CAC Reader Not Working on Linux — Fix It Fast
Linux CAC setup has gotten complicated with all the outdated Windows-centric guides flying around. As someone who spent three genuinely miserable days troubleshooting a CAC reader on Ubuntu 22.04, I learned everything there is to know about this subject. Today, I will share it all with you.
The short version: I was a government contractor, my reader wouldn’t work, and every guide I found assumed I was on Windows. The middleware wouldn’t install. Firefox couldn’t see the card. pcscd was either running or it wasn’t — and nobody explained which one actually mattered. I eventually cracked it. You won’t have to.
Why CAC Readers Fail on Linux
But what is a CAC reader failure, really? In essence, it’s one of three layers breaking down.
Layer one: the USB driver recognizes the physical hardware. Layer two: the pcscd daemon — PCSC Lite — talks to the reader and handles card protocols. Layer three: your browser’s PKCS#11 module connects to pcscd and hands the certificate off to the website. All three have to work. All three have to work together.
Most failures trace back to pcscd not running, a missing opensc package, or a browser that’s never been pointed at the middleware library. Windows handles this automatically. Linux does not. That’s what makes this whole thing so frustrating for DoD employees and contractors who just want to do their jobs.
The hardware itself almost never fails — at least not in my experience. The SCR3310, the Gemalto eToken, the Identiv readers: they all work fine on Linux. The problem is nearly always the daemon or the browser cert configuration. Every single time.
Step 1 — Install and Start the Required Packages
Open a terminal. You’ll need sudo access. The exact commands differ depending on your distro — I’ll cover Ubuntu/Debian and Fedora/RHEL separately.
For Ubuntu or Debian
Run these four commands in order:
sudo apt update
sudo apt install pcscd pcsc-tools opensc libccid
sudo systemctl enable pcscd
sudo systemctl start pcscd
First line refreshes your package list. Second installs the smart card daemon, diagnostic tools, the OpenSC middleware, and the USB reader driver — all in one shot. Third makes pcscd start automatically at boot. Fourth starts it right now, immediately, no reboot required.
For Fedora, RHEL, or CentOS
Use dnf instead:
# Fedora names the CCID driver pcsc-lite-ccid; opensc already includes the PKCS#11 module
sudo dnf install pcsc-lite pcsc-lite-libs pcsc-tools opensc pcsc-lite-ccid
sudo systemctl enable pcscd
sudo systemctl start pcscd
Fedora splits the daemon and libraries into separate packages. Slightly annoying. Everything else is identical to the Ubuntu process.
Check That pcscd Is Running
Type this:
sudo systemctl status pcscd
You want “active (running)” in green. If you’re seeing “inactive (dead)” or any kind of error, pcscd failed to start — probably a USB permissions issue. Run this:
sudo udevadm control --reload-rules && sudo udevadm trigger
Then try starting pcscd again. Usually fixes it.
Run pcsc_scan to See If Your Reader Is Detected
Insert your CAC into the reader, plug the reader into USB, and run:
pcsc_scan
Within about five seconds, you should see something like this:
PC/SC device scanner
V 1.5.2 (c) 2001-2011, Ludovic Rousseau
Using reader plug'n play mechanism
Scanning present readers...
0: Identiv SCR3310 [CCID] 00 00
Sitting at “Waiting for the first reader…” means the driver isn’t loaded or there’s a USB permission problem. Go back and recheck pcscd status before moving on.
Step 2 — Verify Your CAC is Being Read
Probably should have opened with this section, honestly. It saves hours of debugging in the wrong direction.
Once pcsc_scan shows your reader, press Ctrl+C to stop it. Then run:
opensc-tool -n
This lists every card the system can see. Output should look roughly like:
# Card 0 (X.509 Certificate for Digital Signature)
Using reader with a card: Identiv SCR3310 [CCID] 00 00
Card type: DoD CAC (Common Access Card)
“No readers found” here — but pcsc_scan worked fine — points squarely at browser-level configuration. Not hardware. Don’t make my mistake of swapping readers for two days before figuring that out.
Frustrated by a blank response or an error? Try:
opensc-tool -i
This pulls detailed card info. On older SCR3310 readers — anything from 2015 or earlier — you may technically need a firmware update, though DoD stopped requiring that around 2020. Most readers just work as-is.
Step 3 — Configure Your Browser to Use the CAC
This is where Ubuntu and Fedora users diverge from each other and completely depart from anything Windows instructions will tell you. Your browser needs to know exactly where the PKCS#11 module lives on disk.
Firefox on Ubuntu or Debian
The module path is: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Open Firefox. Type about:preferences#privacy in the address bar. Scroll down to “Security.” Click “Security Devices” or “Manage Certificates” — it varies slightly by version. Look for “OpenSC Smartcard Framework” in the left sidebar. Not there? Click “Load” and paste the path above. Close the dialog. Restart Firefox completely — all windows, not just the tab.
Firefox on Fedora or RHEL
The path is different here: /usr/lib64/opensc-pkcs11.so
Everything else is identical. Hit about:preferences#privacy, find Security Devices, load the module using that Fedora path, restart the browser. Done.
Chrome or Chromium on Any Linux Distro
Chrome uses the NSS certificate database — a different approach entirely. You have to add the module at the system level:
modutil -dbdir sql:$HOME/.pki/nssdb -add OpenSC -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
(On Fedora, swap in /usr/lib64/opensc-pkcs11.so instead.)
Close and reopen Chrome. Visit any DoD or government CAC-protected site and you should see a PIN prompt appear. That’s the sign everything is connected properly.
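The three layers from the start of this guide can be checked in one pass. The script below is an added example, not part of the original article: triage and live_triage are hypothetical helper names, the sample outputs are constructed, and it inspects only the Chrome/Chromium NSS database (Firefox keeps its module list in its own profile).

```sh
#!/bin/sh
# Added example: name the first broken layer from what each tool reports.

# triage SERVICE_STATE SOCKET_STATE PCSC_SCAN_OUTPUT MODUTIL_LIST_OUTPUT
triage() {
  # pcscd is checked first: without it pcsc_scan cannot see any reader.
  # Under systemd pcscd is commonly socket-activated, so an inactive
  # service with an active pcscd.socket still counts as available.
  if [ "$1" != "active" ] && [ "$2" != "active" ]; then
    echo "pcscd: daemon not running"; return 0
  fi
  # pcsc_scan prints one "N: <reader name>" line per detected reader.
  if ! printf '%s\n' "$3" | grep -Eq '[0-9]: [[:alnum:]]'; then
    echo "reader: none detected (driver or USB permissions)"; return 0
  fi
  # modutil -list shows the library path of every module in the NSS database.
  if ! printf '%s\n' "$4" | grep -q 'opensc-pkcs11\.so'; then
    echo "browser: OpenSC PKCS#11 module not loaded in NSS database"; return 0
  fi
  echo "ok: all three layers respond"
}

# Gather the real inputs. modutil ships in libnss3-tools (Debian/Ubuntu)
# or nss-tools (Fedora); timeout stops pcsc_scan, which otherwise runs forever.
live_triage() {
  triage "$(systemctl is-active pcscd.service)" \
         "$(systemctl is-active pcscd.socket)" \
         "$(timeout 5 pcsc_scan 2>&1)" \
         "$(modutil -dbdir "sql:$HOME/.pki/nssdb" -list 2>&1)"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_SCAN='Scanning present readers...
0: Identiv SCR3310 [CCID] 00 00'
SAMPLE_MODULES='  1. NSS Internal PKCS #11 Module
  2. OpenSC
     library name: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'

if [ "${1:-}" = "--live" ]; then
  live_triage
else
  triage inactive active "$SAMPLE_SCAN" "$SAMPLE_MODULES"
fi
```

Run it with --live on the affected machine; without arguments it only exercises the constructed samples.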
Import DoD Root Certificates
Your browser also needs to trust the DoD certificate authority — otherwise even a working CAC gets rejected. Download the DoD root cert bundle from http://militarycac.com. Mirrors exist, but that’s the official source.
For Ubuntu, run:
sudo cp DoD_Root_CA.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates
For Fedora, run:
sudo cp DoD_Root_CA.crt /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust
Firefox users can also import directly via about:preferences#privacy → Certificates → Import.
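Anything copied into the system trust store becomes a root of trust, and the bundle above is fetched over plain HTTP, so the file is worth checking against a fingerprint obtained through a separate trusted channel before the copy. The script below is an added example, not from the original article; EXPECTED_SHA256 is a placeholder and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: gate the trust-store copy on a fingerprint check.
# EXPECTED_SHA256 is a placeholder; fill it from a channel you already
# trust, not from the page the certificate was downloaded from.
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256_FINGERPRINT"

# norm_fp STRING -> uppercase hex, separators and any "label=" prefix removed
norm_fp() {
  printf '%s' "${1##*=}" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# cert_fp FILE -> normalized SHA-256 fingerprint of a PEM certificate
cert_fp() {
  norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# is_self_signed FILE -> success when subject and issuer match (a root)
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer) || return 1
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# verify_root FILE EXPECTED -> success only for a self-signed certificate
# whose fingerprint equals EXPECTED; the reason for a failure goes to stderr.
verify_root() {
  want=$(norm_fp "$2")
  case $want in
    *[!0-9A-F]*|'') echo "expected fingerprint is not hex" >&2; return 2 ;;
  esac
  [ "${#want}" -eq 64 ] || { echo "expected value is not SHA-256 length" >&2; return 2; }
  is_self_signed "$1" || { echo "not a self-signed root" >&2; return 1; }
  got=$(cert_fp "$1")
  [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
}

# Usage: sh verify-root.sh DoD_Root_CA.crt   (file name as used above)
if [ -n "${1:-}" ]; then
  verify_root "$1" "$EXPECTED_SHA256" && echo "fingerprint ok: proceed with the copy"
fi
```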
Still Not Working — Common Errors and Fixes
pcscd Crashes or Won’t Start
Check for port conflicts. Another service might be sitting on the smart card socket already. Run:
sudo lsof -i :35963
Something else listening there? Stop it, uninstall the conflicting package, then restart pcscd. I’m apparently running a fairly clean Ubuntu install and this never bit me — but colleagues on shared dev machines hit it constantly.
No PIN Prompt When You Visit a CAC-Protected Site
Your browser doesn’t see the module. Verify it loaded:
modutil -dbdir sql:$HOME/.pki/nssdb -list
“OpenSC” should appear in that list. Missing? Run the modutil command again from Step 3. It’s there but you’re still getting no prompt? The site might be running an outdated certificate chain. Try a different DoD site — https://militarycac.com works well as a test.
Site Accepts Your Certificate But Returns an Access Denied Error
Your CAC is being read correctly. Your account or role simply isn’t authorized for that resource. That’s not a Linux problem — that’s an IT or permissions problem. Contact your IT department or your commanding officer. The middleware is doing exactly what it should.
Linux CAC access is fully supported across every DoD branch. Four packages, the daemon running, and a browser pointed at the right PKCS#11 library. That’s it. Once you’ve done it once, honestly, you’ll be faster than any Windows user waiting on a driver update that broke their reader — again.