USB CAC Reader Setup

USB CAC readers are the standard for most DoD employees and contractors. This guide walks through complete setup from unboxing to first authentication, covering Windows, Mac, and Linux.

Before You Start

Gather these items:

  • Your USB CAC reader
  • Your CAC (Common Access Card)
  • Your CAC PIN
  • Administrator access to install software (if needed)

Step 1: Connect the Reader

USB Port Selection

  • Preferred: USB ports directly on your computer
  • Acceptable: Powered USB hubs
  • Avoid: Unpowered USB hubs, keyboard/monitor USB ports

Physical Connection

  1. Plug the USB connector firmly into the port
  2. Wait 10-30 seconds for detection
  3. Look for the LED indicator on the reader (it usually lights up when powered)
  4. Windows shows a “Setting up device” notification for new readers

Step 2: Verify Detection

Windows 10/11

  1. Right-click the Start button
  2. Select “Device Manager”
  3. Expand “Smart card readers”
  4. Your reader should appear (e.g., “Microsoft Usbccid Smartcard Reader”)

macOS

  1. Open System Information (Apple menu > About This Mac > System Report)
  2. Select USB in the sidebar
  3. Your reader should appear in the USB device list

Linux

lsusb | grep -i smart

Or check with pcsc_scan, which ships in the pcsc-tools package and needs the pcscd service running (both are covered in Step 3).
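
The lsusb | grep -i smart check only matches readers whose product name contains "smart". As an added example (not part of the original guide), the script below finds readers by their USB interface class in lsusb -v output instead; the sample device list, the IDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect CCID smart card readers by USB interface class
# rather than by product name.

# Read `lsusb -v` text on stdin and print the header line of every device
# that exposes an interface of class 11 (0x0b, shown as "Chip/SmartCard").
find_ccid_readers() {
    awk '
        /^Bus [0-9]+ Device [0-9]+:/ { dev = $0; reported = 0; next }
        $1 == "bInterfaceClass" && $2 == 11 && !reported {
            print dev; reported = 1
        }
    '
}

# Name-based match used in the guide, applied to the same input for comparison.
find_by_name() {
    grep '^Bus ' | grep -i smart
}

# Constructed sample, trimmed to the lines the parser needs.
# Vendor/product IDs and device names are made up.
sample_lsusb_v() {
    cat <<'EOF'
Bus 001 Device 002: ID 1111:0001 Example Corp. USB Keyboard
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 003: ID 2222:0002 Example Corp. CCID Token Reader
    Interface Descriptor:
      bInterfaceClass        11 Chip/SmartCard
Bus 001 Device 004: ID 3333:0003 Example Corp. Keyboard with SmartCard slot
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
    Interface Descriptor:
      bInterfaceClass        11 Chip/SmartCard
EOF
}

# Live check on a real system: sh ccid-check.sh --live
if [ "${1:-}" = "--live" ]; then
    lsusb -v 2>/dev/null | find_ccid_readers
fi
```

On the sample input, the class-based check reports devices 003 and 004, while the name-based check reports only device 004.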

Step 3: Install Required Software

Windows: DoD Certificates

  1. Download InstallRoot from DISA’s PKI site
  2. Run the installer as Administrator
  3. Accept all certificates when prompted
  4. Restart your browser

Windows: Middleware (Optional)

Windows has built-in smart card support, but ActivClient adds features:

  • Download from your organization’s software portal
  • Install as Administrator
  • Restart when prompted

macOS: Required Software

  1. Download the DoD PKE bundle for Mac from DISA
  2. Install the PKI certificates
  3. Some Macs need additional smart card drivers

Linux: Install Packages

# Ubuntu/Debian
sudo apt install pcscd pcsc-tools opensc

# Fedora/RHEL
sudo dnf install pcsc-lite pcsc-tools opensc

Start the service:

sudo systemctl start pcscd
sudo systemctl enable pcscd

Step 4: Insert Your CAC

  1. Hold your CAC with the gold chip facing up (for most readers)
  2. Insert slowly until it clicks or seats fully
  3. The reader LED typically changes (blinks or changes color)
  4. Wait a few seconds for the card to be recognized

Step 5: Configure Your Browser

Chrome and Edge

These browsers use the Windows certificate stores automatically. No additional configuration is needed after the DoD certificates are installed.

Firefox

Firefox needs manual configuration:

  1. Open Firefox Settings
  2. Search for “Security Devices”
  3. Click “Security Devices”
  4. Click “Load”
  5. Name it “CAC Module”
  6. Browse to your PKCS#11 module:
    • Windows with ActivClient: C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll
    • Windows without ActivClient: C:\Windows\System32\opensc-pkcs11.dll
    • Linux: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  7. Click OK and restart Firefox

Step 6: Test Authentication

Test Sites

What to Expect

  1. Navigate to a CAC-enabled site
  2. Browser prompts you to select a certificate
  3. Choose your certificate (usually the one with your email address)
  4. Enter your PIN when prompted
  5. Site loads after successful authentication

Troubleshooting Quick Fixes

No Certificate Prompt

  • Remove and reinsert the card
  • Restart the browser
  • Check Device Manager for reader detection

Wrong Certificate or PIN Error

  • Clear browser cache and cookies
  • Close all browser windows and reopen
  • Verify you’re selecting the correct certificate

Reader LED Not Lighting

  • Try a different USB port
  • Test with a different computer if available
  • The reader may be defective

Daily Usage Tips

  • Insert card before opening browser for smoothest experience
  • Remove card when stepping away (security best practice)
  • Don’t force bent or damaged cards into the reader
  • Keep your PIN private—never share or write it down
Mike Thompson

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
