I was recently able to get my DoD CAC (Common Acccess Card) working on Linux, following a discovery on AKO (Army Knowledge Online) that others had also done so, and had posted their instructions and results. I did not install from Mandriva packages, but from the tarballs as instructed, for better control over the entire process.
Update: This also works on Kubuntu 7.10 (Gutsy Gibbon). Here is a forum link with more info.
Another update, with another forum link: How To: Set up and use a DOD Common Access Card (CAC) for Army Knowledge Online (AKO)
Here is a summary of the steps to take:
- Download the following tarball files and extract them (tar xvfz filename.tar.gz):
- libusb – Project URL:”http://libusb.sourceforge.net/”
- pcsc-lite – Project URL:”http://pcsclite.alioth.debian.org/”
- pcsc-tools – Project URL:”
- ccid – Project URL:”
- CoolKey – Project URL:”
- Make the install directories, along with a critical build-time directory – “mkdir -p /usr/cac/lib/pkgconfig”
- Set the build variable – “declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig” – this is only needed for building, not later using these tools.
- Change to the respective directories and configure/make/make install:
- cd libusb0.1.12 && ./configure –prefix=/usr/cac && make && make install, then cd up one directory
- cd pcsclite1.4.0 && ./configure –prefix=/usr/cac && make && make install, then cd up one directory
- cd pcsctools1.4.8 && edit “Makefile” – change “DESTDIR” to “/usr/cac” && make && make install, then cd up one directory
- cd ccid1.2.1 && ./configure –prefix=/usr/cac && make && make install, then cd up one directory
- cd coolkey-1.1.0 && ./configure –prefix=/usr/cac && make && make install, then cd up one directory
- If you have an ActiveCard Gold 2.0 USB device, edit “/usr/cac/pcsc/drivers/ifdccid.bundle/Contents/Info.plist” around line 38 and change “<string>0×0000</string>” to “<string>0×0004</string>”
- Plug in the reader – the green light should come on (I am using an SCM SCR-331 USB smartcard reader).
- Run “/usr/cac/sbin/pcscd” – later, add to /etc/rc.local or use whatever means to ensure it starts at system boot
Now, set up Firefox (I do not use Thunderbird, but similar steps can be taken – instructions can likely be Googled):
- Import the certs into Firefox, one at a time:
- “Encryption” tab
- “View Certificates” button
- “Authorities” tab
- “Import” button.
- Root certs may have to be exported from Explorer first, other certs can be found at “https://crl.chamb.disa.mil/”.
- Insert CAC into reader – the green light should flash.
- Add “CAC Module” to Firefox as a Security Device
- “Encryption” tab
- “Security Devices” button
- “Load” button
- Enter “CAC Module” as the module name, and browse to “/usr/cac/lib/pkcs11/libcoolkeypk11.so” for the module filename.
Now, go to a CAC protected site, like www.us.army.mil, choose to login with the CAC, and enter PIN when prompted for “Master Password”. To ensure access for some sites that require you to choose a certificate, select “Ask me every time” on the Firefox Preferences-Advanced-Encryption page (“When a web site requires a certificate:”).
Be aware – ccid will squawk about your SCR firmware version if it is 4.13 or lower (calls it “bogus”), and instruct you to either upgrade the firmware or get a newer card reader. There is *NO* visible difference between the right and wrong versions of the readers – both say SCR331 on the dataplate on the bottom of the reader. However, I noticed that the part number of the good reader is 904622, while the PN of the unusable reader is 904054.
Lotsa trial and error went into getting these steps worked out, and as soon as I figure out how to upgrade the firmware (it is apparently devilishly hard to do, as the available instructions are sparse and do not work for me), I ‘ll post it as a new article.
Huge credits go to Jerome Brock and Kenneth L. Van Alstyne, Jr. – Mr. Brock wrote this up on AKO, and Mr. Van Alstyne wrote up the original write paper that Mr. Brock found and followed.