Linux Setup

CAC Setup for Linux

Complete installation guide for major Linux distributions (Ubuntu, Fedora, Debian, etc.).

Requirements

Modern Linux distribution (Ubuntu 20.04+, Fedora 34+, etc.)
Root/sudo access for package installation
USB smart card reader
Active internet connection

Install Required Packages

Install OpenSC and PCSC-Lite for smart card support. Commands vary by distribution.

Ubuntu / Debian

sudo apt update
sudo apt install opensc pcscd pcsc-tools

Fedora / RHEL / CentOS

sudo dnf install opensc pcsc-lite pcsc-tools

Arch Linux

sudo pacman -S opensc ccid pcsclite

Start PCSC Service

Enable and start the PC/SC smart card daemon:

sudo systemctl enable pcscd
sudo systemctl start pcscd

Verify Service Status:

sudo systemctl status pcscd

The service should show as "active (running)"

Connect CAC Reader & Test

Connect your USB smart card reader and verify detection:

pcsc_scan

This command will display detected readers and cards. Press Ctrl+C to exit. You should see your card reader listed and your CAC detected when inserted.

Install DoD Certificates

Download and install DoD root certificates:

Manual Certificate Installation

Linux certificate installation varies by distribution. You'll need to manually extract and copy certificates to your system's trust store.

General Steps:

Download DoD certificates from public.cyber.mil
Extract certificate files (.cer or .pem format)
Copy to /usr/local/share/ca-certificates/ (Ubuntu/Debian) or /etc/pki/ca-trust/source/anchors/ (Fedora/RHEL)
Run update command:

# Ubuntu/Debian
sudo update-ca-certificates

# Fedora/RHEL
sudo update-ca-trust

Configure Browsers

Chrome / Chromium

Chrome should automatically detect OpenSC. If not, you may need to install the libnss3-tools package and configure the NSS database.

Firefox (Recommended)

Firefox requires manual PKCS#11 module configuration:

Open Firefox → Settings → Privacy & Security
Scroll to "Security Devices" and click
Click "Load"
Module Name: OpenSC
Module Path: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (location may vary)
Click OK and restart Firefox

Find your opensc-pkcs11.so location with: find /usr -name opensc-pkcs11.so

Test Your Setup

1. Insert your CAC into the reader
2. Open Firefox or Chrome
3. Navigate to a CAC-enabled test site
4. Select your authentication certificate when prompted
5. Enter your PIN

Additional Testing

Test CAC detection from command line: pkcs11-tool --list-slots

Troubleshooting Tips

If reader isn't detected, check USB connections and try a different port
Ensure pcscd service is running: sudo systemctl status pcscd
Check system logs: journalctl -u pcscd -f
Some readers require additional drivers from the manufacturer

Having Issues?View FAQs