How to Set Up CAC Readers on Linux

Linux users can authenticate with their CAC for DoD websites and other PKI-enabled services, though setup requires more manual configuration than Windows. This guide covers the major distributions—Ubuntu, Fedora, and RHEL—with step-by-step instructions for each.


Prerequisites for All Distributions

Before starting, ensure you have:

  • A USB CAC reader (most common models work on Linux)
  • Your CAC card and PIN
  • Administrator (sudo) access to your system
  • Firefox or Chrome browser installed

Ubuntu Setup (20.04 LTS / 22.04 LTS / 24.04 LTS)

Step 1: Install Required Packages

sudo apt update
sudo apt install pcscd pcsc-tools opensc opensc-pkcs11 libpam-pkcs11 libnss3-tools

Step 2: Start and Enable the Smart Card Service

sudo systemctl start pcscd
sudo systemctl enable pcscd

Step 3: Verify Card Detection

Insert your CAC and run:

pcsc_scan

You should see your reader detected and card information displayed. Press Ctrl+C to exit.

Step 4: Install DoD Certificates

wget https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DoD.zip
unzip certificates_pkcs7_DoD.zip
cd certificates_pkcs7_DoD
# Convert each PKCS#7 bundle to PEM
for cert in *.p7b; do
  openssl pkcs7 -inform DER -in "$cert" -print_certs -out "${cert%.p7b}.pem"
done
# update-ca-certificates only reads files ending in .crt, so rename on copy
for pem in *.pem; do
  sudo cp "$pem" "/usr/local/share/ca-certificates/${pem%.pem}.crt"
done
sudo update-ca-certificates

Step 5: Configure Firefox

  1. Open Firefox and go to Settings > Privacy & Security
  2. Scroll to Security Devices and click it
  3. Click “Load”
  4. Module Name: “CAC Module”
  5. Module filename: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  6. Click OK
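
Ubuntu's update-ca-certificates only picks up files ending in .crt and works best with one certificate per file, while the openssl pkcs7 -print_certs command in Step 4 writes every certificate of a bundle into a single file. The following is an added example, not part of the original guide, that splits such a file into individual .crt files; the function name split_pem_bundle and the default dod-ca prefix are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: split the multi-certificate PEM written by
# `openssl pkcs7 -print_certs` into one .crt file per certificate.

# split_pem_bundle BUNDLE OUTDIR [PREFIX]   (hypothetical helper name)
# Writes OUTDIR/PREFIX-001.crt, PREFIX-002.crt, ... and prints the count.
# The subject=/issuer= text lines that -print_certs emits are dropped.
split_pem_bundle() {
  local bundle=$1 outdir=$2 prefix=${3:-dod-ca}
  [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
  mkdir -p "$outdir" || return 1
  awk -v dir="$outdir" -v pre="$prefix" '
    /^-----BEGIN CERTIFICATE-----/ {
      n++
      out = sprintf("%s/%s-%03d.crt", dir, pre, n)
      inside = 1
    }
    inside { print > out }          # copy only lines inside a PEM block
    /^-----END CERTIFICATE-----/ {
      if (inside) close(out)
      inside = 0
    }
    END {
      # A BEGIN line without its END means the bundle was cut short.
      if (inside) { print "truncated certificate block" > "/dev/stderr"; exit 2 }
      print n + 0
    }
  ' "$bundle"
}

# Run directly: ./split.sh BUNDLE.pem OUTDIR [PREFIX]
if [ "$#" -ge 2 ]; then
  split_pem_bundle "$@"
fi
```

Before copying the results into /usr/local/share/ca-certificates/, each file can be checked with openssl x509 -noout -subject -in FILE to confirm it parses as a certificate.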

Fedora Setup (38 / 39 / 40)

Step 1: Install Required Packages

sudo dnf install pcsc-lite pcsc-tools opensc nss-tools

Step 2: Start the Smart Card Service

sudo systemctl start pcscd
sudo systemctl enable pcscd

Step 3: Verify Card Detection

pcsc_scan

Step 4: Install DoD Certificates

Download and convert the certificates as in Ubuntu Step 4, then copy the resulting .pem files to Fedora's trust anchor directory instead:

sudo cp *.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Step 5: Configure Firefox

Same as Ubuntu, but module path is:

/usr/lib64/opensc-pkcs11.so

RHEL Setup (8 / 9)

Step 1: Enable Required Repositories

# RHEL 9 shown; on RHEL 8 use codeready-builder-for-rhel-8-x86_64-rpms
sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms

Step 2: Install Packages

sudo dnf install pcsc-lite pcsc-tools opensc nss-tools

Step 3: Start Services

sudo systemctl start pcscd
sudo systemctl enable pcscd

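Step 4: Certificate Installation

Download and convert the DoD certificates to .pem as in Ubuntu Step 4, then run the following from the directory that holds them:

sudo cp *.pem /etc/pki/ca-trust/source/anchors/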
sudo update-ca-trust extract

Step 5: Firefox Configuration

Module path: /usr/lib64/opensc-pkcs11.so

Chrome/Chromium Configuration

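Chrome uses the shared NSS database in your home directory (~/.pki/nssdb), so register the OpenSC module there. The path below is the Fedora/RHEL location; on Ubuntu use /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so instead:

modutil -dbdir "sql:$HOME/.pki/nssdb" -add "CAC Module" -libfile /usr/lib64/opensc-pkcs11.so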

Restart Chrome after adding the module.

Troubleshooting Common Issues

“No Certificates Found”

  • Verify pcscd service is running: systemctl status pcscd
  • Check card detection: opensc-tool -l
  • Verify PKCS#11 module is loaded in browser

“Card Not Detected”

  • Try a different USB port
  • Check lsusb to see if reader appears
  • Restart pcscd: sudo systemctl restart pcscd

“PIN Incorrect” When PIN is Correct

  • Clear browser cache and certificates
  • Remove and reinsert card
  • Restart pcscd service

Additional Tips

  • Use pkcs11-tool --list-slots to verify card communication
  • Firefox ESR tends to be more stable for CAC use than rapid-release Firefox
  • Some sites work better in Chrome than Firefox on Linux
  • Keep opensc and pcsc-lite packages updated
Mike Thompson


Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
