Howdy!
I’ve been converting my main workstation over to NixOS (from Arch) over the past few months. One sticking point is Citrix. I work, in part, for the VA, and use their Citrix Workspace to access the electronic medical record system (this is the only way to access it off-campus).
Using a prior post here and the Arch Wiki, I was able to get Citrix installed, as well as the needed certs.
Login with PIV card (also called CAC) via the browser (I’ve tried Firefox, Chrome, Chromium) works just fine - it asks me for my PIN, authenticates, and I can download the .ica file and launch the VM (without the card inserted, it fails to load the login page, which is the correct behavior).
However, within the Windows VM, doing most things requires secondary authentication, using the PIV card credentials. The Windows VM doesn’t seem to be detecting my card. I’m guessing it’s a passthrough problem, but not sure how to troubleshoot. It works fine on my Arch install, without any configuration beyond what the Arch wiki describes.
My config file is below:
```nix
{
  pkgs,
  ...
}: let
  # Certs have to be manually downloaded for now (I'm sure it could be scripted).
  # General site (no login required): https://public.cyber.mil/pki-pke/pkipke-document-library/
  # Search for "PKCS," pick the "DoD PKI Only" one.
  # Direct link to specific file as of 2023-09-01: https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip
  # Unzip into 'va-certs' and rm the cruft, then import in this order:
  # (`der`, followed by `root_ca_*`, then `pem`).
  extraCerts = [
    ./va-certs/certificates_pkcs7_v5_12_dod_der.p7b
    ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_3_der.p7b
    ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_4_der.p7b
    ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_5_der.p7b
    ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_6_der.p7b
    ./va-certs/certificates_pkcs7_v5_12_dod_pem.p7b
  ];
in {
  environment.systemPackages = [
    (pkgs.citrix_workspace.override {inherit extraCerts;})
    pkgs.ccid
    pkgs.opensc
  ];

  services.pcscd.enable = true;
  security.pam.p11.enable = true;
  security.pki.certificateFiles = [
    ./va-certs/certificates_pkcs7_v5_12_dod_pem.p7b # only takes `pem` files
  ];
}
```
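A diagnostic script, added here and not part of the original post, that checks each layer the PIV card has to clear on the Linux side (pcscd, the ccid reader, the card itself, OpenSC's PKCS#11 module, the PIV certificates) so the first failing layer can be found before looking at the Citrix client. It assumes the config above (pcscd, opensc, ccid) with the OpenSC tools on PATH; the socket-activation detail for pcscd is an assumption.

```sh
#!/usr/bin/env sh
# Layer-by-layer PIV card diagnostic for the NixOS + Citrix setup above.
# Added example, not from the original post. Assumes services.pcscd.enable,
# pkgs.opensc and pkgs.ccid from the config, and that their tools are on PATH.
# A failure at one layer usually explains the failures in the layers after it.

# True when a command or shell function is available.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# check LABEL TOOL CMD... : prints PASS/FAIL/SKIP for one layer.
# Returns 0 on pass, 1 when CMD exits non-zero, 2 when TOOL is not installed.
check() {
  label=$1 tool=$2
  shift 2
  if ! have_cmd "$tool"; then
    printf 'SKIP  %s (%s not installed)\n' "$label" "$tool"
    return 2
  fi
  if "$@" >/dev/null 2>&1; then
    printf 'PASS  %s\n' "$label"
    return 0
  fi
  printf 'FAIL  %s (re-run by hand: %s)\n' "$label" "$*"
  return 1
}

# opensc-tool prints one numbered row per reader; no rows means ccid saw nothing.
reader_listed() { opensc-tool --list-readers 2>/dev/null | grep -q '^[0-9]'; }

# Walk the stack: pcscd -> ccid reader -> card -> OpenSC PKCS#11 -> PIV certs.
# Returns the number of layers that did not pass (each SKIP or FAIL counts one).
piv_stack_report() {
  bad=0
  # Assumption: the NixOS pcscd module uses socket activation, so the socket
  # unit is what must be active; the service itself may idle until first use.
  check "pcscd socket active"         systemctl   systemctl is-active --quiet pcscd.socket || bad=$((bad + 1))
  check "reader enumerated (ccid)"    opensc-tool reader_listed || bad=$((bad + 1))
  check "card present (ATR read)"     opensc-tool opensc-tool --atr || bad=$((bad + 1))
  check "PKCS#11 module loads, slots" pkcs11-tool pkcs11-tool --module opensc-pkcs11.so --list-slots || bad=$((bad + 1))
  check "PIV certificates readable"   pkcs11-tool pkcs11-tool --module opensc-pkcs11.so --list-objects --type cert || bad=$((bad + 1))
  return $bad
}

piv_stack_report
```

If every layer passes here but the Windows session still sees no card, the problem is on the Citrix side of the boundary rather than in the NixOS smart-card stack.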