Search MilitaryCAC:

Site Map

Please ShareThis website with your friends and colleagues

  MilitaryCAC.com logo

.com | .us | .ml  | .mobi | .net | .org

 

The Definitive Source for Everything CAC

Common Access Card help for your

Personal Computer

 Be notified of
page updates
it's private
powered by
ChangeDetection

 

Also available at:

https://MilitaryCAC.com

 

Make a Donation button image

 

 

PERSONAL IDENTITY VERIFICATION (PIV) ACTIVATION INFORMATION PAGE (including updating Email address on CAC) 64bit / 32bit

 
Enterprise Webmail link:

https://web.mail.mil

    

Dual Persona users have to activate the PIV on each of their CACs in order to access their Enterprise Email account(s).

 

Accessing web.mail.mil requires the steps below and an existing DoD Enterprise Email address

 

Windows Installation Steps

Step 1: Obtain a CAC Reader
Step 2: CAC Reader driver
Step 3: DoD Certificates
Step 4: ActivClient  (or Smart Card Manager)  The built in Smart Card ability of Windows 7, 8, 8.1, & 10 will not see the PIV certificate
Step 4a: Update ActivClient
Step 5: IE adjustments
Step 6: Select the PIV certificate when prompted

 

Example, select U.S. Government PIV, NOT the DOD EMAIL certificate
PIV image

Windows 10 users will see this
Windows 10 cert selection

Mac users needing to use their PIV certificate need to select one of the non Email certs and scroll down to verify the NT Principal Name.  It will be your 10 digit DoD ID # followed immediately by 6 more digits: 121004 = MIL, 121002 = CIV, 121005 = CTR, or 121001 = NAF.  If you don't see NT Principal Name, select the other non email certificate.  If you don't see another option, then you may need to find a Windows computer and reactivate your PIV cert again.
NTPrincipalName


Mac Users - The ability to activate your PIV is not possible on the Mac OS.  You need to find a Windows 7 (or 10) computer (maybe at your unit), or virtualize Windows and then follow the information on this page..

How to activate your PIV Certificate on your CAC on a Windows 10 computer with ActivID 7.1.0.153

 

 

 

 

Question / Problem: How do I "add" a PIV certificate to my CAC, so, I can access my DoD Enterprise Email?  Technically, the PIV cert is already on your CAC but is hidden by default.  Since DMDC has classified you as a "Dual Persona" individual you need to "expose" it.  (Dual Persona is an Army Reserve [or Guard] Soldier who is [or has ever also been] a DoD civilian [or contractor] therefore authorized to carry two CACs at the same time).  Some people who were previously a contractor [or civilian] in the past [even if you left the job] and are still classified as dual persona.  This may be a reason why you cannot access your webmail.  If you want to verify this first, call the Army Enterprise Service Desk (866-335-2769) and have them check your status in DEPO. 

.

Solution 1 (highest success rate) - Windows 7 computers with ActivClient 6.2.0.x & Java:  Read notes below FIRST, Go to:  https://www.dmdc.osd.mil/self_service

Note: Some of the screens may look different, since DMDC has modified their webpage and not updated their guide.

NOTE2:  If you have problems while on the RAPIDS Self Service website, contact the DMDC help desk.

 

Some items NOT mentioned in the guide above: 

--You cannot use the same email address on both cards.  See error message.   Here's how to change your email address on your CAC.  This can also be used to add an email address to your CAC if you don't already have an email address on it.

--Your system needs to be all 32 bit or all 64 bit, which means:

 

 

PIV Activation on a 64 bit Windows Computer

.

NOTE: This process will NOT work with the built in Smart Card utility in Windows 10, 8.1, 8, or 7.  It requires ActivClient / ActivID on the Windows computer

 

PIV Activation Step 1- Install ActivClient / ActivID

 

-64 bit ActivID 7.1.0.153 (Windows 10, 8.1, 8, & 7 users)

 

PIV Activation Step 2- Install 64 bit Java from https://java.com/en/download/manual.jsp, Select: Windows Offline (64-bit)

 .

PIV Activation Step 3- Add 3 web addresses to:  Control Panel > Java > Security (tab) > Edit Site List:   https://pki.dmdc.osd.mil, https://www.dmdc.osd.mil, and https://idco.dmdc.osd.mil

 

PIV Activation Step 4- In Internet Explorer 11, Select Enable 64-bit processes for Enhanced Protected Mode* [in Internet Options, Advanced Tab] to run IE in 64 bit mode.  By default, IE 11 runs in 32 bit mode.  More information can be read here. 

 

PIV Activation Step 5-  Visit https://www.dmdc.osd.mil/self_service

 

 

 

PIV Activation on a 32 bit Windows Computer

 

NOTE: This process will NOT work with the built in Smart Card utility in Windows 10, 8.1, 8, or 7.  It requires ActivClient / ActivID on the computer

 

PIV Activation Step 1- Install ActivClient / ActivID

 

-32 bit ActivID 7.1.0.153 (Windows 10, 8.1, 8, & 7 users)

 

PIV Activation Step 2- Install Java from https://www.java.com

 

PIV Activation Step 3- Add 3 web addresses to:  Control Panel > Java > Security (tab) > Edit Site List:   https://pki.dmdc.osd.mil, https://www.dmdc.osd.mil, and https://idco.dmdc.osd.mil

 

-32 bit Internet Explorer (Start, All Programs, Internet Explorer) Windows 8, do NOT use the IE from the tiles menu

 

PIV Activation Step 4-  Visit https://www.dmdc.osd.mil/self_service

 

 

Immediately after your PIV is activated, remove your CAC from the reader, then reinsert it.  You "should" now see 4 certificates when looking in Internet Explorer, Tools, Internet Options, Content (tab), certificates (button), Personal (tab).

