What is a CAC card?
The Common Access Card is both a photo ID and a cryptographic smart card. Embedded in the chip are PKI certificates — one for identity/authentication (PIV Auth), one for digital signing, and one for email encryption — issued under the DoD PKI. When you insert the card into a reader, software on your computer reads those certificates and uses the card's private keys to prove who you are without ever exposing the key itself.
Because the private keys never leave the chip, a CAC is far more secure than a username and password. The trade-off is that your computer needs the right reader, drivers, and middleware before any of it works.
Who needs a CAC card?
- Active-duty military across all branches.
- DoD civilian employees.
- Eligible contractors and consultants working on DoD systems.
- Select reservists, National Guard members, and eligible family members for specific services.
Hardware you need: CAC readers
Any USB CCID-compliant smart-card reader that is on the DoD-approved list will work. You don't need an expensive model — reliability matters more than price.
Reader recommendations
- USB desktop readers (e.g. Identiv SCR3310 v2, SCM/HID Omnikey 3021) — the most common and trouble-free.
- Laptop-friendly readers — compact, bus-powered USB models that don't need an external supply.
- Built-in laptop slots — many government laptops have a built-in smart-card slot; for personal machines a USB reader is simplest.
- Avoid unpowered USB hubs — plug the reader directly into the computer to avoid intermittent detection.
Software you need: middleware
Middleware is the bridge between the card and your applications. On modern Windows you may not need separate middleware at all, but the DoD ecosystem still relies on a few well-known options.
Common CAC middleware options
| Middleware | Cost | Best for |
|---|---|---|
| Windows built-in minidriver | Free | Windows 10/11 — often works with no extra install |
| ActivClient | Paid / org-licensed | Enterprise DoD environments, full feature set |
| OpenSC | Free / open-source | Personal machines, macOS and Linux |
| DISA-provided tools | Free | Certificates, InstallRoot DoD trust chain |
Install the DoD root certificates (InstallRoot)
Even with a working reader, sites will throw trust errors until your computer trusts the DoD PKI. The DoD Cyber Exchange publishes the InstallRoot tool, which loads the DoD root and intermediate certificate authorities into your trust store. Run it before troubleshooting browser errors — many "certificate not trusted" problems disappear immediately afterward.
Windows setup walkthrough
Get-Service SCardSvr | Select Name, Status, StartType Get-PnpDevice -Class SmartCardReader
Step-by-step
- Plug the reader into a rear/direct USB port and insert the CAC.
- Open Device Manager → Smart card readers. The reader should appear with no yellow warning. If it shows "Microsoft Usbccid Smartcard Reader (WUDF)", it's working.
- Confirm the Smart Card service is running: open services.msc, find Smart Card (SCardSvr), set Startup type to Automatic and Start it.
- Run InstallRoot to load DoD certificates.
- Open certmgr.msc → Personal → Certificates. Your CAC certificates should be listed once the card is inserted.
Mac setup walkthrough
macOS Big Sur and later include native smart-card (CryptoTokenKit) support, so many CACs work without third-party middleware. If your card isn't recognised, OpenSC fills the gap.
- Insert the CAC. Run security list-smartcards in Terminal — your card should be listed.
- If nothing appears, install OpenSC and re-test.
- Install the DoD certificates using the Mac InstallRoot/Keychain bundle from the DoD Cyber Exchange.
- Use Safari for the smoothest CAC experience on macOS, as it reads the system Keychain directly.
security list-smartcards sc_auth identities
Browser setup (each is different)
Chrome & Edge
On Windows, Chrome and Edge both use the Windows certificate store (CAPI). Once your CAC certificate appears in certmgr.msc and DoD roots are installed, both browsers will prompt you to select your certificate. Fully restart the browser if the prompt doesn't appear.
Firefox
Firefox keeps its own certificate store and won't see your CAC automatically. Go to Settings → Privacy & Security → Security Devices → Load, then point it at the OpenSC PKCS#11 module (opensc-pkcs11.dll on Windows, opensc-pkcs11.so on macOS/Linux).
Accessing CAC-protected websites
With reader, middleware, DoD roots, and browser configured, you can reach the common CAC sites — MilConnect, Army Knowledge Online (AKO), TRICARE, MyPay, and others. When a site loads, you'll be prompted to choose a certificate — pick the PIV Authentication (Identity) certificate, then enter your CAC PIN.
Common errors and solutions
| Error | Likely cause | Fix |
|---|---|---|
| Reader not detected | Service stopped or USB power | Start SCardSvr; use a direct USB port |
| No certificates available | Middleware/DoD roots missing | Run InstallRoot; install OpenSC/ActivClient |
| Certificate not trusted | DoD chain not installed | Run InstallRoot to load DoD CAs |
| PIN locked | Too many wrong attempts | Visit a RAPIDS/ID office to reset |
| Page cannot be displayed | Browser store mismatch | Restart browser; load PKCS#11 in Firefox |
Frequently asked questions
Can civilians use CAC cards?
Only eligible DoD-affiliated personnel are issued a CAC — that includes DoD civilian employees and eligible contractors, not the general public. If you work for or with the DoD, your sponsoring organization issues the card through a RAPIDS office.
Does CAC work on a personal computer?
Yes. With an approved USB reader, the DoD root certificates installed via InstallRoot, and either the built-in Windows minidriver, OpenSC, or ActivClient, a CAC works on a personal Windows or Mac machine. You do not need a government-issued computer for most CAC-protected sites.
Which middleware is best for a CAC card?
On Windows 10/11, try the built-in minidriver first — it often works with nothing extra. If a site still fails, OpenSC (free) is the simplest add-on for personal machines, while ActivClient is the standard in managed DoD environments.
My CAC PIN is locked — what do I do?
A locked CAC PIN cannot be reset remotely. You must visit a RAPIDS/DEERS ID card office to unlock or reset it. Plan ahead, because remote support can't bypass this DoD security control.
Related guides & services
CAC card still not working?
If your reader, middleware, or browser still won't cooperate, get expert help on a screen-shared remote session and we'll get your Common Access Card signing and authenticating again.
Independent consulting engagement — not affiliated with DocuSign, Adobe, Microsoft, or any certificate authority.