Firefox CAC Setup

Firefox CAC Setup — More Steps, But Worth It

Getting Firefox to work with a CAC has gotten complicated with all the different middleware options, certificate stores, and about:config tweaks flying around. As someone who personally uses Firefox for DoD access and has configured it on dozens of machines for people who prefer it over Edge, I have learned everything there is to know about making Firefox play nice with your CAC. Today, I will share it all with you.

Full disclosure: Firefox takes more work to set up for CAC than Edge or Chrome. That’s because Firefox does its own thing with certificates — it maintains a completely independent certificate database instead of using the Windows certificate store. On one hand, this is annoying because it means extra setup steps. On the other hand, it’s actually kind of nice because Firefox won’t break when Windows updates do something weird to the system certificate store.

Why Firefox Needs Special Attention

That’s what makes Firefox endearing to us privacy-conscious folks — it marches to its own drum. But for CAC purposes, it means you have to:

  • Import DoD root and intermediate certificates directly into Firefox’s own certificate store
  • Tell Firefox where your smart card middleware lives so it can talk to your CAC
  • Adjust a few security settings to ensure DoD site compatibility

The upside? Once you do this, Firefox is rock-solid for DoD access. It doesn’t usually break after Windows updates, and it rarely needs reconfiguration once it’s set up properly. I’ve had my setup stable for months at a time.

Importing the DoD Certificates: Probably Should Have Led With This Section, Honestly

Getting the certificates imported is the foundation of the whole setup. Skip this or do it wrong, and nothing else matters.

  1. Download DoD certificates: Grab the latest AllCerts.zip from MilitaryCAC.com or your organization’s software portal. Don’t use old certificate files you found on a thumb drive from 2023.
  2. Extract everything: Unzip to a folder on your desktop where you can find it easily
  3. Open Firefox’s Certificate Manager:
    • Click the hamburger menu (three horizontal lines) > Settings > Privacy & Security
    • Scroll down until you see the “Certificates” section and click “View Certificates”
  4. Import the root certificates:
    • Click the “Authorities” tab
    • Click “Import” and browse to your extracted certificate folder
    • Select files that start with “DoD_Root” — these are the root CAs
    • When Firefox asks how to trust this certificate, check “Trust this CA to identify websites” — this is the critical checkbox
    • Click OK and repeat for every root certificate file
  5. Import intermediate certificates:
    • Same process, but now import the intermediate certificates
    • These usually have names like “DOD_ID_CA” or “DOD_EMAIL_CA”

To verify they imported correctly, search for “DoD” in the certificate manager. You should see a bunch of entries. If they’re there, you’re halfway done.

Loading the Security Device (The PKCS#11 Module)

This is where you tell Firefox how to find your CAC. You need to point it at the PKCS#11 module file that your smart card middleware provides:

  1. In Firefox, type about:preferences#privacy in the address bar and hit Enter
  2. Scroll down to “Certificates” and click “Security Devices”
  3. Click “Load” to add a new device module
  4. Give it a name you’ll recognize — I use “CAC Module” because I’m not creative
  5. Click “Browse” and navigate to the right file for your middleware:
    • ActivClient: C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll
    • 90Meter: C:\Program Files\90meter\pkcs11\90meterpkcs11.dll
    • OpenSC: C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
    • Windows Built-in: C:\Windows\System32\OneCore\Microsoft.Windows.Security.Credentials.SecondaryAuthenticationFactor.pkcs11.dll (yes, that’s the actual path)
  6. Click OK and verify the module appears in the Security Devices list
  7. With your CAC inserted, you should see your card and its certificates listed under the new module

Can’t find the DLL file? It might be installed in a slightly different directory depending on your middleware version. Search your C: drive for files ending in “pkcs11.dll” — that should find it.

The about:config Tweaks That Matter

Firefox has some hidden settings that can make or break your CAC experience. Type about:config in the address bar, click past the warning (“Accept the Risk and Continue”), and then search for these settings:

| Setting | Set It To | Why |
|---|---|---|
| security.osclientcerts.autoload | true | Tells Firefox to automatically load client certificates from the OS. This is a huge convenience setting. |
| security.default_personal_cert | Ask Every Time | Makes Firefox prompt you to choose which certificate to use, rather than guessing. Trust me, you want to choose. |
| security.enterprise_roots.enabled | true | This is the big one: it lets Firefox use the Windows certificate store as a backup. If you turn this on, Firefox will trust whatever Windows trusts, which means you might not need to manually import all those certificates. |
| security.OCSP.enabled | 1 | Enables certificate revocation checking. Technically optional, but good security practice. |

To change a setting, just double-click it or click the toggle button. Most changes take effect immediately — no browser restart needed.

Testing Your Setup

Time to see if all that work paid off:

  1. Make sure your CAC is in the reader
  2. Navigate to a CAC-required DoD site — try your organization’s webmail or milConnect
  3. Firefox should pop up a certificate selection dialog showing certificates from your CAC
  4. Select the authentication certificate and enter your PIN
  5. If the site loads, you’re in business

If it doesn’t work, don’t panic. Firefox CAC setup has a lot of moving pieces, and it’s usually just one setting or one missing certificate causing the problem.

When Things Go Wrong

  • No certificate prompt at all:
    • First check: is the security device loaded? Go back to Security Devices and verify your module is listed and shows your card
    • The PKCS#11 module path might be wrong — double-check that the DLL file actually exists at the path you entered
    • Try removing the module and re-adding it from scratch
  • Certificate errors or trust warnings:
    • DoD root certificates probably aren’t imported into Firefox’s store, or they weren’t marked as trusted
    • Go back to Certificate Manager, find the DoD entries, double-click each one, and make sure “Trust this CA to identify websites” is checked
  • “Secure connection failed” message:
    • Could be a TLS version mismatch — most DoD sites require TLS 1.2 or higher
    • Clear Firefox cache (Ctrl+Shift+Delete) and try again
    • Make sure you’re using the correct URL for the site
  • Everything is slow:
    • Firefox is probably checking certificate revocation status via OCSP, and the OCSP server is either slow or unreachable
    • You can temporarily set security.OCSP.enabled to 0 for testing, but don’t leave it off permanently — it’s a security feature
  • “Card not present” errors:
    • Is the card actually inserted? Check the reader LED.
    • Verify the Smart Card service is running in Windows services.msc
    • Try pulling the card out and reinserting it

Keeping It Working After Updates

Here’s a heads up: Firefox updates can occasionally reset settings or cause compatibility issues with the PKCS#11 module. After major Firefox updates:

  • Check that your security device is still loaded — go to Security Devices and make sure your CAC module is there
  • Verify your about:config settings haven’t reverted to defaults
  • If you start seeing certificate trust errors, re-import the DoD root certificates
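
The post-update checks above, together with the about:config table, can be scripted. This is an added example, not part of the original article: it audits the text of the profile's prefs.js and pkcs11.txt files, and the function names and sample values are made up for illustration.

```python
import json
import os
import re

# Expected values, taken from the article's about:config table.
EXPECTED = {
    "security.osclientcerts.autoload": True,
    "security.default_personal_cert": "Ask Every Time",
    "security.enterprise_roots.enabled": True,
    "security.OCSP.enabled": 1,
}
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')


def audit_prefs(prefs_text):
    """Compare the text of prefs.js with EXPECTED; returns {pref: status}."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in EXPECTED:
            found[m.group(1)] = json.loads(m.group(2))
    report = {}
    for name, want in EXPECTED.items():
        if name not in found:
            # prefs.js stores only user-changed values, so absent means default.
            report[name] = "unset"
        elif type(found[name]) is type(want) and found[name] == want:
            report[name] = "ok"
        else:
            report[name] = "differs: %r" % (found[name],)
    return report


def audit_modules(pkcs11_text, exists=os.path.isfile):
    """List external PKCS#11 modules as (name, library, file_present)."""
    modules = []
    for block in re.split(r"\n\s*\n", pkcs11_text.strip()):
        fields = dict(l.split("=", 1) for l in block.splitlines() if "=" in l)
        lib = fields.get("library", "").strip()
        if lib:  # the built-in NSS module has an empty library= value
            modules.append((fields.get("name", "").strip(), lib, exists(lib)))
    return modules


if __name__ == "__main__":
    # Constructed samples, not taken from a real profile.
    print(audit_prefs('user_pref("security.OCSP.enabled", 0);'))
    print(audit_modules("library=\nname=NSS Internal PKCS #11 Module\n\n"
                        "library=C:\\CAC\\example-pkcs11.dll\nname=CAC Module"))
```

Feed it the contents of prefs.js and pkcs11.txt from the profile folder listed on about:support. An "unset" result means the pref is at the Firefox default, which you then confirm in about:config; a module with file_present False matches the "PKCS#11 module path might be wrong" case from the troubleshooting list.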

One recommendation I give everyone: consider using Firefox Extended Support Release (ESR) instead of the regular version. ESR gets security patches but fewer feature changes, which means less chance of an update breaking your CAC setup. A lot of government organizations actually mandate ESR for exactly this reason.

Firefox requires more initial setup than Edge or Chrome for CAC, but once it’s configured, it’s a solid browser for DoD access. The independent certificate store is a pain during setup but an advantage during maintenance — Windows updates won’t randomly break your Firefox CAC setup, which is more than I can say for some other browsers.

John Bigley

About John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.

Mike Thompson

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.