 

 

Non-Solution for Mac Users:  I have found no way for you to activate your PIV using a Mac.  The recommended method is to find a Windows 10, 7, Vista, or XP computer and follow Instructions above.

 

 

Solution 2:  DMDCs Self Service website is working better now than it did originally for activating users PIV authentication certificate.  This affects every person who hold the dual persona role(s).  You can manually configure ActivClient to expose your PIV cert on your computer (Windows 7, Vista, or XP with ActivClient 6.2.0.x installed).  This will have to be done on every computer you need to access your mail.mil email on.  This solution negates the issue with DMDCs Self Service website to expose your certificate. 

 .

Here's how to expose your PIV cert via ActivClient using Windows 7

NOTE: If you use WAWF, DO NOT do this, you must activate your PIV above.

 -ActivClient 6.2.0.x users need to update to the latest version.  [You can ignore the need for restart here] 

-After you have installed the latest update, open ActivClient, Click Tools, Advanced, Configuration (requires elevated access on Government systems), scroll down [and click on] Smart Card, click line titled: Prefer GSC-IS over PIV EndPoint...  change the Yes to a No

-You will be prompted to restart the computer.  After the restart every time you go to https://web.mail.mil,  you'll have to select the certificate that says PIV, (NOT the Email certificate).  Government computer users will need to make sure they select the 10 digit certificate to login to the computer, and 16 digit to check your email.  If you select the 16 digit during login, you will get DoD visitor, or Credentials cannot be verified error message.

--ActivClient 7.0.2.x users need to update to the latest version, then modify the following registry key for this option:  HKEY_LOCAL_MACHINE \ SOFTWARE \ ActivIdentity \ ActivClient \ Card Discover \ CardEdge \ DefaultCardEdge =1

--ActivClient update version of 7.0.2.308 and above show your PIV automatically.

--Another person had to modify this registry key instead:  HKEY_LOCAL_MACHINE \ SOFTWARE \ ActivIdentity \ SecurityModuleMW \ DiscoveryProvider \ CardEdge \ PIVIgnoredExtensions \ Value 1 (Right click modify (change to 0 from 1))  See image

New image--ActivClient 7.1.0.x users need to modify the following registry key for this option: HKEY_LOCAL_MACHINE \ SOFTWARE \ HID Global \ SecurityModuleMW \ DiscoveryProvider \ CardEdge \ PIVIgnoredExtensions \ Value 1 (Right click modify (change to 0 from 1)) See image

 

WAWF (Wide Area Work Flow) users:  When the Wide Area Workflow website updated and moved to CAC / certificate only logon, a Dual-Persona user who has the ActivClient setting changed will find out the WAWF website will not correctly read their DoD x.509 certificate and will therefore receive a 'No Certificates Found!' message.

If you are a Dual Persona and need to access both Enterprise Email and WAWF, you MUST undo the ActivClient setting (change back to YES) and activate your PIV certificate via the RAPIDS Self Service website.  After that, the WAWF website will correctly read your certificates and allow you to register your CAC.

 

 

 

Question:  What exactly is "Dual Persona?"

 

Answer:  The easiest way to explain is to give you an example:  an Army Reserve [or Guard] Soldier who is also a DoD civilian [or contractor] who is authorized [or required] to have / carry / use two separate CACs.  We have found people who were previously a contractor [or civilian] during the past three to five years [even if they left the job a year ago] are still classified as a Dual Persona in the eyes of DMDC and DISA.

 

Individuals that fall into this category HAVE to activate their PIV certificate to be able to access their email in the DoD Enterprise Email.  If you want to validate this prior to going through this process.  Call the Army Enterprise Service Desk-Worldwide at 866-335-2769 and select Enterprise Email.  Ask the agent to look in DEPO to verify if you are PIV AUTH.

 

 

 

NOTE:  Java 7 update 71 was the last version that had the ability to slide the Security bar to Medium.  This is needed for the DMDC Self Service (PIV activation) site to work, read more here.  You can update to the current version of Java once you activate your PIV cert.

 

Download Java 7 update 71 (64 bit) from MilitaryCAC or AKO

 

Download Java 7 update 71 (32 bit) from MilitaryCAC or AKO 

 

 If you have questions or suggestions for this site, contact Michael J. Danberry
Are you interested in subscribing to the CACNews email list?

Disclaimer

 

ACRONYM Reference Page

 

GoDaddy Site Certified seal

.

Last Update or Review:  Tuesday, 19 September 2017 14:28 hrs

 

The following domain names all resolve to the same website:  ChiefsCACSite.com, CommonAccessCard.us, CommonAccessCard.info, & ChiefGeek.us