot verify your certificate" pops up, is it looking for 'my' certificate?
You need to remove all existing DOD certificates or at least the root certificate under the Authorities tab.
Also make sure to set all trust bits for the "DoD Root CA-2" certificate.
There are also EMAIL certificates installed that aren't needed for Firefox and can be removed.
Here is what I've done to no avail:
1. Downloaded InstallRoot v3 16a.zip
2. Unzipped into two folders, PKCS7 and Windows
3. Since I'm on Linux I opened PKCS7 and inside of that are these files:
- DoD_PKE_CA_chain.pem
- InstallRoot_PKCS7_v3.16A.der.p7b
- InstallRoot_PKCS7_v3.16A.pem.p7b
- InstallRoot_PKCS7_v3.16A.pem-signed.p7b
- InstallRoot_PKCS7_v3.16A.sha1
- InstallRoot_PKCS7_v3.16A.sha256
- README.txt
Per the 'ReadMe' file I imported the InstallRoot_PKCS7_v3.16A.der.p7b file after removing all the DoD certs. All trust bits are set for DoD Root CA 2. Still nothing. Is there a port I need to open on the firewall? All other sites work with no problem, is AKO really that different?
I have found that I can log directly into AKO webmail with no problem with this link: https://webmail.us.army.mil/. Once logged in I can access the rest of the AKO site as normal. So my certs must be working right; I just have no idea why I keep getting the SSL error when trying to log in normally.
I have no intention of killing off a working client certificate system (works with IE, Chrome, etc) just to make Firefox happy. Firefox requires a fix.
The only difference seems to be that they do not send DoD intermediate certificates, apart from the fact that Firefox doesn't have the DoD root certificates. So all required intermediate certificates need to be installed as well in addition to the root certificate, and also a possible CAC reader needs to be installed and working properly.
- Firefox/Tools > Options > Advanced > Encryption: Certificates > Security Devices
My CAC reader is installed on the system. The card is in place and logged in. It works everywhere except Firefox. Going back to Chrome.