DOD CAC Card on Ubuntu Linux

NOTE:  I’m a retired government employee now with no CAC card.  I believe this blog may be somewhat outdated but I’ll keep it up and any readers should view the comments for updated configuration details.  Many thanks to those of you now minding the store!

So, you are a government employee AND a Linux geek. Join the club. It is possible to use your smart card to access DOD CAC Card enabled sites. A must-do project for the Linux geek in you.


I’m doing this with an IOGEAR GSR202 and it will work with a lot of other CAC Card readers as well. Also, I’m using Ubuntu 18.04.

First of all the information is taken from this excellent website.  While almost perfect there are a few minor issues that could foul a fella up.  I seek to clarify those here.

First, let’s download the Certs for your browser. They also come from the page I have linked above. Download here. Hold tight. We’ll get back to them.

Now we need to install some programs called pcscd and coolkey.  The easiest way to do this and grab dependencies is with Synaptic.  If you don’t have it, install it.

sudo apt-get install synaptic

Now open it as super user once it is installed.

sudo synaptic

In the search field type “pcsc”. Everything that installs with it should have a check mark in it, or be green if it is already installed. Just for fun I put a check in pcsc tools as well. Then hit apply to install.

Now do the same for Coolkey.  It will tell you to add the two dependencies listed below it.  Do that and hit apply to install.

Now open Firefox, go to “Preferences > Privacy And Security” and click “View Certificates”. Click the “Import” button and individually import each of those Certs you downloaded at the beginning of this. Click both “Trust” boxes before you import for each one. I’m not sure you have to click both boxes for all of them but it is the safe play. Have fun. This will take a while.

Once all the Certs are imported (I know you hated that part) now click on the box in the pic above that says “Security Devices”.  We now need to load the Coolkey module.  Click the “Load” button in the pic below.

Now name your Module DODCAC or something like that and set the path to /usr/lib/pkcs11 and select and then hit okay.

You should now be able to visit CAC Card enabled sites on FIREFOX browser only at this point.
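A pre-flight check for the module path in the last step, as an added example that is not part of the original post: it lists the shared objects in the two PKCS#11 directories named on this page and flags any file that is not an ELF library of the expected word size, which the browser cannot load. The function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for the PKCS#11 module Firefox is asked to load.
# The two directories are the ones named on this page; nothing else is assumed.
PKCS11_DIRS="/usr/lib/pkcs11 /usr/lib/x86_64-linux-gnu/pkcs11"

# Print 32 or 64 for an ELF file; return 1 for anything else
# (a directory, a text file, a truncated download, a dangling symlink).
elf_class() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # First five bytes: 0x7f 'E' 'L' 'F' followed by EI_CLASS (1 = 32-bit, 2 = 64-bit).
    hdr=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# check_modules WANT DIR...
# Prints "<verdict> <path>" for every *.so in the given directories, where
# verdict is ok, wrong-arch or not-elf. Missing directories are skipped.
check_modules() {
    want=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for so in "$dir"/*.so; do
            [ -e "$so" ] || continue      # glob matched nothing
            if cls=$(elf_class "$so"); then
                if [ "$cls" = "$want" ]; then echo "ok $so"
                else echo "wrong-arch $so"; fi
            else
                echo "not-elf $so"
            fi
        done
    done
}

# Usage on a real system (assumes the browser has the same word size as the OS):
#   check_modules "$(getconf LONG_BIT)" $PKCS11_DIRS
```

The path given to Firefox must be one of the files reported as `ok`, not the directory that contains it.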

41 thoughts on “DOD CAC Card on Ubuntu Linux”

  1. James Grow

    I attempted to import the certificates. However, I received the following error each time:

    “This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.”

    I used both the link you provided and the Military CAC specific link, but neither worked. Any help in getting this resolved would be appreciated.

      1. tko

        After you click on “View Certificates”, click on the “Authorities” tab and then import. The error happens when you try to import from the first “Your certificates” tab.

  2. Harry Pits

    When I go to add coolkey to the security devices I get a warning stating “unable to load module”. Downloaded all the necessary packages, have the latest version of firefox, and the package is in the correct directory. Help please?

    1. TJ

      I had this issue too. I uninstalled all of the packages mentioned, rebooted, and re-installed everything. I did not install “pcsc-tools” this time around. After reinstalling the packages, firefox accepted the file and loaded the module. Hope this helps!

  3. Ricky Cartner

    Wow, I’ve CAC enabled a few linux machines and followed at least 4 different instructions and this was by far the easiest to follow. MilitaryCAC has great information but as you said, is sometimes difficult to follow. Screenshots were a plus along with the use of the Synaptic GUI.

    1. Vovchyk

      Oh, nevermind. I was using my email cert instead of my signing cert. Works now. Great instructions, thanks! This is actually worlds easier than it ever was on my Mac.

  4. MikeD

    Thanks so much for the great walkthrough. Got this going in 2 minutes plus the time to load the certs 🙂
    I really appreciate it and looking forward to reading more on your blog. Seems like we have similar interests.

  5. melonstube

    Site contains CACkey in order to allow Firefox to access the CAC through the reader (Please remember this link needs to be accessed from an already CAC enabled computer)

  6. Todd Bissell

    FYI: the module in question is now named “/usr/lib/pkcs11/”.

    Great article, thanks for posting this!

  7. S.Yee

    Using ubuntu 16.04. Both Firefox and Chrome are not able to pick up the PIV ID Cert from my CAC , but both browsers can see my other 3 certs, namely the CAC ID, Email Signature, and Email Encryption. Anyone know how to get PIV ID Cert to be select-able from the browser authentication prompt when access certain DoD sites that require the PIV ID Cert instead of the basic CAC ID Cert?

    1. N@t3D0g

      I also do not see the PIV certs in the options to select. Guess we’ll see what happens as my org transitions soon to PIV for sign in. If anyone finds a way to make these visible then I would love to know!

    2. Michael

      Unfortunately CoolKey will not access the PIV certificate. In order to use PIV, you will need to uninstall CoolKey and use either CACkey or OpenSC. Both work for me quite well, but the module you will need to load is no longer “”. On my Ubuntu 19.10 box with OpenSC the module I needed to load is “/usr/lib/x86_64-linux-gnu/pkcs11/”

      1. andrew

        Thank-you so very much for the update! My wife is a V/A behavioral health nurse and trying to wfh as much as possible now w/ covid-19. The card reader was the last piece of the puzzle to have her up and running on our Linux systems.

        1. Pete

          I wanted to echo Andrew’s thanks. Tons of searching and trying; following your steps got me into EE.


      2. Brian

        CAC Reader would not work with CoolKey. Solved problem by using OpenSC (/usr/lib/x86_64-linux-gnu/pkcs11/

        1. Rob

          OpenSC is what I needed to solve my problem as well. Many thanks to the original author and Brian for making this comment.

      3. Mr. Mike

        Confirmed! You need to switch to OpenSC to get Firefox and Chrome to work with the new PIV compliant CAC that DOD issues out nowadays. I’m using Ubuntu 20.04 LTS and followed Michael’s instructions above. I was able to get to the DOD Office 365 environment and even join a TEAMS call on Chrome.

  8. N@t3D0g

    You sir are amazing. Simple to do and worked flawlessly for Firefox.
    A couple of things worthwhile to have on this page (also on MilitaryCAC’s linux page or Ubuntu’s community page on CAC, but adding in a comment so all in one place):
    1) In terminal run the application pcsc-scan (I think this comes with pcsc-tools) to see the status of your card reader, if it gives you a “Card state:” of any sort you should be good to go, if it keeps searching, you may have an issue with the reader you are using

    $ pcsc-scan

    2) For Chrome/Chromium setup on Ubuntu distro (I’m running elementaryOS 5.1/Ubuntu 18.04 for context), after you complete the steps here for Firefox and get that working:
    a) Install libnss3-tools (if not already installed)

    $ sudo apt-get install libnss3-tools

    b) Close Chrome/Chromium if open (I would just close all web browsers to be safe, based on the warning you get in terminal for the next step)
    c) With CAC inserted into CAC reader, ensure in /home and add “CAC Module” pkcs11 library

    $ cd ~
    $ modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/pkcs11/

    d) You should get a message saying ‘Module “CAC Module” added to database.’ You can also test if added using the following command:

    $ modutil -dbdir sql:.pki/nssdb/ -list

    Output should have at least 2 entries with first being “NSS Internal PKCS #11 Module” and the second being “CAC Module” where your name should appear in the token (LASTNAME.FIRSTNAME.MIDDLENAME.######; where ###### are first 6 digits of your DOD ID number)

    e) Test out Chrome/Chromium and see if it works!
    I got this working on Chrome and tested in webmail and aim 2.0 with success. The only question I have now is if there is a way to get S/MIME control in Firefox or Chrome/Chromium so I don’t have to figure out how to get Internet Explorer going in linux to send/receive encrypted emails…

  9. Rob S

    I got as far as loading the CoolKey module. After clicking “Security Devices”, I noticed that my “DODCAC” is not listed in the Device Manager window. The reader is a USB SCR 3310 and the drivers are already loaded.
    I didn’t use CACKey. The link appears to be broken.

    Any ideas as what might be wrong?

  10. Michael S

    When using the above method, I get a screen that asks for my “Master Password”. I enter my pin and on the next page I get to select the certificate to use. The problem is the correct certificate is not offered: I have a choice between a CA49 and CA51. I know I need a CA52 but it doesn’t give me the option to select it.

    How can I force it to give me that choice?

  11. Timothy Cook

    During the install of OpenSC and all the packages it depends on I receive the below prompt. Does anyone have helpful steps for this?

    “OpenDNSSEC requires manual configuration before the signer and enforcer daemons can be started.”

    “One of these configuration steps consists of installing and configuring a Hardware Security Module (HSM) that will handle the cryptographic key operations. Most people will want to use the software HSM implementation provided by the recommended softhsm2 package, but other options are possible.”

    “The file /etc/opendnssec/prevent-startup is created during fresh installations and prevents the daemons from being automatically started. You should remove this file and start the daemons once you have configured OpenDNSSEC.”

  12. Walter Johnson

    Made it all the way to the last step and can’t load the it keeps saying, “Unable to add module”
    Anyone have a solution for this. Frustrating to make it to the last step and not get finished.

  13. Wylie Bayes

    I followed your steps and am able to import the coolkey module and then see my SCM card reader device. It asks me to login to coolkey which I assume is my pin number. But then I immediately get this message after entering my pin:

    Secure Connection Failed

    An error occurred during a connection to SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

  14. Wylie Bayes

    I get everything working, then I “Login” to coolkey with my PIN of my CAC. It says I’m logged in. But no matter what I get:

    Secure Connection Failed

    An error occurred during a connection to SSL peer was unable to negotiate an acceptable set of security parameters.


    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    🙁 🙁

  15. Timothy Ball

    Thank you for this page. This is awesome. I can get into everything except enterprise mail. However, every time I open firefox I get a message to enter my pin with the line “Please enter the password for the PKCS#11 token”. What have I done wrong?

  16. Anthony Bitner

    So I followed all your steps, everything looked great, but when I go to a site requiring my CAC, right after I input my pin, firefox crashes? This happened on multiple sites. I’m not sure if it might be a problem with the browser or the certs.

  17. repcomm

    It’s 2021 and I needed to use Firefox 84.0.2 on Ubuntu/Gnome 20

    That whole step with installing certs one by one is no longer required:

    What I did:
    1. Moving certs to a convenient location so we don’t have to have full file paths for all of them
    Extracted all cert files to ~/.mozilla/certificates per:

    2. Create or edit /usr/lib/firefox/distribution/policies.json file per:

    Mine looks like this (policies.json):
    {
      "policies": {
        "Certificates": {
          "ImportEnterpriseRoots": true,
          "Install": [
            "DOD EMAIL CA-33.cer",
            "DOD ID CA-40.cer",
            "DOD ID SW CA-47.cer",
            "DOD EMAIL CA-34.cer",
            "DOD ID CA-41.cer",
            "DOD ID SW CA-48.cer",
            "DOD EMAIL CA-39.cer",
            "DOD ID CA-42.cer",
            "DOD ID SW CA-60.cer",
            "DOD EMAIL CA-40.cer",
            "DOD ID CA-43.cer",
            "DOD ID SW CA-61.cer",
            "DOD EMAIL CA-41.cer",
            "DOD ID CA-44.cer",
            "DOD EMAIL CA-42.cer",
            "DOD ID CA-49.cer",
            "DOD EMAIL CA-43.cer",
            "DOD ID CA-50.cer",
            "DOD EMAIL CA-44.cer",
            "DOD ID CA-51.cer",
            "DOD EMAIL CA-49.cer",
            "DOD ID CA-52.cer",
            "DOD SW CA-53.cer",
            "DOD EMAIL CA-50.cer",
            "DOD ID CA-59.cer",
            "DOD SW CA-54.cer",
            "DOD EMAIL CA-51.cer",
            "DOD ID SW CA-35.cer",
            "DOD SW CA-55.cer",
            "DOD EMAIL CA-52.cer",
            "DOD ID SW CA-36.cer",
            "DOD SW CA-56.cer",
            "DOD EMAIL CA-59.cer",
            "DOD ID SW CA-37.cer",
            "DOD SW CA-57.cer",
            "DOD ID CA-33.cer",
            "DOD ID SW CA-38.cer",
            "DOD SW CA-58.cer",
            "DOD ID CA-34.cer",
            "DOD ID SW CA-45.cer",
            "DOD ID CA-39.cer",
            "DOD ID SW CA-46.cer"
          ]
        }
      }
    }

    Using only the filenames without their path works because we put them where firefox is looking for them.
    If you’re not using ubuntu, you can see where to put them for your system from this doc:–install

    Substituting this information for importing the certs makes life way easier.
    If you’re reading this in late late 2021, the certs are likely expired, and you’ll need to try and find the new ones. In this case, the cert files and example policies.json will have to be changed too.

    Related links I used to help figure this out:
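One way to avoid typing the file list by hand, as an added example that is not repcomm’s own script: generate policies.json from the `.cer` files actually present in the certificate directory, so the policy and the files cannot drift apart when the certs are replaced. The function names are made up for this example; the paths in the usage comment are the ones from the comment above.

```shell
#!/bin/sh
# Added example: build the Firefox "Certificates" policy from the *.cer files
# found in a directory instead of maintaining the list by hand.

# Escape backslashes and double quotes so a file name is a valid JSON string.
# (Control characters in file names are not handled.)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# make_policy DIR
# Writes policies.json to stdout, listing every *.cer file in DIR by file name.
# Returns 1 and prints nothing when DIR holds no certificates, so an empty
# policy never replaces a working one.
make_policy() {
    dir=$1
    set -- "$dir"/*.cer
    [ -e "$1" ] || return 1
    printf '{\n  "policies": {\n    "Certificates": {\n'
    printf '      "ImportEnterpriseRoots": true,\n      "Install": [\n'
    first=1
    for f in "$@"; do
        [ "$first" = 1 ] || printf ',\n'
        first=0
        printf '        "%s"' "$(json_escape "${f##*/}")"
    done
    printf '\n      ]\n    }\n  }\n}\n'
}

# Usage (paths taken from the comment above):
#   make_policy ~/.mozilla/certificates > /tmp/policies.json &&
#   sudo install -m 644 /tmp/policies.json /usr/lib/firefox/distribution/policies.json
```

Every file listed under `Install` becomes a trusted authority in Firefox, so the directory should hold only the DoD certificates downloaded for this purpose.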

  18. Oscar

    Can someone help? When I try adding “CAC Module” to pkcs11 library, I get this error:
    ocr@ocr:/home$ modutil -dbdir sql:.pki/nssdb/ -add “CAC Module” -libfile /usr/lib/pkcs11/
    ERROR: Not expecting argument “Module””.

    What am I doing wrong, or what am I forgetting?

    1. Pedro Lopez-Fernandez

      The error suggests that the blank in “CAC Module” is the problem. Replacing “CAC Module” with “CAC_Module” should fix the error.

  19. Pedro Lopez-Fernandez

    First, thanks for this great page.

    My contribution should help those using opensc instead of coolkey and those who want to set up Chrome or a Chrome-derivative browser after setting up Firefox.

    I used opensc instead of coolkey in Kubuntu 20.04. I found the instructions at:
    very useful indeed for setting up Firefox.

    In any case, those instructions deal with Firefox. To set up Chrome or a Chrome-based browser, after setting up Firefox I followed the instructions in the comment above by:
    posted December 23, 2019 at 12:13 pm
    and replaced the command:
    $ modutil -dbdir sql:.pki/nssdb/ -add "CAC_Module" -libfile /usr/lib/pkcs11/
    (notice the use of “CAC_Module” in lieu of “CAC Module” in the command)
    with the following:
    $ modutil -dbdir sql:.pki/nssdb/ -add "CAC_Module" -libfile /usr/lib/x86_64-linux-gnu/pkcs11/
    and things worked fine for my Chrome-based browser.
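The modutil registration from the comments above, wrapped so it is safe to rerun (an added example, not code from any commenter): it rejects typographic quotes pasted from a web page, which the shell does not treat as quoting, refuses a library path that is not a file, and skips the add when the module is already listed. The function names and the list-line format it matches are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): add a PKCS#11 module to the NSS database
# used by Chrome/Chromium, guarding against the failures reported above.
# modutil ships in libnss3-tools; only options already shown in the comments
# (-dbdir, -list, -add, -libfile) are used.

# True if $1 contains a typographic double quote. The shell does not treat
# these as quoting, so -add “CAC Module” reaches modutil as two words.
has_curly_quotes() {
    case "$1" in
        *“*|*”*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the `modutil -list` output on stdin has an entry named exactly $1.
# Assumed entry format: "  2. CAC Module" (number, dot, name).
module_listed() {
    awk -v name="$1" '
        { line = $0 }
        sub(/^[ \t]*[0-9]+\.[ \t]+/, "", line) {
            sub(/[ \t]+$/, "", line)
            if (line == name) found = 1
        }
        END { exit !found }'
}

# add_pkcs11_module NAME LIBFILE [DBDIR]
# Returns 0 if the module is (now) registered, 2 on curly quotes,
# 3 if LIBFILE is not a regular file, otherwise modutil's own status.
add_pkcs11_module() {
    name=$1; lib=$2; db=${3:-sql:$HOME/.pki/nssdb}
    if has_curly_quotes "$name$lib"; then
        echo "retype the quotes: curly quotes are not shell quoting" >&2
        return 2
    fi
    if [ ! -f "$lib" ]; then
        echo "$lib is not a file; give the full path to the .so" >&2
        return 3
    fi
    if modutil -dbdir "$db" -list | module_listed "$name"; then
        echo "$name is already registered in $db"
        return 0
    fi
    modutil -dbdir "$db" -add "$name" -libfile "$lib"
}
```

With plain quotes a module name containing a blank is passed as one argument, so both "CAC Module" and "CAC_Module" are accepted.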
