Firefox CAC Setup

Firefox CAC Setup Overview

Firefox uses its own certificate store rather than the Windows certificate store, which means additional configuration is required for CAC authentication. While this adds setup steps compared to Edge or Chrome, Firefox can be a reliable and secure browser for DoD websites once properly configured. Many users prefer Firefox for its privacy features and customization options.

Why Firefox Requires Extra Setup

Unlike Chrome and Edge, which rely on the Windows certificate store, Firefox maintains its own independent certificate database. This design choice provides better cross-platform consistency but means you must:

• Import DoD root certificates directly into Firefox
• Configure Firefox to recognize your smart card middleware
• Adjust security settings for DoD site compatibility

The good news is that once configured, Firefox typically works reliably with DoD sites and doesn’t require reconfiguration after Windows updates.

Installing Certificates in Firefox

1. Download DoD certificates: Get the latest AllCerts.zip from militarycac.com or your organization’s software portal
2. Extract the certificate files: Unzip to a folder you can easily find
3. Open Firefox Certificate Manager:
   • Click the menu (three lines) → Settings → Privacy & Security
   • Scroll down to “Certificates” section and click “View Certificates”
4. Import root certificates:
   • Go to the “Authorities” tab
   • Click “Import” and navigate to your extracted certificates
   • Select each DoD root certificate file (files starting with “DoD_Root”)
   • When prompted, check “Trust this CA to identify websites”
   • Click OK and repeat for all root certificates
5. Import intermediate certificates:
   • Repeat the import process for intermediate certificates
   • These typically have names like “DOD_ID_CA” or “DOD_EMAIL_CA”

You can verify certificates imported correctly by searching for “DoD” in the certificate manager – you should see multiple DoD entries.

Configuring Security Devices

Firefox needs to know where to find your CAC through your smart card middleware. This step connects Firefox to the PKCS#11 module provided by your middleware software:

1. In Firefox, type about:preferences#privacy in the address bar
2. Scroll to “Certificates” section and click “Security Devices”
3. Click “Load” to add a new device
4. Enter a module name (e.g., “CAC Module” or “DoD CAC”)
5. Click “Browse” and navigate to your middleware’s PKCS#11 module file:
   • ActivClient: C:Program FilesActivIdentityActivClientacpkcs211.dll
   • 90Meter: C:Program Files90meterpkcs1190meterpkcs11.dll
   • OpenSC: C:Program FilesOpenSC ProjectOpenSCpkcs11opensc-pkcs11.dll
   • Windows Built-in (Windows 10/11): C:WindowsSystem32OneCoreMicrosoft.Windows.Security.Credentials.SecondaryAuthenticationFactor.pkcs11.dll
6. Click OK and verify the module appears in the Security Devices list
7. With your CAC inserted, you should see your card listed under the new module

If you don’t see your middleware file at the expected location, it may be installed in a different directory. Search your C: drive for files ending in “pkcs11.dll”.

Firefox About:Config Settings

Advanced settings can improve CAC compatibility. These settings are accessed through Firefox’s hidden configuration page:

1. Type about:config in the address bar and press Enter
2. Click “Accept the Risk and Continue” on the warning page
3. Use the search bar to find and verify these settings:

To change a setting, double-click on it or click the toggle button. Changes take effect immediately without requiring a restart in most cases.

Testing Your Firefox CAC Setup

After completing the configuration:

1. Insert your CAC into the reader
2. Navigate to a CAC-required DoD site (such as your organization’s webmail)
3. Firefox should prompt you to select a certificate from your CAC
4. Enter your CAC PIN when prompted
5. You should successfully authenticate to the site

Troubleshooting Firefox CAC Issues

• No certificate prompt appears:
  • Security device may not be loaded – check Security Devices in Firefox settings
  • PKCS#11 module path may be incorrect – verify the file exists
  • Try removing and re-adding the security device
• Certificate errors or warnings:
  • DoD root certificates may not be installed in Firefox’s store
  • Re-import certificates and ensure you trusted them for website identification
• “Secure connection failed” message:
  • Check that TLS settings aren’t blocking DoD sites
  • Clear Firefox cache and try again
  • Verify the site URL is correct
• Slow authentication:
  • Firefox may be checking certificate revocation status
  • OCSP servers may be slow or unreachable
  • Consider temporarily disabling OCSP for testing (not recommended for production use)
• “Card not present” errors:
  • Verify CAC is fully inserted in the reader
  • Check smart card service is running in Windows
  • Try removing and reinserting the card

Keeping Firefox CAC Working

Firefox updates may occasionally reset settings or cause compatibility issues. After major Firefox updates:

• Verify your security device is still configured
• Check that about:config settings haven’t been reset
• Re-import certificates if you see trust errors

Consider enabling Firefox’s Extended Support Release (ESR) if you need maximum stability for CAC access, as ESR receives fewer disruptive updates than the regular release channel.

About John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.