Why CAC Readers Struggle on Linux
CAC setup on Linux has gotten complicated with all the misinformation flying around. Three weeks. That’s how long I spent troubleshooting a CAC reader on my Ubuntu workstation before the actual problem became obvious — it wasn’t the hardware at all. Linux makes you manually assemble the entire middleware stack that Windows quietly handles for you. The Department of Defense built its CAC infrastructure around Windows and macOS. Linux? Apparently doesn’t exist as far as they’re concerned.
The CAC middleware stack is the chain of software components that lets your operating system talk to a smart card. It is the difference between a card reader that does nothing and one that actually authenticates you on government sites. Most Linux distros ship with none of it out of the box. You need pcscd (the smart card daemon), pcsc-tools for testing, OpenSC (the PKCS#11 module that actually talks to your card), and libccid (the driver for USB smart card readers). Skip libccid and your reader won’t even power on. The good news: it’s fixable in roughly twenty minutes. You’ll use a terminal, but nothing exotic.
Step 1 — Install the Required Packages
Plug nothing in yet. Install the software stack first. Commands differ between Debian/Ubuntu and Fedora/RHEL systems, so I’ll cover both.
For Debian and Ubuntu
Open a terminal and run:
sudo apt update
sudo apt install pcscd pcsc-tools opensc libccid
Four packages total. libccid is the one that actually matters most — it’s the driver powering USB smart card readers. I skipped it on my first attempt, assuming pcscd would handle everything on its own. It won’t. Don’t make my mistake.
After installation, enable and start the pcscd service:
sudo systemctl enable pcscd
sudo systemctl start pcscd
For Fedora and RHEL
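Use dnf instead of apt. The package names differ on these systems: pcsc-lite provides the pcscd daemon, and pcsc-lite-ccid is the CCID reader driver that Debian calls libccid:
sudo dnf install pcsc-lite pcsc-lite-ccid pcsc-tools opensc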
Same systemctl commands follow:
sudo systemctl enable pcscd
sudo systemctl start pcscd
That enable step is not optional. Without it, pcscd won’t start after a reboot. Your browser will silently fail to detect the reader — no error, just nothing. I learned that after rebooting and spending a solid hour convinced I’d broken the whole setup.
Step 2 — Verify Your Reader Is Detected
Now plug in the reader. Insert your CAC card. Then run:
pcsc_scan
Give it a few seconds. Working output looks something like this:
PC/SC device scanner
V 1.5.2 (c) 2001-2011, Ludovic Rousseau
Scanning present readers...
0: Identiv SCL010 Contactless Reader 00 00
If you see your reader name and an “ATR:” line followed by hex characters, you’re good. That hex string is your card’s answer-to-reset — proof the reader and card are actually communicating. Hit Ctrl+C to exit.
Nothing showing up? First, confirm the reader is physically seated and powered on — some have an indicator light. Then check the hardware level directly:
lsusb | grep -i smart
Or just run lsusb and scan through the full list manually. Watch for vendor names like Identiv, Gemalto, or Reiner SCT. Reader shows up in lsusb but not pcsc_scan? That’s a missing libccid situation. Go back and install it.
Step 3 — Configure Your Browser to Use the CAC
Your browser needs to know where the PKCS#11 module lives. That means configuring the NSS (Network Security Services) database. Both Firefox and Chrome use it — the paths just differ.
For Firefox
Close Firefox. Completely. Don’t minimize it. Check your system monitor if you’re unsure. Then run:
modutil -dbdir "sql:$HOME/.mozilla/firefox/[profile].default-release" -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Swap [profile] for your actual Firefox profile folder name. Not sure what it is? Check inside ~/.mozilla/firefox/ and find the folder ending in .default-release. If Firefox is still running anywhere in the background, this command fails silently. No error, no warning. Just doesn’t work. That’s apparently by design, and it’s infuriating.
Once done, open Firefox and navigate to Settings → Privacy & Security → Certificates → Security Devices. “OpenSC” should appear as a listed token. Missing? Close Firefox fully and re-run the modutil command.
For Chrome and Chromium
Same approach, different path:
modutil -dbdir "sql:$HOME/.pki/nssdb" -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Close Chrome first — same rule applies. After restarting, check chrome://settings/certificates to confirm the token appears.
One thing worth knowing: on Fedora and RHEL systems, opensc-pkcs11.so sometimes lives under /usr/lib64/ instead of /usr/lib/x86_64-linux-gnu/. If modutil complains the file doesn’t exist, track it down first:
find /usr -name "opensc-pkcs11.so" 2>/dev/null
Use whatever path comes back in your modutil command. That’s it.
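The Firefox steps above have three easy failure points: the profile folder name, the library path, and a browser still running in the background. The script below is an added example, not part of the original article, that checks all three and also refuses a module file other users can write to, since the browser loads that library into its own process. The function names, the --register switch and the firefox process name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks before
# registering OpenSC in Firefox's NSS database with modutil.

# Print the first Firefox profile directory ending in .default-release.
find_profile() {
    base=${1:-$HOME/.mozilla/firefox}
    for d in "$base"/*.default-release; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Print the first opensc-pkcs11.so under the given directories; the defaults
# are the Debian/Ubuntu and Fedora/RHEL locations named in the article.
find_module() {
    [ $# -gt 0 ] || set -- /usr/lib/x86_64-linux-gnu /usr/lib64
    for dir in "$@"; do
        if [ -f "$dir/opensc-pkcs11.so" ]; then
            printf '%s\n' "$dir/opensc-pkcs11.so"; return 0
        fi
    done
    return 1
}

# The browser loads this library into its own process, so reject a file that
# group or other users can write to. -L follows the packaged symlink.
module_perms_ok() {
    case $(ls -ldL "$1" | cut -c1-10) in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Run the checks, then the article's modutil command with the resolved paths.
# Assumption: the browser's process name is "firefox" (varies by distro).
register_opensc() {
    if pgrep -x firefox >/dev/null 2>&1; then
        echo "Firefox is still running; close it first." >&2; return 1
    fi
    profile=$(find_profile) || { echo "no .default-release profile" >&2; return 1; }
    module=$(find_module) || { echo "opensc-pkcs11.so not found" >&2; return 1; }
    module_perms_ok "$module" || { echo "$module is writable by others" >&2; return 1; }
    modutil -dbdir "sql:$profile" -add "OpenSC" -libfile "$module"
}

# Only act when asked to: sh preflight.sh --register
if [ "${1:-}" = "--register" ]; then register_opensc; fi
```

For Chrome and Chromium the same checks apply with the database path $HOME/.pki/nssdb in place of the Firefox profile directory.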
Still Not Working — Common Fixes to Try
Reader Model Isn’t Supported
Not every USB smart card reader plays nicely with OpenSC. Check the supported hardware list at https://github.com/OpenSC/OpenSC/wiki/Supported-hardware. The MUSCLE project maintains a separate list worth checking too. Some older military-issue readers — certain Gemalto models from around 2008 — have genuinely spotty Linux support. If that’s your situation, a reader swap might be the only real fix. The Identiv SCL010 and Gemalto IDBridge CT30 both work reliably. That’s what makes hardware compatibility endearing to us Linux users — it’s never simple.
pcscd Crashes After Reboot
You enabled it. It still doesn’t start. Confirm the service status directly:
sudo systemctl is-enabled pcscd
Says “disabled”? Enable it again. Then pull the full status:
sudo systemctl status pcscd
Scan the output for error messages. Permission errors around /dev/usb are rare on modern distros but do show up on older setups. Adding your user to the pcscd group usually resolves it:
sudo usermod -aG pcscd $USER
Log out and back in after running that. Group membership changes don’t apply until you do.
Certificate Trust Errors in Government Websites
Probably should have opened with this section, honestly. Your browser sees the CAC, asks for a PIN, then throws a certificate error anyway. That almost always means the DoD root CA bundle isn’t installed. Download the CA certificates from militarycac.com and import them into your browser’s certificate store. In Firefox: Settings → Privacy & Security → Certificates → View Certificates → Authorities. Import the DoD root CA file, usually in .cer format. This step trips people up more than any of the terminal work above.
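Importing a root CA makes it a trust anchor for every site the browser visits, so confirm the downloaded file before the import. The script below is an added example, not part of the original article: it compares the file's SHA-256 fingerprint with one you obtained independently of the download. The function names and the script's two arguments are assumptions, and the expected fingerprint is a value you supply.

```shell
#!/bin/sh
# Added example (not from the original article): check a downloaded CA
# certificate against a fingerprint obtained from an independent source.

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces,
# and lowercase the hex digits, so different notations compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the SHA-256 fingerprint of a certificate file.
# A .cer download may be PEM or DER encoded, so try both.
cert_fp() {
    out=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null) ||
    out=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null) ||
    return 1
    normalize_fp "$out"
}

# Succeed only if the file parses as a certificate and its fingerprint
# equals the expected one.
verify_cert() {
    actual=$(cert_fp "$1") || { echo "cannot parse $1 as a certificate" >&2; return 1; }
    [ "$actual" = "$(normalize_fp "$2")" ]
}

# Usage: sh verify_ca.sh <certificate file> <expected SHA-256 fingerprint>
if [ $# -eq 2 ]; then
    if verify_cert "$1" "$2"; then
        echo "fingerprint matches"
    else
        echo "fingerprint MISMATCH, do not import" >&2; exit 1
    fi
fi
```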
Still Stuck
Run this and see what OpenSC actually reports:
pkcs11-tool --list-slots
You should see your card and token details. Nothing showing? The module isn’t loading. Re-examine your modutil command and double-check the library path. Card shows up in pkcs11-tool but the browser still refuses to cooperate? That’s an NSS database configuration problem — run the modutil command one more time with your browser fully closed first. Nine times out of ten, that’s all it takes.