This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Receiving 403/403.7 certificate errors from certain sites with new CAC card

  • 3 replies
  • 3 have this problem
  • 3 views
  • Last reply by h0wdy

more options

Hello,

Whether or not I use CoolKey in Linux or ActivClient in windows, since getting a new CAC/smartcard, I cannot use various DoD and gov sites with Firefox in Linux or Windows.

For instance, I cannot access https://www.bol.navy.mil or https://mypay.dfas.mil/mypay.aspx (click on smartcard login). Although both sites prompt for my CAC pin, they do not allow me to choose a certificate, despite that setting being pressed, and just fail with such errors as:

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

or

Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)

---

AKO/Army Knowledge Online/NKO work fine, prompting for my CAC pin, and then prompting for which cert I want to use.

This has all started since I got a new CAC card last week.

When I use IE in Windows, all of the sites work fine. However, that's obviously not a solution, as I don't want to have to use vbox every time I want to access one of these sites.

The issue is in both win and Linux Firefox. I even tried Firefox on an Ubuntu live cd, and the same problem occurred, so it's not a cached cookie/cert issue either.

Any ideas?

Hello, Whether or not I use CoolKey in Linux or ActivClient in windows, since getting a new CAC/smartcard, I cannot use various DoD and gov sites with Firefox in Linux or Windows. For instance, I cannot access https://www.bol.navy.mil or https://mypay.dfas.mil/mypay.aspx (click on smartcard login). Although both sites prompt for my CAC pin, they do not allow me to choose a certificate, despite that setting being pressed, and just fail with such errors as: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied. or Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213) --- AKO/Army Knowledge Online/NKO work fine, prompting for my CAC pin, and then prompting for which cert I want to use. This has all started since I got a new CAC card last week. When I use IE in Windows, all of the sites work fine. However, that's obviously not a solution, as I don't want to have to use vbox every time I want to access one of these sites. The issue is in both win and Linux Firefox. I even tried Firefox on an Ubuntu live cd, and the same problem occurred, so it's not a cached cookie/cert issue either. Any ideas?

All Replies (3)

more options

Try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.

If that helped to solve the problem then you can remove the renamed cert8.db.old file. Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates. Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.

If that didn't help then remove or rename secmod.db (secmod.db.old) as well.

You can use this button to go to the currently used Firefox profile folder:

more options

I have tried this with new firefox profiles, in virtualbox with win32 firefox, etc.

Regardless, I removed both files and tried what you said, with the same problem.

more options

This problem continues to occur. Some .mil or .gov sites work, whereas others give such errors as:

The page requires a client certificate

The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server will recognize. The client certificate is used for identifying you as a valid user of the resource. Please try the following:

Contact the Web site administrator if you believe you should be able to view this directory or page without a client certificate, or to obtain a client certificate. If you already have a client certificate, use your Web browser's security features to ensure that your client certificate is installed properly. (Some Web browsers refer to client certificates as browser or personal certificates.) HTTP Error 403.7 - Forbidden: SSL client certificate is required. Internet Information Services (IIS)


All these same sites work with IE. The sites that don't work don't even prompt for a certificate with Firefox, they just go straight to failing.