Firefox handles certificates differently than Chrome or Edge. Instead of using the Windows certificate store, Firefox maintains its own certificate database. This means you need to import DoD certificates directly into Firefox and configure it to recognize your CAC reader—extra steps, but once configured, Firefox often provides the most reliable CAC experience.

Why Firefox Handles CAC Differently
Firefox uses the Network Security Services (NSS) library for certificate management, separate from Windows. Benefits include:
- More control over which certificates you trust
- Consistent behavior across Windows, Mac, and Linux
- Doesn’t break when Windows updates change certificate policies
The tradeoff: more initial setup required.
Step 1: Download DoD Certificates
Get the DoD certificate bundle:
- Visit public.cyber.mil/pki-pke/
- Download “PKI CA Certificate Bundles: PKCS#7 for DoD”
- Extract the zip file to a folder you can find later
Alternatively, use InstallRoot from MilitaryCAC—it includes the option to export certificates for Firefox.
Step 2: Import Root Certificates into Firefox
- Open Firefox and navigate to about:preferences#privacy
- Scroll down to “Certificates” and click “View Certificates”
- Select the “Authorities” tab
- Click “Import”
- Navigate to your extracted DoD certificates folder
- Select each root CA certificate (.cer or .crt files) and import them
- When prompted, check “Trust this CA to identify websites”
- Repeat for all DoD Root CA certificates (2, 3, 4, 5)
You’ll also need to import intermediate certificates. Look for files named “DOD ID CA-XX” or “DOD EMAIL CA-XX” and import those to the Authorities tab as well.
Step 3: Configure Firefox Security Device
Tell Firefox where to find your CAC middleware:
- In Firefox, go to about:preferences#privacy
- Scroll to “Certificates” and click “Security Devices”
- Click “Load”
- Enter a module name like “CAC Reader” or “ActivClient”
- For the module filename, enter the path to your PKCS#11 library:
Common PKCS#11 module paths:
- ActivClient: C:\Program Files\HID Global\ActivClient\acpkcs211.dll
- OpenSC (if installed): C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
- 90Meter (Air Force): Check your installation directory
Click OK. If successful, you’ll see your CAC reader listed under Security Devices, and your certificates should appear when you insert your CAC.
Step 4: Verify CAC Certificates
- Go back to about:preferences#privacy → “View Certificates”
- Click the “Your Certificates” tab
- With your CAC inserted, you should see certificates issued to your name
- You’ll typically see multiple certificates: ID, EMAIL, and possibly SIGNATURE
If certificates don’t appear:
- Try removing and reinserting your CAC
- Verify the security module loaded correctly
- Restart Firefox with your CAC already inserted
Step 5: Test CAC Login
Navigate to a CAC-enabled site:
- Go to milConnect or your service portal
- Firefox should prompt “User Identification Request”
- Select your DoD ID certificate
- Enter your CAC PIN
- The site should load
Common Firefox CAC Problems
“SEC_ERROR_UNKNOWN_ISSUER”
Firefox doesn’t trust the site’s certificate chain:
- Import missing intermediate certificates
- Verify all DoD root CAs are imported in the Authorities tab
- Check that imported certificates are marked as trusted for websites
No Certificate Selection Dialog
- Security device module not loaded—check about:preferences#privacy → Security Devices
- CAC not inserted when Firefox started
- Middleware not running (check ActivClient in system tray)
- PKCS#11 module path is incorrect
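To check the module-related causes above without clicking through the Security Devices dialog, the following added example (not part of the original article) reads pkcs11.txt, the file in the Firefox profile folder where NSS records loaded PKCS#11 modules, and flags library paths that no longer exist or are not on an approved list. The function names, the allowlist parameter and the sample stanzas are assumptions made for illustration; the sample profile is constructed.

```python
import os
import tempfile
from pathlib import Path

def parse_pkcs11_txt(text):
    """Split pkcs11.txt into one dict per module; stanzas are separated by blank lines."""
    modules, current = [], {}
    for line in text.splitlines() + [""]:
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
        elif not key and current:            # blank line closes the stanza
            modules.append(current)
            current = {}
    return modules

def audit_modules(profile_dir, allowed_libraries=()):
    """Return (name, library, status) per external module; NSS's built-in one is skipped."""
    norm = lambda p: os.path.normcase(os.path.normpath(p))
    allowed = {norm(p) for p in allowed_libraries}
    text = Path(profile_dir, "pkcs11.txt").read_text(encoding="utf-8", errors="replace")
    report = []
    for mod in (m for m in parse_pkcs11_txt(text) if m.get("library")):
        library = mod["library"]
        if not os.path.isfile(library):
            status = "MISSING"               # wrong path, or middleware was uninstalled
        elif allowed and norm(library) not in allowed:
            status = "UNEXPECTED"            # loaded, but not on the approved list
        else:
            status = "OK"
        report.append((mod.get("name", "(unnamed)"), library, status))
    return report

# Constructed sample in the pkcs11.txt layout; demo() fills in the library paths.
SAMPLE = ("library=\nname=NSS Internal PKCS #11 Module\nNSS=Flags=internal,critical\n\n"
          "library={good}\nname=CAC Reader\n\n"
          "library={gone}\nname=Old Middleware\n\n"
          "library={other}\nname=Helper\n")

def demo():
    with tempfile.TemporaryDirectory() as profile:
        good, gone, other = (os.path.join(profile, n) for n in ("acpkcs211.dll", "gone.dll", "other.dll"))
        for stand_in in (good, other):       # empty stand-in files, not real middleware
            Path(stand_in).write_bytes(b"")
        Path(profile, "pkcs11.txt").write_text(SAMPLE.format(good=good, gone=gone, other=other))
        return [(name, status) for name, _, status in audit_modules(profile, [good])]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real machine, call audit_modules with your profile folder and the middleware path you entered in Step 3 as the only allowed library. A MISSING entry corresponds to the incorrect-path cause in the list above.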
“SSL_ERROR_HANDSHAKE_FAILURE_ALERT”
Usually a certificate chain or timing issue:
- Ensure CAC is fully inserted
- Check system date/time is accurate
- Try clearing Firefox’s cache and restarting
“Card Not Recognized” When Entering PIN
- Try a different USB port
- Restart the Smart Card service (services.msc)
- Check if the reader works with other applications
Firefox Certificate Database Maintenance
Firefox stores certificates in a file called cert9.db in your profile folder. If you experience persistent issues:
- Close Firefox completely
- Navigate to %APPDATA%\Mozilla\Firefox\Profiles
- Find your profile folder (random characters.default-release)
- Rename cert9.db to cert9.db.backup
- Restart Firefox—it will create a new certificate database
- Re-import DoD certificates and reconfigure the security device
This is a “nuclear option” but resolves most persistent certificate issues.
Enable Enterprise Roots (Optional)
Firefox can optionally use Windows’ certificate store in addition to its own. This is helpful on managed computers:
- Navigate to about:config
- Accept the warning
- Search for security.enterprise_roots.enabled
- Set it to true
This allows Firefox to trust certificates installed via Windows/Active Directory, reducing the need for manual imports.
Firefox ESR vs Regular Firefox
Some organizations require Firefox ESR (Extended Support Release):
- ESR: More stable, fewer updates, longer support cycle—preferred for enterprise
- Regular: Latest features, frequent updates
CAC configuration is identical for both. If your IT department provides Firefox ESR, use that version.
Quick Setup Checklist
- [ ] Download DoD certificate bundle from cyber.mil
- [ ] Import root CAs to Firefox → Authorities tab
- [ ] Import intermediate CAs to Firefox → Authorities tab
- [ ] Load security device module (PKCS#11 path)
- [ ] Verify CAC certificates appear in “Your Certificates”
- [ ] Test login on milConnect or similar site
Firefox requires more initial setup than Edge, but once configured correctly, it typically provides stable CAC performance with fewer unexpected issues after browser updates.
Last updated: December 2025
About Jack Ashford
Jack Ashford is a DoD cybersecurity specialist with over 12 years supporting military IT infrastructure. He holds Security+ and CAC certifications and has worked as systems administrator for multiple DoD agencies. Jack specializes in PKI certificate management, CAC troubleshooting, and secure authentication systems, helping military personnel and contractors resolve access issues quickly.