This page explains how to use your Common Access Card (CAC) PKI certificates with Debian. The information below is specific to CACs. See Smartcards for general smart card information with Debian. The intent for this page is to maintain a modern (as of July 2025) and secure solution to using CACs in Debian.
PKCS#11 middleware
1. Install OpenSC for your distribution https://packages.debian.org/bookworm/utils/opensc
1.a. (Optional) verify card reader is detected
$ opensc-tool -l
1.b. (Optional) verify card is being read
$ pkcs11-tool -O
Firefox
2. Add the PKCS#11 module in Firefox.
Go to: Menu > Settings > Privacy & Security > Security Devices (Security section) > Load button.
Device Manager
Module: OpenSC PKCS#11 (the name can be anything)
- Path: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
or
- Path: /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Chrome variants
Automatically configured.
DoD Root Certificates
3. Download the DoD Root Certificates and extract them from the ZIP archive.
https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip
Ex:
wget https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip
unzip unclass-certificates_pkcs7_DoD.zip
Expected output:
Archive: unclass-certificates_pkcs7_DoD.zip
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD.der.p7b
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD.pem.p7b
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD.sha256
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD_DoD_Root_CA_3.der.p7b
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD_DoD_Root_CA_4.der.p7b
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD_DoD_Root_CA_5.der.p7b
inflating: Certificates_PKCS7_v5_14_DoD/Certificates_PKCS7_v5_14_DoD_DoD_Root_CA_6.der.p7b
inflating: Certificates_PKCS7_v5_14_DoD/DoD_PKE_CA_chain.pem
inflating: Certificates_PKCS7_v5_14_DoD/README.txt
3.a. Update system CA certificates
Chrome-variant browsers should use the system's CA certificate store.
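sudo cp Certificates_PKCS7_v5_14_DoD/DoD_PKE_CA_chain.pem /usr/local/share/ca-certificates/DoD_PKE_CA_chain.crt
sudo update-ca-certificates
Note: the copy command deliberately renames the .pem to a .crt file, because update-ca-certificates only picks up files with a .crt extension.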
Expected output:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
3.b. For Firefox, open the Privacy & Security settings and press the View Certificates button.
Go to: Menu > Settings > Privacy & Security > View Certificates button > Authorities tab > Import button
- Select ~/Downloads/Certificates_PKCS7_v5_14_DoD/DoD_PKE_CA_chain.pem
When asked do you want to trust...
- Trust this CA to identify websites (select, required)
- Trust this CA to identify email users (optional)
Select OK button on the Import dialog and the OK button on the Certificate Manager dialog.
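To see exactly which CAs steps 3.a and 3.b add to your trust stores, the bundle can be reviewed one certificate at a time; `openssl x509` reads only the first certificate in a file, so the bundle is split first. This is an added example, not part of the original page; the function names and the cert-NN.pem file naming are assumptions made for it.

```shell
#!/bin/sh
# Added example: review a PEM CA bundle certificate by certificate before trusting it.
# Function names and the cert-NN.pem naming are assumptions of this example.

# Count the certificates in PEM bundle $1.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Write each certificate of bundle $1 to its own file $2/cert-NN.pem.
# Text outside the BEGIN/END markers (comments, blank lines) is dropped.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Print subject, issuer, expiry and SHA-256 fingerprint of one certificate,
# and flag it if it has already expired (requires the openssl CLI).
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || echo "  EXPIRED: $1"
}

# Review every certificate in bundle $1, one block of output per certificate.
review_bundle() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    echo "$(count_certs "$1") certificate(s) in $1"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue
        describe_cert "$f"
        echo
    done
    rm -rf "$dir"
}

# Run as: sh review-bundle.sh Certificates_PKCS7_v5_14_DoD/DoD_PKE_CA_chain.pem
if [ "$#" -gt 0 ]; then
    review_bundle "$1"
fi
```

Every subject listed should be a CA you expect to trust for website identification.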
4. Test your DoD PKI login.
Try logging into the CAC-only https://cyber.mil website. It may prompt for a certificate several times as it redirects through several pages.
Other PKI enabled sites:
