Linux Setup
CAC Setup for Linux
Complete installation guide for major Linux distributions (Ubuntu, Fedora, Debian, etc.).
Requirements
- Modern Linux distribution (Ubuntu 20.04+, Fedora 34+, etc.)
- Root/sudo access for package installation
- USB smart card reader
- Active internet connection
1
Install Required Packages
Install OpenSC and PCSC-Lite for smart card support. Commands vary by distribution.
Ubuntu / Debian
sudo apt update
sudo apt install opensc pcscd pcsc-tools
Fedora / RHEL / CentOS
sudo dnf install opensc pcsc-lite pcsc-tools
Arch Linux
sudo pacman -S opensc ccid pcsclite
2
Start PCSC Service
Enable and start the PC/SC smart card daemon:
sudo systemctl enable pcscd
sudo systemctl start pcscd
Verify Service Status:
sudo systemctl status pcscd
The service should show as "active (running)"
3
Connect CAC Reader & Test
Connect your USB smart card reader and verify detection:
pcsc_scan
This command displays detected readers and cards. Press Ctrl+C to exit. You should see your card reader listed, and your CAC detected when it is inserted.
4
Install DoD Certificates
Download and install DoD root certificates:
Manual Certificate Installation
Linux certificate installation varies by distribution. You'll need to manually extract and copy certificates to your system's trust store.
General Steps:
- Download DoD certificates from public.cyber.mil
- Extract certificate files (.cer or .pem format)
- Copy to /usr/local/share/ca-certificates/ (Ubuntu/Debian) or /etc/pki/ca-trust/source/anchors/ (Fedora/RHEL)
- Run update command:
# Ubuntu/Debian
sudo update-ca-certificates
# Fedora/RHEL
sudo update-ca-trust
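
The extract and copy steps above can be scripted before the update command is run. The following is an added example, not part of the original guide: it converts each extracted file to PEM, skips anything that is not a CA certificate, prints the subject and SHA-256 fingerprint for review, and writes the result with a .crt suffix, the only suffix update-ca-certificates picks up. The function name stage_ca_certs, its directory arguments and the ./dod-certs path are assumptions, and the openssl command-line tool must be installed.

```sh
#!/bin/sh
# Added example, not from the original guide. stage_ca_certs and its two
# directory arguments are hypothetical names; requires the openssl CLI.

# stage_ca_certs SRC_DIR DEST_DIR
# Writes every CA certificate found in SRC_DIR to DEST_DIR as PEM with a .crt
# suffix. One certificate per file is assumed; from a bundle only the first
# certificate is read.
stage_ca_certs() {
    src=$1
    dest=$2
    staged=0
    mkdir -p "$dest" || return 1
    tmp=$(mktemp) || return 1

    for f in "$src"/*.cer "$src"/*.pem "$src"/*.crt; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it

        # Accept PEM or DER input and always write PEM out.
        if ! openssl x509 -in "$f" -inform PEM -out "$tmp" 2>/dev/null &&
           ! openssl x509 -in "$f" -inform DER -out "$tmp" 2>/dev/null; then
            echo "skip (not an X.509 certificate): $f" >&2
            continue
        fi

        # Only CA certificates belong in the system trust store.
        if ! openssl x509 -in "$tmp" -noout -text | grep -q 'CA:TRUE'; then
            echo "skip (not a CA certificate): $f" >&2
            continue
        fi

        # Print what is about to be trusted so it can be reviewed first.
        openssl x509 -in "$tmp" -noout -subject -fingerprint -sha256

        name=$(basename "$f")
        # mktemp files are mode 600; install them world-readable like other anchors.
        install -m 644 "$tmp" "$dest/${name%.*}.crt" || { rm -f "$tmp"; return 1; }
        staged=$((staged + 1))
    done

    rm -f "$tmp"
    echo "staged $staged certificate(s) in $dest"
    [ "$staged" -gt 0 ]           # non-zero exit status if nothing was staged
}

# Usage as root (./dod-certs is a placeholder), then run the update command:
#   stage_ca_certs ./dod-certs /usr/local/share/ca-certificates     # Ubuntu/Debian
#   stage_ca_certs ./dod-certs /etc/pki/ca-trust/source/anchors     # Fedora/RHEL
```
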
5
Configure Browsers
Chrome / Chromium
Chrome should automatically detect OpenSC. If not, you may need to install the libnss3-tools package and configure the NSS database.
Firefox (Recommended)
Firefox requires manual PKCS#11 module configuration:
- Open Firefox → Settings → Privacy & Security
- Scroll to "Security Devices" and click
- Click "Load"
- Module Name: OpenSC
- Module Path: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (location may vary)
- Click OK and restart Firefox
Find your opensc-pkcs11.so location with:
find /usr -name opensc-pkcs11.so
6
Test Your Setup
1. Insert your CAC into the reader
2. Open Firefox or Chrome
3. Navigate to a CAC-enabled test site
4. Select your authentication certificate when prompted
5. Enter your PIN
Additional Testing
Test CAC detection from command line:
pkcs11-tool --list-slots
Troubleshooting Tips
- If the reader isn't detected, check USB connections and try a different port
- Ensure the pcscd service is running:
sudo systemctl status pcscd
- Check system logs:
journalctl -u pcscd -f
- Some readers require additional drivers from the manufacturer