I am building a Python application to pull data from a website. The application has to authenticate (HTTPS/SSL) with a CAC card and PIN in order to make requests.

Am I correct in my assumption that you can't retrieve the private key from a CAC card, and that I am therefore stuck using a PKCS #11 wrapper like PyKCS?

Any tips or resources for going about this?

A: 

You are correct. That's the whole purpose of the smart card: to keep the private keys safe. If your application is running in Windows, you can try using WININET.DLL for your connectivity. With the correct middleware installed, it should handle authentication to the CAC-enabled site automatically.

Vlad
+2  A: 

Authentication and signature keys are usually generated on the card and are not extractable, unlike encryption keys which can/should be escrowed somewhere.

See http://stackoverflow.com/questions/2195179/need-help-using-m2crypto-engine-to-access-usb-token for an example with M2Crypto that explains how to use a smart card via PKCS#11 for website access in Python.

martin
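
Added example, not part of the original answers: a sketch of how a PKCS#11 wrapper sees the non-extractable keys described above, by reading each private key's `CKA_SENSITIVE` and `CKA_EXTRACTABLE` attributes. The PyKCS11 calls in `open_card_session` need real middleware and a reader; the module path, the PIN and the `FakeSession` sample data are assumptions constructed so the audit runs offline.

```python
# Added example; not code from the thread. The numeric constants are the
# standard PKCS#11 attribute/class values that PyKCS11 also exposes.
CKA_CLASS, CKA_LABEL, CKA_SENSITIVE, CKA_SIGN = 0x000, 0x003, 0x103, 0x108
CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE = 0x162, 0x164
CKO_PRIVATE_KEY = 0x3
WANTED = [CKA_LABEL, CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE, CKA_SIGN]


def open_card_session(module_path, pin):
    """Log in to the first token present (needs PyKCS11, middleware, a reader)."""
    import PyKCS11  # lazy import so the audit below also runs without a card
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)  # assumption: path to the middleware's PKCS#11 library
    slot = lib.getSlotList(tokenPresent=True)[0]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    return session


def audit_private_keys(session):
    """Report, per private key, whether the token will ever release the key."""
    report = []
    for key in session.findObjects([(CKA_CLASS, CKO_PRIVATE_KEY)]):
        label, sensitive, extractable, never, can_sign = session.getAttributeValue(key, WANTED)
        report.append({
            "label": label,
            "can_sign": bool(can_sign),
            # Sensitive: no plaintext read. Not extractable: no wrapped export.
            "confined_to_card": bool(sensitive) and not bool(extractable),
            "never_extractable": bool(never),
        })
    return report


class FakeSession:
    """Constructed stand-in for a logged-in session so the audit runs offline."""
    KEYS = {  # handle -> attribute values (constructed sample data)
        1: dict(zip(WANTED, ["card-generated signing key", True, False, True, True])),
        2: dict(zip(WANTED, ["wrappable key", True, True, False, False])),
    }

    def findObjects(self, template):
        return list(self.KEYS)

    def getAttributeValue(self, handle, attrs):
        return [self.KEYS[handle][a] for a in attrs]


if __name__ == "__main__":
    for row in audit_private_keys(FakeSession()):
        print(row)
```

With a real card, pass the result of `open_card_session(...)` to `audit_private_keys` instead of `FakeSession()`.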
A: 

I would attempt to find out if an ECA cert is a suitable substitute. For example, there are sites that accept CAC and ECA certs. For more info: http://iase.disa.mil/pki/eca/certificate.html

Raymond