Using your CAC on Linux is entirely possible, though it requires more manual configuration than Windows or macOS. Ubuntu and Fedora are the most viable options for DoD users who need to access CAC-protected resources from a Linux workstation. Here’s the complete setup process.

Why Linux for CAC?

Several legitimate reasons exist for running CAC on Linux:
- Development work: Many DoD development environments run on Linux
- Secure systems: Some security-focused operations prefer Linux
- Personal preference: Some users are simply more productive on Linux
- Hardware compatibility: Older systems may run better on lightweight Linux distributions
That said, Linux CAC support has limitations. Some DoD websites simply won’t work, and you won’t get official IT support. Know what you’re getting into before committing.
Choosing Your Distribution
Ubuntu (Recommended)
Ubuntu offers the best balance of user-friendliness and CAC compatibility. Use the LTS (Long Term Support) version—currently Ubuntu 22.04 or 24.04 LTS. These versions receive security updates for five years and have the most community documentation for CAC setup.
Fedora
Fedora works well and often has newer packages. It’s more cutting-edge than Ubuntu, which can be both an advantage (newer software) and disadvantage (occasional compatibility issues). Fedora 39 or 40 are solid choices.
Red Hat Enterprise Linux (RHEL)
If your organization provides RHEL licenses, this is arguably the best choice for DoD work. It’s the enterprise standard and has the most official support. The setup process is nearly identical to Fedora.
Distributions to Avoid
Arch Linux, Gentoo, and other “build-it-yourself” distributions require significant additional work. Rolling-release distributions can break CAC functionality after updates. Stick with stable, mainstream distributions unless you’re comfortable debugging certificate issues.
Hardware Requirements
Your CAC reader must be CCID-compliant, which most modern readers are. Recommended readers:
- SCR3310: Widely compatible, reliable on Linux
- Identiv uTrust 3700F: Works well, USB-C available
- HID Omnikey 3021: Good compatibility
USB-C readers generally work fine through adapters. Keyboard-integrated readers are hit-or-miss—standalone readers are more reliable.
Step 1: Install Required Packages
Ubuntu/Debian
Open a terminal and run:
sudo apt update
sudo apt install pcscd pcsc-tools opensc libengine-pkcs11-openssl libnss3-tools
Fedora/RHEL
sudo dnf install pcsc-lite pcsc-tools opensc nss-tools
These packages provide:
- pcscd (packaged as pcsc-lite on Fedora/RHEL): The PC/SC Smart Card Daemon—the service that communicates with your reader
- pcsc-tools: Diagnostic utilities for testing your reader
- opensc: Smart card middleware that handles CAC communication
- nss-tools (packaged as libnss3-tools on Ubuntu/Debian): Tools for managing certificate databases used by Firefox and Chrome
Step 2: Start and Enable the Smart Card Service
The pcscd service must be running for your CAC reader to work:
sudo systemctl start pcscd
sudo systemctl enable pcscd
This starts the service immediately and ensures it starts automatically on boot.
Step 3: Test Your Reader
Connect your CAC reader and insert your CAC. Then run:
pcsc_scan
You should see output similar to:
PC/SC device scanner
Scanning present readers...
Reader 0: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00
Card state: Card inserted
ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80
If you see “Card inserted” and an ATR (Answer to Reset) value, your reader is working. Press Ctrl+C to exit.
Troubleshooting Reader Detection
If pcsc_scan doesn’t detect your reader:
- Try a different USB port (rear ports are more reliable)
- Check if the reader appears in lsusb output
- Restart pcscd: sudo systemctl restart pcscd
- Check for driver issues: dmesg | tail -20
Step 4: Install DoD Root Certificates
This is the most critical step. Without DoD root certificates, your browser won’t trust CAC-authenticated sites.
Download the Certificates
Get the DoD root certificates from the official DISA source:
- Visit public.cyber.mil/pki-pke/
- Download the “PKI CA Certificate Bundles: PKCS#7” package
- Extract the zip file
Alternatively, use the certificates from MilitaryCAC:
wget https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip
unzip unclass-certificates_pkcs7_DoD.zip
Convert and Install for Firefox
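Firefox uses its own certificate store, so you'll need to import certificates using certutil. Note that the commands below write to the shared NSS database at ~/.pki/nssdb, which is the one Chrome/Chromium reads; Firefox keeps a separate database inside each profile directory, so to import into Firefox itself, point -d at that profile directory instead: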
# Create the certificate database if it doesn't exist
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password
# Import each DoD root certificate
# Repeat for each .cer or .crt file in the bundle
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,CT,CT" -n "DoD Root CA 3" -i Certificates_PKCS7_v5.9_DoD/DoD_PKE_PEM/DOD_Root_CA_3.cer
The -t "CT,CT,CT" flag marks the certificate as trusted for all purposes (the three comma-separated fields cover TLS, S/MIME, and code signing).
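The "repeat for each certificate" step can be scripted. The following is an added example, not code from the original article: it unpacks a PKCS#7 bundle with openssl, splits it into individual certificates, and imports each one with certutil. It assumes the bundle file you pass is DER-encoded, and it deliberately grants narrower trust than the command above: only self-signed roots become trust anchors, and intermediates are stored without trust flags. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: import every certificate from a PKCS#7 bundle into an NSS database.

# Split a PEM stream on stdin into one file per certificate under directory $1.
# Text between certificates (the subject=/issuer= lines openssl prints) is dropped.
# Prints the number of certificates written.
split_pem() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n); w = 1 }
        w                             { print > f }
        /-----END CERTIFICATE-----/   { w = 0; close(f) }
        END                           { print n + 0 }'
}

# Choose NSS trust flags from subject ($1) and issuer ($2).
# Assumption of this example: only self-signed roots become trust anchors;
# intermediates are stored without trust and validated through the chain.
trust_for() {
    if [ "$1" = "$2" ]; then echo "CT,C,C"; else echo ",,"; fi
}

# import_bundle BUNDLE.p7b [NSSDB_DIR]; BUNDLE is assumed to be DER-encoded PKCS#7.
import_bundle() {
    p7b=$1
    db=${2:-$HOME/.pki/nssdb}
    tmp=$(mktemp -d) || return 1
    openssl pkcs7 -inform DER -in "$p7b" -print_certs | split_pem "$tmp" >/dev/null
    for pem in "$tmp"/cert-*.pem; do
        [ -f "$pem" ] || continue
        subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issr=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        # Nickname = the certificate's CN (RFC2253 output puts CN first)
        nick=$(printf '%s\n' "$subj" | sed 's/^CN=\([^,]*\).*/\1/')
        certutil -d "sql:$db" -A -a -t "$(trust_for "$subj" "$issr")" -n "$nick" -i "$pem"
    done
    rm -rf "$tmp"
}

# Run only when a bundle path is given on the command line.
if [ "$#" -ge 1 ]; then import_bundle "$@"; fi
```

Afterwards, certutil -d sql:$HOME/.pki/nssdb -L lists the imported nicknames with their trust flags, which is a quick way to confirm that only the roots carry trust.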
Install for System-Wide Trust (Chrome/Chromium)
For Chrome and system applications:
# Ubuntu/Debian
sudo cp *.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# Fedora/RHEL
sudo cp *.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
Step 5: Configure Firefox for CAC
Firefox needs to be told where to find your CAC middleware:
- Open Firefox and navigate to about:preferences#privacy
- Scroll down to “Certificates” and click “Security Devices”
- Click “Load”
- Enter a name like “CAC Module”
- For the module filename, enter: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
The path may vary by distribution. Common locations:
- Ubuntu: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
- Fedora: /usr/lib64/opensc-pkcs11.so
Click OK. You should see your CAC certificates listed when you click “View Certificates” and look under the “Your Certificates” tab.
Step 6: Configure Chrome/Chromium
Chrome uses the NSS certificate database, which you already set up. To load the CAC module:
modutil -dbdir sql:$HOME/.pki/nssdb -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Restart Chrome after running this command.
Step 7: Test CAC Authentication
Try accessing a CAC-required site:
- milConnect: milconnect.dmdc.osd.mil
- Air Force Portal: my.af.mil
- Army Knowledge Online: us.army.mil
You should be prompted to select a certificate from your CAC. Select your authentication certificate (usually the one with “DOD ID CA” in the name) and enter your PIN.
Troubleshooting Common Issues
“Error: No Matching Certificates” When Accessing Sites
- DoD root certificates aren’t installed correctly
- Firefox security module isn’t configured
- Try restarting Firefox with your CAC inserted
“Smart Card Not Found” Errors
- pcscd service isn’t running: sudo systemctl status pcscd
- Reader not detected: check pcsc_scan output
- Wrong PKCS#11 module path in browser settings
PIN Dialog Never Appears
- The browser’s security module may not be loaded
- Check Firefox: Privacy & Security → Security Devices
- Ensure pcscd is running before starting the browser
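The causes listed in the last two sections (service not running, module not loaded, wrong module path) can be checked in one pass. This is an added example, not part of the original article: it inspects the shared NSS database at ~/.pki/nssdb used by Chrome/Chromium, and compares the module path registered there against what is actually on disk. The function names and the optional root-prefix parameter are hypothetical.

```shell
#!/bin/sh
# Added example: triage for the failure causes listed above.

# Module locations named in the article. $1 is an optional root prefix
# (hypothetical parameter, so the function can be tested against a temp tree).
find_opensc_module() {
    for p in /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib64/opensc-pkcs11.so; do
        if [ -f "${1:-}$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Read `modutil -list` output on stdin and print each registered library path.
# Entries without a "library name:" line are skipped.
registered_libs() {
    sed -n 's/^[[:space:]]*library name:[[:space:]]*//p'
}

# cac_triage [NSSDB_DIR]: prints one FAIL line per problem, returns non-zero if any.
cac_triage() {
    db=${1:-$HOME/.pki/nssdb}
    rc=0
    systemctl is-active --quiet pcscd || { echo "FAIL: pcscd is not running"; rc=1; }
    find_opensc_module >/dev/null || { echo "FAIL: opensc-pkcs11.so not in a known location"; rc=1; }
    libs=$(modutil -dbdir "sql:$db" -list 2>/dev/null | registered_libs)
    if [ -z "$libs" ]; then
        echo "FAIL: no PKCS#11 module registered in $db"; rc=1
    else
        # Every registered library path must exist on disk
        missing=$(printf '%s\n' "$libs" | while IFS= read -r lib; do
            [ -f "$lib" ] || echo "$lib"
        done)
        [ -z "$missing" ] || { echo "FAIL: registered module path missing on disk: $missing"; rc=1; }
    fi
    [ "$rc" -ne 0 ] || echo "OK: service, module file and NSS registration look consistent"
    return "$rc"
}

# Run the checks only when invoked as: sh cac-triage.sh run [NSSDB_DIR]
if [ "${1:-}" = "run" ]; then cac_triage "${2:-}"; fi
```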
Site Works in Windows But Not Linux
Some DoD sites use ActiveX or other Windows-specific technologies. These will never work on Linux. Common examples:
- Older DTS (Defense Travel System) interfaces
- Some MyPay functions
- Legacy ATAAPS time and attendance
For these sites, you’ll need a Windows machine or virtual machine.
Dual-Boot Considerations
For users who need both Linux and guaranteed Windows compatibility:
- Set up a dual-boot system with Windows for CAC sites that don’t work on Linux
- Keep Windows updated for security patches
- Use Linux for development work and general computing
- Boot into Windows when you need to access incompatible sites
Alternatively, run Windows in a virtual machine. CAC readers can be passed through to VMs using VirtualBox or VMware, though this adds complexity.
Keeping Your System Updated
Unlike Windows, where ActivClient handles most updates, Linux CAC users need to manually maintain their setup:
- System updates: Regular apt update && apt upgrade or dnf update
- DoD certificates: Re-download and install when new root CAs are issued (typically annually)
- OpenSC: Update when new versions are available for your distribution
After major system updates, test your CAC setup to ensure nothing broke.
Quick Reference: Ubuntu Setup Commands
# Install packages
sudo apt update
sudo apt install pcscd pcsc-tools opensc libnss3-tools
# Start service
sudo systemctl start pcscd
sudo systemctl enable pcscd
# Test reader
pcsc_scan
# Set up certificate database
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password
# Add CAC module to Chrome
modutil -dbdir sql:$HOME/.pki/nssdb -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Quick Reference: Fedora Setup Commands
# Install packages
sudo dnf install pcsc-lite pcsc-tools opensc nss-tools
# Start service
sudo systemctl start pcscd
sudo systemctl enable pcscd
# Test reader
pcsc_scan
# Set up certificate database
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password
# Add CAC module to Chrome
modutil -dbdir sql:$HOME/.pki/nssdb -add "CAC Module" -libfile /usr/lib64/opensc-pkcs11.so
Linux CAC setup requires more effort than Windows or macOS, but it’s entirely workable for users who prefer or require a Linux environment. The key is getting the root certificates and PKCS#11 module configured correctly—once that’s done, day-to-day usage is straightforward.
Last tested: December 2025 on Ubuntu 24.04 LTS and Fedora 40.
About John Bigley
John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.