
DoD Common Access Card (CAC) Reader


The US Department of Defense (DoD) now limits access to many of its websites to users who authenticate with a smart Common Access Card (CAC) and a Personal Identification Number (PIN). The following guide assists in setting up MX Linux to access CAC-enabled DoD websites.

Install the Middleware

The Linux CAC Reader stack is based on a set of middleware called PCSC (Personal Computer Smart Card), written by the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project.

Enter this into Terminal and execute:

sudo apt install libpcsclite1 pcscd pcsc-tools

PKCS #11 module

There are three working modules to access the PKCS #11 keys on your CAC. Each has its strengths and limitations. You will need to choose the one that works best for you. In most situations, CoolKey is preferred.


OpenSC provides a set of utilities to access smart cards. It facilitates their use in security applications such as mail encryption, authentication, and digital signature. This module has a broader feature set than CoolKey or CACkey, and individuals who are Dual Persona are able to access their PIV certificate with it. This module is speedy like CoolKey and doesn’t lag like CACkey. The downside is that this module causes the pcsc daemon to require restarts from time to time. This may be the best option if you are Dual Persona and do not wish to use CACkey from DISA.

In Terminal:

sudo apt-get install opensc


Coolkey is available through the software repositories. This is arguably the most stable method for accessing your CAC. The downside is that Dual Persona individuals who have the activated PIV certificate will not be able to access it, and so will not be able to access the DoD Enterprise Email certificates. If you are not Dual Persona, this is by far the best module to use, as it is stable, accesses certificates quickly and does not cause the pcsc daemon to hang. Note: Coolkey is not able to use the PIV certificate. Direct link to the software package:

In Terminal:

sudo apt install coolkey

Smart Card Reader Driver

Without installing any additional drivers, the following card readers are tested and work without issue:

  • SCR3310 by SCM Microsystems (currently being issued to members by the US Army for use on personal computers)
  • SCR3500 by SCM Microsystems (many members purchase this as a more compact alternative to the SCR3310)
  • O2 Micro, Inc (built in to many Dell laptops)

You may have to install additional drivers for your hardware. Check your hardware and search using the key word pcsc.

Start Up the Daemon

To start the service in terminal:

sudo service pcscd start

To enable the service:

sudo update-rc.d pcscd defaults

Testing your Smart Card Driver

Open a terminal (e.g. konsole, x-term or other) and type/enter. You might have to insert a smart card in order for the message to appear.


Output similar to the following means the card reader is working properly:

PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.8
Using reader plug’n play mechanism
Scanning present readers…
0: O2 Micro Oz776 00 00
Sun Mar 24 11:40:07 2013
Reader 0: O2 Micro Oz776 00 00
Card state: Card removed

Output similar to this indicates a need to check for additional driver requirements for your hardware:

PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.8
Using reader plug’n play mechanism
Scanning present readers…
Waiting for the first reader…
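The two outcomes above can be told apart automatically. The following is an added example, not part of the original guide: it reads scanner output on stdin and reports the last known card state per reader. It assumes the output comes from pcsc_scan in the pcsc-tools package installed earlier and that a present card is reported with a "Card inserted" state line; the sample input is constructed.

```shell
#!/bin/sh
# Added example: summarize PC/SC scanner output (read from stdin).
# Prints "no-reader" when the scanner is still waiting for a reader,
# otherwise one line per reader with its most recent card state.

reader_states() {
    awk '
        /^ *Reader [0-9]+: / {            # start of a status block for one reader
            sub(/^ */, ""); current = $0; next
        }
        /Card state:/ && current != "" {  # state line belonging to that reader
            if ($0 ~ /Card inserted/)      state = "inserted"
            else if ($0 ~ /Card removed/)  state = "removed"
            else                           state = "other"
            if (!(current in last)) order[++n] = current
            last[current] = state          # later events overwrite earlier ones
        }
        /Waiting for the first reader/ { waiting = 1 }
        END {
            if (n == 0) { print (waiting ? "no-reader" : "unknown"); exit }
            for (i = 1; i <= n; i++) print order[i] ": " last[order[i]]
        }
    '
}

# Constructed sample: the card is pulled and re-inserted during the scan.
sample_reinsert() {
    cat <<'EOF'
Scanning present readers...
0: O2 Micro Oz776 00 00
Reader 0: O2 Micro Oz776 00 00
  Card state: Card removed
Reader 0: O2 Micro Oz776 00 00
  Card state: Card inserted
EOF
}

sample_reinsert | reader_states
```

If the reported state does not change after the card is removed and re-inserted, that matches the unresponsive-daemon symptom described in the troubleshooting section of this guide.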

Authority Certificates

Download, extract, and install the DoD Certificates.

The certificates can be obtained from this link:

Make note of the location where you stored these certificates.

Configure Firefox

Firefox requires manual selection of the PKCS #11 module.

Import Certificates

The current method of installing the certificates is one-by-one. This can be done through Firefox’s import mechanism.

Firefox 56 and earlier

Preferences > Advanced > Encryption > View Certificates

Firefox 57 and later

Preferences > Privacy & Security
Scroll Down to Security Section
Select View Certificates

Continue for All versions of Firefox

Select the Import… button at the bottom of the dialog and install the following certificates.

  • Certificates_PKCS7_v5.10_WCF_DoD_WCF_Root_CA_1.der.p7b
  • Certificates_PKCS7_v5.10_WCF.der.p7b
  • Certificates_PKCS7_v5.10_WCF.pem.p7b

Set Firefox to Require Selection of Certificate

When accessing multiple CAC protected pages, some pages will require different certificates from the card. Some require the non-email certificate while Enterprise Email will require the email certificate.

Firefox 56 and earlier

Preferences > Advanced > Encryption
Select the radio button in front of “Ask me every time.”

Firefox 57 and later

Preferences > Privacy & Security
Scroll Down to Security Section
Below the Certificates heading, select the radio button in front of “Ask me every time.”

Set CAC Module

Firefox 56 and earlier

Select from the menu, Preferences > Advanced > Encryption > Security Devices

Firefox 57 and later

Open Preferences > Privacy & Security
Scroll Down to Security Section
Select Security Devices

Continue for All versions of Firefox

Check the left column. It should show an entry similar to “CAC Module” along with certificate(s) as a sub-item. If it doesn’t work then the entries are wrong.
Select the entry and select Unload to remove the security device

To install/reinstall the CAC driver in Firefox using the above listed Security Devices
Select Load on the dialog box

Module name should be something like: DoD CAC

Module filename: either type in or browse to the location of the, or drivers



Configure Chrome / Chromium

Unfortunately, Chrome (Chromium) doesn’t automatically recognize the CAC once you’ve completed all the previous steps but it doesn’t take much more work to get Chrome to work with the CAC.

In Terminal:

modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/

Make sure that the utility is properly installed, in Terminal:

modutil -dbdir sql:.pki/nssdb/ -list

If it is properly installed there will be an entry with “CAC Module” and details of the library, slot and status. If you were not in your home directory when configuring modutil you will receive an error like:

“modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.”

Chrome should now be able to utilize the CAC without any issues
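The SEC_ERROR_BAD_DATABASE error above comes from the relative database path, and the module file is native code that the browser will load. The following is an added example, not part of the original guide: it builds an absolute database path and checks the module file before registering it. It assumes the database is at $HOME/.pki/nssdb (what the guide's relative path resolves to from the home directory); the function names are hypothetical and the module path is supplied by the caller.

```shell
#!/bin/sh
# Added example: register a PKCS #11 module in the per-user NSS database
# without depending on the current directory.

# Absolute form of the guide's "sql:.pki/nssdb/".
nssdb_spec() {
    printf 'sql:%s/.pki/nssdb\n' "${HOME%/}"
}

# $1 = module path, $2 = expected owner (default: root).
# Succeeds and prints the resolved path only for a regular file with the
# expected owner that is not writable by group or others.
module_file_ok() {
    real=$(readlink -f "$1") || return 1
    [ -n "$real" ] || return 1
    hit=$(find "$real" -prune -type f -user "${2:-root}" \
              ! -perm -020 ! -perm -002 2>/dev/null || true)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$real"
}

# $1 = module name (for example "CAC Module"), $2 = path to the module file.
add_module() {
    lib=$(module_file_ok "$2") || { echo "refusing to load: $2" >&2; return 1; }
    db=$(nssdb_spec)
    modutil -dbdir "$db" -add "$1" -libfile "$lib" || return 1
    # Confirm the entry is present, as the guide does with -list.
    modutil -dbdir "$db" -list | grep -qF "$1"
}

# Run as: sh add-module.sh "CAC Module" /path/to/module.so
if [ "$#" -eq 2 ]; then
    add_module "$1" "$2"
fi
```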

Removing CAC Module

If you have previously installed and you wish to utilize CoolKey instead, you will have to unload the “CAC Module”:

modutil -dbdir sql:.pki/nssdb/ -delete "CAC Module"

Test out your browser

Go to a CAC-enabled web site and test the CAC login.

Be patient as there may be a delay while authenticating with the CAC.

The PIN and certificate selection authentication process is in the reverse of what you may be used to when using non-Linux machines. Expect to be prompted first for PIN and then certificate selection.


At any time, if you don’t seem to get a response from the Smart Card, check whether the daemon is active by executing this in terminal:


If you remove and insert your card with no response during the scan, the daemon has crashed.

If you find that the pcsc daemon has crashed you can run this in terminal to restart the daemon:

sudo service pcscd restart

External Links Linux Page
CACkey Alternate Download Site

2 thoughts on “DoD Common Access Card (CAC) Reader”

  1. This guide has been awesome. My Firefox works great, however, I cannot get my Chromium to do anything. I loaded the DOD certs into it and have tried several websites with no luck. The browser never prompts me for a cert. Any advice?

  2. These instructions are great – I was able to get it working with Firefox, Chrome, Chromium, and even Brave on Peppermint Linux 10.
    Note that requires PIV certs for everyone now, not just those with Dual Personas. To get to work, you MUST use OpenSC. CoolKey won’t work.

