Digitally signing emails with a CAC in Outlook has gotten complicated with all the certificate options, Trust Center menus, and policy changes flying around. As someone who has configured email signing for entire units — and personally answered the “which certificate do I pick?” question roughly a thousand times — I learned everything there is to know about getting this set up right the first time. Today, I will share it all with you.

Here’s the thing most people don’t realize: digitally signing your email proves the message actually came from you. Not someone spoofing your address, not someone who compromised your account — you, sitting at your desk with your CAC inserted. DoD policy requires it for emails with attachments or embedded links, and honestly, you should just sign everything. Takes two extra seconds once it’s configured.
What Signing Actually Does (Quick Version)

When you sign an email with your CAC:
- The recipient sees a verification badge — a little ribbon icon — confirming the message is legit and hasn’t been altered
- If anyone tampers with the message after you send it, the signature breaks and the recipient gets warned
- The message becomes legally attributable to you, which matters for official correspondence
That’s what makes digital signatures so appealing to us security folks — they solve a real problem that’s only getting worse with phishing attacks targeting .mil addresses. A signed email is proof. An unsigned email is just trust.
Quick clarification because people mix these up all the time: signing is NOT the same as encrypting. Signing proves who sent it and that it wasn’t tampered with. Encryption protects the content from being read by unauthorized people. You can do both, but this guide focuses on signing.
Probably Should Have Led With This Section, Honestly
Before you touch Outlook’s settings, make sure these prerequisites are squared away. I’ve seen people spend an hour in the Trust Center only to realize their CAC reader wasn’t plugged in.
- Valid CAC: Flip your card over and check the expiration date. Expired card means expired certificates, which means you’re not signing anything.
- DoD Root Certificates: These need to be on your machine. If you haven’t done this, download InstallRoot from MilitaryCAC.com and run it as Administrator. It handles everything automatically.
- Working CAC Reader: Connected, recognized by Windows, LED on. Test it by opening certmgr.msc — if you can see your personal certificates, the reader is working.
- Middleware Running: ActivClient or whatever CAC middleware your organization uses should be active in the system tray. Most government workstations have this pre-installed, but if you’re on a personal machine, you might need to set it up.
Step 1: Get Into the Trust Center
Outlook buries the email security settings pretty deep. Here’s the path:
- Click File at the top of Outlook
- Select Options from the left sidebar
- Click Trust Center — it’s near the bottom of the list on the left
- Click the Trust Center Settings button
- Select Email Security from the left panel
Now you’re in the right place. This is where all the signing and encryption magic happens.
Step 2: Create Your Security Settings Profile
Under the “Encrypted email” section:
- Click the Settings button next to “Default Setting”
- In the “Security Settings Name” field, type something you’ll recognize — I usually go with “DoD Email Signing” or just “CAC Signing”
- Make sure “Cryptographic Format” is set to S/MIME — this is the standard DoD uses for email security
Step 3: Pick the Right Certificate (This Is Where People Mess Up)
Your CAC has multiple certificates on it, and picking the wrong one is the single most common mistake I see. Here’s how to get it right:
- Next to “Signing Certificate,” click Choose
- Make sure your CAC is inserted — Windows will probably ask for your PIN at this point
- A list of certificates appears. You’re looking for the one labeled “DOD EMAIL” or “DOD CA-XX” that has your name and specifically lists email as its intended purpose
- Select that certificate and click OK
Critical: Do NOT select the “DOD ID” certificate. That one is for authentication — logging into websites, VPN, that sort of thing. It’s not for email. The email signing certificate will specifically mention “Email” in the intended purposes field. If you’re not sure which is which, click on each one and look at the “Intended Purposes” or “Key Usage” details.
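To see the same “Intended Purposes” information without clicking through every certificate, here is an added PowerShell example (mine, not the author’s) that lists the Personal store and labels each certificate by its Enhanced Key Usage and Key Usage bits. It assumes the CAC is inserted and the middleware has propagated the card’s certificates into Cert:\CurrentUser\My.

```powershell
# Added example, not from the original post: list the certificates in the current
# user's Personal store and say which belong in Outlook's "Signing Certificate" and
# "Encryption Certificate" boxes. Assumes the CAC is inserted and the middleware has
# propagated the card's certificates into Cert:\CurrentUser\My.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # Enhanced Key Usage: Secure Email (S/MIME)
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication
$now = Get-Date

$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Enhanced Key Usage (OID 2.5.29.37) lists what the certificate is intended for.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Key Usage (OID 2.5.29.15): DigitalSignature = can sign, KeyEncipherment = can receive encrypted mail.
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' } | Select-Object -First 1
    $flags = if ($ku) { [string]$ku.KeyUsages } else { '' }
    $canSign    = $flags -match 'DigitalSignature'
    $canEncrypt = $flags -match 'KeyEncipherment'

    $role = if ($ekuOids -contains $SecureEmailOid) {
                if ($canSign -and $canEncrypt) { 'Signing + Encryption (same cert for Steps 3 and 4)' }
                elseif ($canSign)              { 'Signing Certificate (Step 3)' }
                elseif ($canEncrypt)           { 'Encryption Certificate (Step 4)' }
                else                           { 'Secure Email EKU, no usable Key Usage' }
            } elseif ($ekuOids -contains $ClientAuthOid) { 'Authentication only - NOT for Outlook' }
            else { 'Other' }

    [pscustomobject]@{
        Role          = $role
        Subject       = ($cert.Subject -split ',')[0] -replace '^CN=', ''
        Issuer        = ($cert.Issuer  -split ',')[0] -replace '^CN=', ''
        Expires       = $cert.NotAfter.ToString('yyyy-MM-dd')
        Expired       = $cert.NotAfter -lt $now
        HasPrivateKey = $cert.HasPrivateKey    # false means Windows sees the cert but cannot sign with it
        KeyUsage      = $flags
        Thumbprint    = $cert.Thumbprint
    }
}

# Signing candidates first; anything expired or without a private key will not work in Outlook.
$report | Sort-Object Role | Format-Table Role, Subject, Issuer, Expires, Expired, HasPrivateKey, KeyUsage -AutoSize
```

The row marked “Signing Certificate” with Expired = False and HasPrivateKey = True is the one to pick in the Choose dialog; the “Authentication only” row is the DOD ID certificate the text warns about.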
Step 4: Set Up Encryption Certificate (Optional But Smart)
If you ever send PII, CUI, or other sensitive content to external recipients, you’ll need encryption configured too:
- Next to “Encryption Certificate,” click Choose
- Select your DOD EMAIL encryption certificate — sometimes it’s the same as the signing cert, sometimes it’s a separate one
- For “Encryption Algorithm,” pick AES (256-bit) — that’s the current DoD standard
Step 5: Decide on Auto-Signing
This is a personal preference, but I have a strong recommendation:
- To sign everything automatically: Check the box that says “Add digital signature to outgoing messages.” This is what I recommend. Set it and forget it.
- To sign only specific emails: Leave it unchecked and manually add signatures when you want them.
Per Air Force policy — and most other service branch policies track similarly — emails containing attachments or embedded links should be digitally signed. Since that covers about 80% of the email I send, I just enable auto-signing and don’t think about it. One less thing to remember.
Click OK to save your settings, then OK again to close out of Trust Center.
Step 6: Test It
Send yourself a test email:
- Compose a new message and address it to yourself
- If you didn’t enable automatic signing, click the Options tab in the message window and click Sign (looks like an envelope with a ribbon)
- Outlook will ask for your CAC PIN
- Send it
When the email arrives, you should see a ribbon or badge icon on the message. Click it to verify the signature details. If it says “signed by [your name]” and the signature is valid, you’re done. Congrats.
Signing Individual Emails (If You Didn’t Auto-Enable)
For those who prefer to sign selectively:
- Write your email like normal
- Click the Options tab in the message window
- In the Permission group, click Sign — it’s the envelope with a ribbon icon
- Enter your PIN when prompted
- Send
If you need both signing AND encryption on a message, click both the Sign and Encrypt buttons. Note that encrypting requires the recipient to have a DoD email certificate in your contacts — you can’t encrypt to someone whose public key you don’t have.
Troubleshooting the Common Problems
“Certificate Not Found” or Empty Certificate List
- Pull your CAC out and reinsert it firmly — make sure it clicks in
- Close Outlook entirely and reopen it with the CAC already inserted
- Run InstallRoot to make sure your DoD root certificates are current
- Check your CAC expiration — expired card means the certificates are invalid
“Invalid Certificate” When Sending
- Certificate might be expired — check in certmgr.msc under Personal > Certificates
- Your system clock might be wrong. Sounds silly, but certificate validation is time-sensitive. Sync your clock.
- Try clearing Outlook’s cache: close Outlook, go to %localappdata%\Microsoft\Outlook, delete the RoamCache folder, restart Outlook
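The expired-certificate and wrong-clock causes above look identical from inside Outlook. This added PowerShell example (mine, not the author’s) separates them by checking the clock and then building each email certificate’s trust chain the way Windows does; a missing DoD root shows up here too, which is the InstallRoot fix. It assumes the CAC is inserted, and time.nist.gov is an assumed reference server you can swap for your domain time source.

```powershell
# Added example, not from the original post: narrow down an "Invalid Certificate"
# error by (1) checking the clock Windows validates certificates against and
# (2) building the trust chain for each Secure Email certificate the way Outlook
# does. Assumes the CAC is inserted; time.nist.gov is an assumed-reachable
# reference server, swap in your domain controller or enterprise time source.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'

# 1. Clock: an offset of minutes is enough to make a valid certificate look
#    not-yet-valid or expired. "Last Successful Sync Time" should be recent.
w32tm /query /status 2>&1 | Select-String 'Source|Stratum|Last Successful Sync'
w32tm /stripchart /computer:time.nist.gov /samples:1 /dataonly 2>&1 | Select-Object -Last 1

# 2. Chain: build it for every certificate that carries the Secure Email EKU.
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $SecureEmailOid)
} | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP here so an unreachable revocation server does not mask the real cause.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    # NotTimeValid              -> certificate expired, or the system clock is wrong (see step 1)
    # UntrustedRoot / PartialChain -> DoD root or intermediate certs missing: run InstallRoot
    # With NoCheck, revocation problems are not reported; re-run with RevocationMode Online
    # once the chain itself is clean.
    [pscustomobject]@{
        Subject  = ($cert.Subject -split ',')[0] -replace '^CN=', ''
        Expires  = $cert.NotAfter.ToString('yyyy-MM-dd')
        ChainOK  = $ok
        Problems = if ($ok) { '-' } else { $problems }
    }
} | Format-Table -AutoSize
```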
Recipient Says Your Signature Isn’t Trusted
- That’s a recipient-side problem, not yours. They need DoD root certificates installed on their system.
- External recipients (non-.mil) almost certainly don’t have these certs and will see a warning
- There’s nothing you can do about this — your signature IS valid, their system just can’t verify it
Outlook Asks for PIN on Every Single Email
This is actually normal and intentional. Each digital signature operation requires your PIN to prove you’re physically present at the computer. It can’t be cached for security reasons. I know it’s annoying — just make it part of your workflow. Type the email, hit send, enter PIN. Repeat.
Wrong Email Address on the Certificate
If your certificate shows an old email address that doesn’t match your current one, you need to visit your local RAPIDS office. The email address on your CAC certificate is tied to your DEERS record, and only RAPIDS can update it.
When You Get a New CAC — Read This
This is important, and I’ve seen people lose access to years of encrypted email because they didn’t know this: your new CAC has completely new certificates with different cryptographic keys. That means:
- You need to go back into Trust Center and re-select your certificates — the old settings point to certificates that no longer exist
- Any encrypted emails sent to your OLD certificate CANNOT be read with your new CAC. Before your old card gets destroyed, save or export any encrypted emails you need. This is not recoverable through normal channels.
- Your security office can sometimes help recover old encryption keys, but it’s a pain. Don’t count on it.
When to Sign vs. When to Encrypt
| Scenario | Sign? | Encrypt? |
|---|---|---|
| Email with attachment to .mil address | Yes (required) | Not required |
| Email with embedded link | Yes (required) | Not required |
| PII/CUI to external recipient | Yes | Yes (required) |
| PII/CUI within .mil/.gov | Yes | No (as of 2024) |
| Routine correspondence | Recommended | Not required |
Per GENADMIN 2024-1118: Email containing CUI/PII/PHI that stays within .mil and NSA.GOV domains is considered sufficiently protected by the network itself and doesn’t need additional encryption. This was a policy change that confused a lot of people — you used to have to encrypt everything with PII, but now it’s only required when it leaves the .mil ecosystem.
The 5-Minute Cheat Sheet
If you just want the bare minimum to get signing working, here it is:
- File > Options > Trust Center > Trust Center Settings > Email Security
- Click Settings, name it “CAC Signing”
- Choose your DOD EMAIL certificate for signing (NOT the DOD ID cert)
- Check “Add digital signature to outgoing messages”
- Click OK, send a test email, enter your PIN when asked
That’s literally it. Five minutes and you’re done. Once configured, signing is automatic — just enter your PIN when Outlook asks for it.
Last updated: December 2025. Steps may vary slightly between Outlook versions.
About John Bigley
John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.