Set Up CAC on Ubuntu and Fedora Linux

Getting a CAC to work on Linux has gotten complicated with all the conflicting guides and half-baked tutorials flying around. As someone who runs Ubuntu as my daily driver and has spent way too many evenings getting smart card authentication to play nice with Firefox on a Linux box — I learned everything there is to know about making DoD CAC work on Ubuntu and Fedora without pulling your hair out. Today, I will share it all with you.

I’ll be straight with you: Linux CAC setup takes more effort than Windows or Mac. There’s no InstallRoot wizard, no ActivClient installer, no hand-holding. But once you get it dialed in, it’s actually really stable — I’d argue more stable than my Windows setup, which periodically decides to forget my certificates for no apparent reason.

Why Bother With Linux for CAC?


I get this question a lot, usually phrased as “why would you make your life harder?” Fair question. But there are some legit reasons:

  • Development work: A huge chunk of DoD development environments run on Linux. If you’re writing code for a Linux-based system, it makes sense to develop on one too.
  • Security-focused operations: Some cyber ops teams and security analysts prefer Linux because of the control it gives you. You know exactly what’s running and why.
  • Personal preference: I’m just more productive on Linux. I’ve been using it for years and the terminal workflow is second nature. Fighting with an OS I’m less comfortable in would slow me down.
  • Hardware compatibility: Got an older machine that Windows 11 won’t even install on? A lightweight Linux distro can breathe new life into it.

That said, I want to be upfront about the limitations. Some DoD websites flat-out won’t work on Linux — they rely on Windows-specific technology. And your base IT help desk probably won’t support your Linux setup. You’re largely on your own. Know that going in.

Picking the Right Distro

Ubuntu (My Recommendation)

Ubuntu gives you the best balance of user-friendliness and CAC compatibility. Stick with the LTS releases — 22.04 or 24.04 LTS. These get five years of security updates and have the most community documentation for CAC setups. When you inevitably hit a wall, there’s a much better chance someone on a forum has already solved your exact problem on Ubuntu LTS.

Fedora

Fedora is solid too. It tends to have newer packages out of the box, which can be an advantage — newer OpenSC, newer NSS tools. The flip side is it’s more cutting-edge, so you occasionally hit compatibility quirks after updates. Fedora 39 or 40 both work well for CAC.

Red Hat Enterprise Linux (RHEL)

If your organization provides RHEL licenses, honestly this is probably the best choice for DoD work. It’s the enterprise standard, it’s what a lot of government servers actually run, and the setup process is nearly identical to Fedora. If you’ve got access, use it.

Distros I’d Avoid for This

Probably should have led with this section, honestly. Arch Linux, Gentoo, and the other “build it from source” distros will technically work, but you’re adding a mountain of extra complexity. Rolling-release distros can randomly break your CAC setup after an update with zero warning. Stick with stable, mainstream options unless you genuinely enjoy debugging certificate chain issues at 11pm on a Sunday.

Hardware — What Reader to Get

Your CAC reader needs to be CCID-compliant, which thankfully most modern readers are. Here’s what I’ve personally tested and can vouch for on Linux:

  • SCR3310: The classic. Widely compatible, super reliable on Linux. This is what I use at home.
  • Identiv uTrust 3700F: Works great, and there’s a USB-C version if your machine doesn’t have USB-A ports.
  • HID Omnikey 3021: Good compatibility, compact design.

USB-C readers work fine through adapters in my experience. One thing I’d avoid: keyboard-integrated readers. They’re hit-or-miss on Linux. A standalone USB reader is way more reliable and easier to troubleshoot.

Step 1: Install the Software Stack

Ubuntu/Debian

Open a terminal and run these commands. Nothing fancy here — just pulling packages from the default repos:

sudo apt update
sudo apt install pcscd pcsc-tools opensc libengine-pkcs11-openssl libnss3-tools

Fedora/RHEL

sudo dnf install pcsc-lite pcsc-tools opensc nss-tools

Here’s what each package actually does, because I hate installing things without knowing why:

  • pcscd: The PC/SC Smart Card Daemon — this is the background service that talks to your reader. Without it, nothing works.
  • pcsc-tools: Diagnostic utilities. Specifically, pcsc_scan is invaluable for testing whether your reader and card are detected.
  • opensc: The smart card middleware. This is what translates between your CAC’s cryptographic operations and the applications trying to use them.
  • nss-tools: Tools for managing the NSS certificate database. Firefox and Chrome both use NSS, so you’ll need this.

Step 2: Fire Up the Smart Card Service

The pcscd service needs to be running before anything else will work:

sudo systemctl start pcscd
sudo systemctl enable pcscd

The first command starts it right now. The second tells the system to start it automatically on every boot. Don’t skip the enable step — forgetting it means your CAC will mysteriously stop working after the next reboot and you’ll spend twenty minutes figuring out why.

Step 3: Verify Your Reader Works

Plug in your CAC reader, slide your CAC in, and run:

pcsc_scan

You’re looking for output that looks something like this:

PC/SC device scanner
Scanning present readers...
Reader 0: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00
  Card state: Card inserted
  ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80

If you see “Card inserted” and an ATR value (that long hex string), you’re golden. Hit Ctrl+C to exit the scan. If it’s not detecting your reader, don’t move on to the next steps — nothing else will work until this part is sorted.

Reader Not Detected? Try These:

  1. Swap to a different USB port — rear ports on desktops tend to be more reliable than front panel or hub ports
  2. Run lsusb to see if the reader appears at the USB level at all. If it’s not there, it’s a hardware or driver issue.
  3. Restart the service: sudo systemctl restart pcscd
  4. Check kernel messages: dmesg | tail -20 — this might reveal a driver error you can search for

Step 4: Install DoD Root Certificates

This is the part of the process that is actually a plus for Linux users. On Windows, InstallRoot installs the DoD roots automatically. On Linux, we do it by hand, which means we actually understand what is being installed and where.

Get the Certificates

Download from the official DISA source:

  1. Visit public.cyber.mil/pki-pke/
  2. Grab the “PKI CA Certificate Bundles: PKCS#7” package
  3. Extract the zip

Or grab them from the command line if you prefer (I do):

wget https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip
unzip unclass-certificates_pkcs7_DoD.zip

Import Into Firefox’s Certificate Store

Firefox uses its own NSS database, completely separate from the system store. Here’s how to set it up and import the certs:

# Create the certificate database if it doesn't exist
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password

# Import each DoD root certificate
# Repeat for each .cer or .crt file in the bundle
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,CT,CT" -n "DoD Root CA 3" -i Certificates_PKCS7_v5.9_DoD/DoD_PKE_PEM/DOD_Root_CA_3.cer

That -t "CT,CT,CT" flag tells NSS to trust this certificate for SSL/TLS, email, and code signing. You’ll need to repeat the import command for each root CA file in the bundle. Yes, it’s repetitive. I usually write a quick bash loop to handle it.
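Here is the loop I mean, written out as an added example rather than anything from the original post or from DISA or OpenSC. It walks the PEM directory of the extracted bundle (the path is the one used in the certutil command above), gives the "CT,CT,CT" trust flags only to self-signed certificates (the actual roots), imports the intermediates with no direct trust (",,") so they are still available for chain building, and skips nicknames that already exist so it can be re-run after a bundle refresh. It assumes certutil and openssl are on PATH and that the files are PEM, as the DoD_PKE_PEM directory name suggests; the NSSDB and BUNDLE_DIR defaults can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original post, DISA or OpenSC): import a DoD
# PKI bundle into an NSS database, trusting only self-signed roots.
# Assumptions: PEM files with a .cer extension in BUNDLE_DIR, certutil and
# openssl on PATH. NSSDB defaults to the shared ~/.pki/nssdb from the post.

NSSDB="${NSSDB:-sql:$HOME/.pki/nssdb}"
BUNDLE_DIR="${BUNDLE_DIR:-Certificates_PKCS7_v5.9_DoD/DoD_PKE_PEM}"

# Turn a bundle filename such as DOD_Root_CA_3.cer into the nickname "DOD Root CA 3".
nickname_from_file() {
    base=$(basename "$1")
    base=${base%.*}                      # strip the extension
    printf '%s\n' "$base" | tr '_' ' '
}

# Trust decision on names alone: subject == issuer means self-signed, i.e. a
# root, which gets CA trust for TLS, e-mail and code signing. Anything else is
# an intermediate and is imported with no direct trust.
trust_flags_from_names() {
    if [ "$1" = "$2" ]; then
        printf '%s\n' "CT,CT,CT"
    else
        printf '%s\n' ",,"
    fi
}

# Same decision, read from the certificate file with openssl.
trust_flags_for() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
    trust_flags_from_names "${subj#subject=}" "${iss#issuer=}"
}

# Import every .cer in the bundle directory, creating the database if needed.
import_bundle() {
    dir="${1:-$BUNDLE_DIR}"
    if [ ! -d "$dir" ]; then
        echo "bundle directory '$dir' not found; extract the DISA zip first" >&2
        return 1
    fi
    dbpath="${NSSDB#sql:}"
    mkdir -p "$dbpath"
    [ -f "$dbpath/cert9.db" ] || certutil -d "$NSSDB" -N --empty-password
    for cert in "$dir"/*.cer; do
        [ -e "$cert" ] || continue       # glob matched nothing
        nick=$(nickname_from_file "$cert")
        flags=$(trust_flags_for "$cert") || { echo "skip: $cert is not parseable PEM" >&2; continue; }
        if certutil -d "$NSSDB" -L -n "$nick" >/dev/null 2>&1; then
            echo "skip: '$nick' already present"
            continue
        fi
        certutil -d "$NSSDB" -A -t "$flags" -n "$nick" -i "$cert"
        echo "imported: '$nick' with trust '$flags'"
    done
}

# Usage: sh import_dod_certs.sh import [bundle_dir]
if [ "${1:-}" = "import" ]; then
    import_bundle "${2:-}"
fi
```

One caveat worth knowing: ~/.pki/nssdb is the shared database that Chrome reads. Firefox keeps its own cert9.db inside its profile directory, so to load the same bundle into Firefox from the command line, point NSSDB at that profile (for example NSSDB="sql:$HOME/.mozilla/firefox/<profile>") with Firefox closed, or import through Firefox's own certificate manager as the post describes later.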

System-Wide Trust for Chrome/Chromium

Chrome pulls from the system trust store on Linux, so you need to install there too:

# Ubuntu/Debian
# update-ca-certificates only picks up files ending in .crt, so copy the
# bundle's PEM .cer files under a .crt name
for f in Certificates_PKCS7_v5.9_DoD/DoD_PKE_PEM/*.cer; do
    sudo cp "$f" /usr/local/share/ca-certificates/"$(basename "${f%.cer}").crt"
done
sudo update-ca-certificates

# Fedora/RHEL
# update-ca-trust reads PEM anchors regardless of extension
sudo cp Certificates_PKCS7_v5.9_DoD/DoD_PKE_PEM/*.cer /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Step 5: Tell Firefox About Your CAC

Firefox needs to know where the OpenSC PKCS#11 module lives so it can talk to your card:

  1. Open Firefox and type about:preferences#privacy in the address bar
  2. Scroll down to “Certificates” and click “Security Devices”
  3. Click “Load” to add a new module
  4. Name it something obvious like “CAC Module”
  5. For the module filename, enter the path to the OpenSC library

The path varies by distro:

  • Ubuntu: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  • Fedora: /usr/lib64/opensc-pkcs11.so

Click OK and you should be able to see your CAC certificates under “View Certificates” > “Your Certificates” tab. If they show up, Firefox can read your card. If not, double-check the module path and make sure pcscd is running.

Step 6: Set Up Chrome/Chromium

Chrome uses the same NSS database you set up earlier, so the certificate trust is already there. You just need to load the PKCS#11 module:

modutil -dbdir sql:$HOME/.pki/nssdb -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Close and reopen Chrome completely after running this. Not just new tab — close all Chrome windows and start fresh.

Step 7: The Moment of Truth

Time to test it. Try accessing a CAC-required site:

You should get a certificate selection dialog. Pick the authentication certificate — it usually has “DOD ID CA” in the issuer name. Enter your PIN, and if the page loads, congratulations. You’re running CAC on Linux. Welcome to the club.

When Things Go Wrong (And They Might)

“Error: No Matching Certificates”

This almost always means the DoD root certificates aren’t installed correctly in the browser’s certificate store. Go back to Step 4 and make sure every root CA got imported. Also double-check that you imported into the right database — Firefox and Chrome use different stores.

“Smart Card Not Found”

The basics, in order: Is pcscd running? (sudo systemctl status pcscd) Does pcsc_scan see your reader? Is the right PKCS#11 module path configured in your browser? One of those three things is the problem.
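Those three checks, plus the reader troubleshooting list from Step 3 and the per-distro module paths from Step 5, fit naturally into one script that stops at the first layer that fails, so you fix the right thing instead of reinstalling everything. This is an added example, not code from the original post or from the OpenSC project. It uses opensc-tool and pkcs11-tool, which come with the opensc package installed in Step 1, reads the distro ID from /etc/os-release, and maps a few Debian- and Red Hat-family IDs beyond the two the post names (an assumption on my part about where those distros put the library).

```shell
#!/bin/sh
# Added example (not from the original post or OpenSC): check the CAC stack
# layer by layer and report the first one that fails.
# Assumes the opensc package (opensc-tool, pkcs11-tool) and systemd.

# Map a distro ID from /etc/os-release to the OpenSC PKCS#11 path the post
# gives for Ubuntu and Fedora; the extra IDs are assumed to follow their parent
# family. Unknown IDs return an empty string so the caller can ask the user.
opensc_module_for() {
    case "$1" in
        ubuntu|debian)              printf '%s\n' /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so ;;
        fedora|rhel|centos|rocky|almalinux) printf '%s\n' /usr/lib64/opensc-pkcs11.so ;;
        *)                          printf '%s\n' "" ;;
    esac
}

detect_distro_id() {
    [ -r /etc/os-release ] && sed -n 's/^ID=//p' /etc/os-release | tr -d '"'
}

# Interpret captured pcsc_scan output (format as shown in Step 3):
# returns 0 when a "Card state: Card inserted" line is present.
card_inserted_in() {
    printf '%s\n' "$1" | grep -q 'Card state: Card inserted'
}

cac_doctor() {
    # Layer 1: the daemon
    if ! systemctl is-active --quiet pcscd; then
        echo "FAIL: pcscd is not running. Fix: sudo systemctl start pcscd && sudo systemctl enable pcscd"
        return 1
    fi
    echo "ok: pcscd is active"

    # Layer 2: a reader is visible to PC/SC
    readers=$(opensc-tool -l 2>&1) || { echo "FAIL: could not query readers: $readers"; return 2; }
    case "$readers" in
        *"No smart card readers found"*)
            echo "FAIL: no reader detected. Try another USB port, then lsusb and dmesg | tail -20"
            return 2 ;;
    esac
    echo "ok: reader(s) detected"

    # Layer 3: a card answers (opensc-tool -a prints the ATR, fails without a card)
    if ! atr=$(opensc-tool -a 2>/dev/null); then
        echo "FAIL: reader present but no card answered. Reseat the CAC and rerun"
        return 3
    fi
    echo "ok: card ATR $atr"

    # Layer 4: the PKCS#11 module the browser will load exists and sees certificates
    mod=$(opensc_module_for "$(detect_distro_id)")
    if [ -z "$mod" ] || [ ! -f "$mod" ]; then
        echo "FAIL: OpenSC PKCS#11 module not found at '${mod:-<unknown distro>}'. Check the path given to Firefox/modutil"
        return 4
    fi
    certs=$(pkcs11-tool --module "$mod" -O --type cert 2>/dev/null)
    if [ -z "$certs" ]; then
        echo "FAIL: $mod loads but lists no certificates on the card"
        return 5
    fi
    echo "ok: $mod reads the card; the browser should now show your certificates"
}

# Usage: sh cac_doctor.sh run
if [ "${1:-}" = "run" ]; then
    cac_doctor
fi
```

Run it with the card inserted and the browser closed. The exit code tells you which layer failed (1 daemon, 2 reader, 3 card, 4 module path, 5 module cannot read the card), which is exactly the order the post says to check them in.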

PIN Dialog Never Appears

If you can access the site but never get asked for a PIN, the browser isn’t loading the security module. In Firefox, check Privacy & Security > Security Devices. In Chrome, verify the modutil command actually worked. And make sure you started the browser AFTER pcscd was already running.

Site Works in Windows But Not Linux

Some DoD sites use ActiveX controls or other Windows-only technology. These will literally never work on Linux. Common offenders include older DTS interfaces, some MyPay functions, and legacy ATAAPS time and attendance systems. For these, you need a Windows machine or a VM. No way around it.

The Dual-Boot or VM Option

If you need both Linux and guaranteed Windows compatibility — and realistically, most DoD users do — consider dual-booting. Keep a Windows partition for the sites that won’t play nice with Linux, and use Linux for everything else.

You can also pass a USB CAC reader through to a VM using VirtualBox or VMware. It works, but it adds another layer of complexity that can break. I’ve done it successfully, but I wouldn’t call it elegant.

Maintaining Your Setup Over Time

Unlike Windows where ActivClient handles updates, Linux CAC users are responsible for their own maintenance:

  • System updates: Run sudo apt update && sudo apt upgrade or sudo dnf update regularly. Security patches matter.
  • DoD certificates: DISA refreshes the root CA bundle periodically, usually annually. Re-download and reinstall when new ones are issued.
  • OpenSC updates: Keep the middleware current when new versions hit your distro’s repos.

After any major system update, test your CAC setup. It only takes a minute to verify, and finding out your certs broke during a distro upgrade is way better than finding out when you’re trying to submit a travel voucher.

Quick Reference: Ubuntu Setup Commands

# Install packages
sudo apt update
sudo apt install pcscd pcsc-tools opensc libnss3-tools

# Start service
sudo systemctl start pcscd
sudo systemctl enable pcscd

# Test reader
pcsc_scan

# Set up certificate database
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password

# Add CAC module to Chrome
modutil -dbdir sql:$HOME/.pki/nssdb -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Quick Reference: Fedora Setup Commands

# Install packages
sudo dnf install pcsc-lite pcsc-tools opensc nss-tools

# Start service
sudo systemctl start pcscd
sudo systemctl enable pcscd

# Test reader
pcsc_scan

# Set up certificate database
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N --empty-password

# Add CAC module to Chrome
modutil -dbdir sql:$HOME/.pki/nssdb -add "CAC Module" -libfile /usr/lib64/opensc-pkcs11.so

Linux CAC setup is more work upfront than Windows or Mac, no question. But once it’s configured, it’s rock-solid. The key is getting the certificate chain and PKCS#11 module set up correctly — everything else flows from there. And honestly, going through this process teaches you more about how CAC authentication actually works than any Windows setup ever will.

Last tested: December 2025 on Ubuntu 24.04 LTS and Fedora 40.

John Bigley

About John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.

Mike Thompson

Author & Expert

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
