Getting CAC working on macOS Sonoma has gotten complicated with all the CryptoTokenKit changes, Keychain updates, and breaking changes from the Ventura-to-Sonoma upgrade flying around. As someone who runs a MacBook as my daily driver for DoD work — and spent a frustrating weekend getting CAC authentication working again after the Sonoma update broke everything — I learned everything there is to know about making this work on Apple’s latest OS. Today, I will share it all with you.

If your CAC worked perfectly on Monterey or Ventura and then broke after upgrading to Sonoma, you’re absolutely not alone. Apple changed several things under the hood that affect smart card handling, and the guides that worked before don’t all apply anymore. I had to figure out what changed and adapt — here’s the updated, tested process.
What Apple Changed in Sonoma (And Why Your CAC Broke)

That’s what makes Apple updates endearing to us Mac-using military IT folks — they improve security, but they also break things we depend on. Specifically:
- CryptoTokenKit got updated: This is the framework macOS uses to talk to smart cards. The changes affect how it discovers and communicates with CAC readers.
- Keychain Access works differently: Certificate handling and trust settings changed, meaning old trust configurations might not carry over.
- Safari got smarter: Better native smart card support overall, but the behavior is different from what you were used to.
- Stricter certificate validation: Sonoma is more aggressive about checking certificate chains, which means previously working but slightly misconfigured setups now fail.
Hardware — Which Reader to Use
My Recommendations for Mac
- Identiv uTrust 3700 F (USB-C): This is what I use. Direct USB-C connection, no adapter needed, no driver installation required. Best option for modern MacBooks, hands down.
- SCM SCR3310v2 (USB-A): The old reliable. You’ll need a USB-A to USB-C adapter, but it works great.
- HID Omnikey 3021 (USB-A): Good compatibility, compact form factor.
A Word About USB-C Adapters
If you’re using a USB-A reader on a newer MacBook, you’ll need an adapter. Here’s what I’ve learned:
- Apple’s official USB-C to USB Adapter works reliably — it’s expensive for what it is, but it just works
- Quality third-party adapters from known brands are fine
- Avoid cheap multi-port hubs with sketchy power delivery — they cause intermittent disconnections that are maddening to troubleshoot
Step 1: Make Sure macOS Sees Your Reader
- Plug in your CAC reader
- Slide your CAC in
- Open Terminal (Applications > Utilities > Terminal)
- Run:
system_profiler SPSmartCardsDataType
You should see your reader model and card information in the output. If you don’t see anything:
- Try a different USB port or adapter
- Restart your Mac with the reader already plugged in — sometimes macOS needs a fresh boot to pick up new USB devices
- Check System Settings > Privacy & Security for any blocked extensions. Sonoma sometimes blocks new hardware drivers until you approve them.
Step 2: Install the DoD Certificates (Probably Should Have Led With This Section, Honestly)
Installing DoD certificates is the most critical step. Without them, macOS doesn’t trust any DoD website or your CAC’s certificates. Everything fails.
Method 1: InstallRoot for Mac (Easiest)
- Download the Mac version from MilitaryCAC.com/macinstall.htm
- Run the installer package — it’ll ask for your Mac admin password
- Follow the prompts through to completion
- Restart your Mac afterward
Method 2: Manual Installation (If InstallRoot Doesn’t Work)
- Download the DoD certificate files from public.cyber.mil/pki-pke/
- Double-click each certificate file — it should open Keychain Access automatically
- When prompted, add them to the “System” keychain (not login — System)
- For each root CA certificate:
- Find it in Keychain Access under the System keychain
- Double-click it to open the details
- Expand the “Trust” section
- Change “When using this certificate” to “Always Trust”
- Enter your Mac password when prompted
Yes, in Keychain Access you have to set trust on each root certificate one at a time. It's tedious, but only the roots need it: intermediate CA certificates should be added without touching their trust settings, since they validate through the trusted root above them. If you would rather not click through every root, the security command-line tool can set the trust at import time.
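The same installation from the command line, as an added example that is not part of this article and is not InstallRoot or a MilitaryCAC script. It assumes the DoD certificates have been unpacked into a directory of individual .cer (DER) or .pem files passed as the first argument, uses openssl to tell roots (self-signed, subject equals issuer) from intermediates, and uses the macOS security tool so that each root gets its "Always Trust" setting at import time instead of by clicking through Keychain Access. The root name used in the final verification, "DoD Root CA 3", is the one this article names; substitute your own.

```sh
#!/bin/sh
# Added example for this article (not the page's own installer, not a DISA
# or MilitaryCAC tool). Assumption: $1 is a directory holding the DoD CA
# certificates as individual DER (.cer) or PEM (.pem) files.
set -eu

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Print "root" when the certificate is self-signed (subject == issuer) and
# "intermediate" otherwise. Roots need explicit trust; intermediates only
# have to be present so the chain can be built. Handles DER and PEM input.
cert_kind() {
  inform=DER
  grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null && inform=PEM
  subj=$(openssl x509 -inform "$inform" -in "$1" -noout -subject)
  iss=$(openssl x509 -inform "$inform" -in "$1" -noout -issuer)
  # strip the "subject="/"issuer=" prefixes, then compare the DNs
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo root; else echo intermediate; fi
  return 0
}

# Install one certificate into the System keychain. A root is added to the
# admin (system-wide) trust domain (-d) trusted as a root CA (-r trustRoot),
# which is exactly what "Always Trust" in Keychain Access writes. An
# intermediate is added with no trust settings at all.
install_dod_cert() {
  f=$1
  kind=$(cert_kind "$f")
  der=$f
  if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
    # security expects DER; convert a PEM file into a temp file first
    der=$(mktemp) && openssl x509 -in "$f" -outform DER -out "$der"
  fi
  case $kind in
    root)         sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$der" ;;
    intermediate) sudo security add-certificates -k "$SYSTEM_KEYCHAIN" "$der" ;;
  esac
  echo "$kind: $f"
}

# Confirm a root is both present and trusted. find-certificate pulls it back
# out of the System keychain as PEM; verify-cert prints
# "certificate verification successful." only when the trust settings hold.
verify_root() {
  pem=$(mktemp)
  security find-certificate -c "$1" -p "$SYSTEM_KEYCHAIN" > "$pem"
  security verify-cert -c "$pem"
}

if [ $# -gt 0 ]; then
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    install_dod_cert "$f"
  done
  verify_root "DoD Root CA 3"
fi
```

Run it as `sh install-dod-certs.sh /path/to/unpacked/certs`; sudo will prompt once per certificate. Intermediates deliberately get no trust setting: marking an intermediate "Always Trust" is harmless for DoD sites but widens what your Mac trusts for no benefit.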
Step 3: Keychain Trust Configuration (Sonoma-Specific)
Sonoma is picky about explicit trust settings. Even if you used InstallRoot, verify the trust settings manually:
- Open Keychain Access (Applications > Utilities)
- Select “System” keychain in the left sidebar
- Click the “Certificates” category at the top
- Look for all certificates starting with “DoD Root CA”
- Double-click each one, expand Trust, and verify it says “Always Trust”
- If any say “Use System Defaults” or something else, change them to “Always Trust” and enter your password
I can’t stress this enough: “Use System Defaults” is NOT the same as “Always Trust”. “Use System Defaults” means macOS falls back to Apple’s built-in trust store, and the DoD roots are not in that store, so a DoD root left on that setting is simply untrusted and every chain under it fails. Only “Always Trust” (explicit trust settings attached to the certificate) makes the chain validate.
Step 4: Safari (Your Best Bet on Mac)
Safari uses the macOS Keychain natively, so if you got the certificates and trust settings right, it should just work:
- Open Safari
- Navigate to a CAC-enabled site — milConnect is a good test
- Safari should prompt you to select a certificate from your CAC
- Choose your DoD ID certificate
- Enter your CAC PIN
If Safari Doesn’t Prompt for Your Certificate:
- Make sure your CAC is inserted before you navigate to the site — order matters on Mac
- Clear Safari’s data: Safari > Settings > Privacy > Manage Website Data > Remove All
- Quit Safari completely (Command+Q, not just closing the window) and reopen it
- Go back to Keychain Access and verify the certificate trust settings one more time
Step 5: Chrome on Mac
Chrome on macOS uses the Keychain, so certificates should work if Keychain is properly configured:
- Verify DoD certificates are trusted in Keychain (Step 3)
- Open Chrome and navigate to a CAC site
- Chrome should prompt for certificate selection
If Chrome Won’t Cooperate:
- Go to
chrome://settings/security
- Click “Manage certificates” (this opens Keychain Access on Mac)
- Verify your CAC certificates appear when the card is inserted
- Clear Chrome cache completely and restart the browser
Step 6: Firefox (Requires Extra Work, As Usual)
Firefox on Mac is the same story as Firefox on Windows — it maintains its own certificate store and needs manual configuration:
- Open Firefox Settings > Privacy & Security
- Scroll to “Certificates” and click “View Certificates”
- Under the “Authorities” tab, import all the DoD root certificates
- Check “Trust this CA to identify websites” for each one
- Go back to Privacy & Security and click “Security Devices”
- Click “Load”
- Name it “CAC”
- For the module path, enter:
/usr/lib/ssh-keychain.dylib
That module ships with macOS and is Apple’s own PKCS#11 bridge to CryptoTokenKit. If that path doesn’t work, and it might not depending on your setup, try these alternatives:
- /usr/local/lib/opensc-pkcs11.so (if you installed OpenSC via Homebrew on an Intel Mac)
- /opt/homebrew/lib/opensc-pkcs11.so (Homebrew on Apple Silicon installs under /opt/homebrew instead)
- /Library/OpenSC/lib/opensc-pkcs11.so (if OpenSC was installed via the package installer)
If OpenSC is installed, running pkcs11-tool --module <path> --list-slots in Terminal confirms the module loads and sees your reader before you point Firefox at it.
Sonoma-Specific Troubleshooting
“Smart card could not be read”
- Restart your Mac with the reader already connected; Sonoma sometimes needs a cold start to initialize CryptoTokenKit properly
- Open Terminal and run:
sudo pkill -9 ctkd
This kills the CryptoTokenKit daemon and launchd starts it fresh. The process is named ctkd, and pkill matches process names, so the launchd label com.apple.ctkd will not match anything.
- Check System Settings > Privacy & Security for any blocked items related to your reader
Certificates Don’t Show Up in Keychain
- Open Terminal and run:
security list-smartcards
- If no cards are listed, macOS isn’t recognizing your reader at the OS level
- Try a different USB port, a different adapter, or a different reader entirely
“Certificate Not Trusted” Even After You Set Trust
- Go back into Keychain Access and explicitly verify each DoD Root CA is set to “Always Trust”
- Restart your Mac after changing trust settings — Sonoma sometimes needs a reboot to pick up trust changes
- If all else fails, delete the certificate from Keychain and reinstall it:
sudo security delete-certificate -c "DoD Root CA 3" -t /Library/Keychains/System.keychain
The -t flag also removes the trust settings attached to that certificate, and naming the System keychain explicitly keeps the command from searching your login keychain instead. Then re-import.
PIN Prompt Never Shows Up
- Always insert your CAC before opening the browser. The order matters more on Mac than it does on Windows.
- Verify CryptoTokenKit sees the card:
security list-smartcards
- Force restart the smart card daemon:
sudo pkill -9 ctkd
Things That Just Don’t Work on Sonoma (Yet)
- Some legacy DoD sites that require older security protocols — try a different browser or fall back to a VM
- Certain Bluetooth CAC readers have reduced compatibility with Sonoma’s updated Bluetooth stack
- Screen sharing and remote desktop CAC passthrough is limited — if you need to authenticate to a remote session, it may not pass through your local CAC
Quick Verification Checklist
- Reader detected: Run
system_profiler SPSmartCardsDataType
and confirm your reader model appears in the output
- Card readable: Run
security list-smartcards
and confirm your card is listed
- Certs in Keychain: Open Keychain Access > look for your personal certificates when CAC is inserted
- DoD roots trusted: Keychain Access > System keychain > Certificates > verify DoD Root CAs say “Always Trust”
- Browser test: Navigate to milConnect in Safari — should get certificate prompt
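The checklist above, and the Step 3 trust verification, as an added script that is not part of this article. It checks the two things the article says most Sonoma problems come down to: whether CryptoTokenKit lists a card at all, and whether each DoD root named on the command line is in the System keychain with explicit trust settings. It assumes that `security dump-trust-settings` lists trusted certificates on lines of the form `Cert N: <name>`, and that a root which appears in neither the admin (-d) nor the user dump is what Keychain Access shows as “Use System Defaults”. The parsing functions take the command output as an argument so they can be exercised on sample text away from a Mac.

```sh
#!/bin/sh
# Added example for this article, not the page's own tooling.
# Usage on macOS:  sh check-cac.sh "DoD Root CA 3" "DoD Root CA 6"
# (root names are whatever Keychain Access shows for your installed roots)

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Returns 0 when `security list-smartcards` output (passed as $1) names at
# least one token, e.g. a line such as com.apple.pivtoken:<hex>. An empty
# listing means CryptoTokenKit sees no card, so the problem is the reader,
# the adapter or the card, not the certificates.
card_present() {
  [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Returns 0 when the root named in $1 appears in a `security
# dump-trust-settings` listing passed as $2. Assumed line format:
#   Cert 0: DoD Root CA 3
# A root in the keychain but absent from both the admin and the user dump
# carries no trust settings, which is "Use System Defaults" in Keychain Access.
root_has_trust_settings() {
  printf '%s\n' "$2" | grep -q "^Cert [0-9][0-9]*: $1\$"
}

# Live check on macOS. Prints one PASS/FAIL line per item and returns 0
# only when everything passes, so it can gate a larger setup script.
check_cac() {
  status=0
  if card_present "$(security list-smartcards 2>/dev/null)"; then
    echo "PASS card visible to CryptoTokenKit"
  else
    echo "FAIL no card listed; check the reader and adapter, then reseat the card"
    status=1
  fi
  # dump-trust-settings exits non-zero when a domain has no settings at all
  admin_dump=$(security dump-trust-settings -d 2>/dev/null || true)
  user_dump=$(security dump-trust-settings 2>/dev/null || true)
  for name in "$@"; do
    if ! security find-certificate -c "$name" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1; then
      echo "FAIL $name is not in the System keychain"
      status=1
    elif root_has_trust_settings "$name" "$admin_dump" \
      || root_has_trust_settings "$name" "$user_dump"; then
      echo "PASS $name present and explicitly trusted"
    else
      echo "FAIL $name present but has no Always Trust setting"
      status=1
    fi
  done
  return $status
}

if [ "$(uname)" = Darwin ] && [ $# -gt 0 ]; then
  check_cac "$@"
fi
```

A FAIL on the card line points you back to Step 1 and the reader; a FAIL on a root points you back to Step 3, and in that case `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <root.cer>` sets the missing trust without reopening Keychain Access.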
The Backup Plan: Windows VM
If you absolutely cannot get native macOS CAC working — and sometimes that’s just how it goes with Apple’s changes — running Windows in a VM is a legitimate fallback:
- Use Parallels Desktop or VMware Fusion to run Windows
- Pass your USB CAC reader through to the VM in the VM’s USB device settings
- Configure CAC in Windows using the standard Windows setup process
It’s not elegant, but it works. I keep a Windows VM on my MacBook specifically for the DoD sites that refuse to cooperate with macOS.
The Bottom Line
For the smoothest CAC experience on macOS Sonoma:
- Use a USB-C reader if possible — fewer adapter complications
- Install DoD certificates using InstallRoot for Mac
- Manually verify and set “Always Trust” for every DoD Root CA in Keychain Access
- Use Safari as your primary browser for DoD sites — it has the best native integration
- Firefox works but needs its own certificate imports and PKCS#11 module setup
Most Sonoma CAC issues come down to two things: certificate trust settings in Keychain and reader detection through CryptoTokenKit. Work through those methodically, and you’ll get it sorted. And if you just upgraded and everything broke — restart your Mac first. You’d be amazed how often that fixes the problem entirely.
Last tested: December 2025 on macOS Sonoma 14.5
About John Bigley
John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.