DoD Certificates for Mac


NOTE:

Procedure for Chrome and Safari: Type ⇧⌘U (Shift + Command + U) to access your Utilities. Find and double click 'Keychain Access'. Install DoD Certificates into Keychain Access. Here is what my Keychain Access looks like before adding the DoD certificate bundles.

Between mid October 2019 and mid February 2020 everyone in the Army was migrated to use their PIV Authentication certificate for Email access. You no longer use the Email certificate for Enterprise Email or any CAC enabled websites.

Mac users who choose to upgrade (or already have upgraded) to Mac OS Catalina (10.15.x) will need to uninstall all 3rd Party CAC enablers per https://militarycac.com/macuninstall.htm AND re-enable the built-in smart card ability (very bottom of macuninstall link above).

If you purchased your Mac with OS Catalina (10.15.x) already installed, you can skip the uninstall part above and follow the instructions below.

6 'high level' steps needed, follow down the page to make this a painless systematic process

1. Is your CAC reader 'Mac friendly'?
2. Can your Mac 'see' the reader?
3. Verify which version of Mac OS you have
4. Figure out which CAC (ID card) you have
5. Install the DoD certificates
5a. Additional DoD certificate installation instructions for Firefox users
6. Decide which CAC enabler you want to use (except for 10.12-.15 & 11)

Step 1: Is your CAC reader Mac friendly?

Visit the USB Readers page to verify the CAC reader you have is Mac friendly.

Visit the USB-C Readers page to verify the CAC reader you have is Mac friendly.

'Some, not all' CAC readers may need to have a driver installed to make them work.

NOTE: Readers such as: SCR-331 & SCR-3500A may need a firmware update (NO OTHER Readers need firmware updates).

Information about these specific readers is in Step 2.

Step 2: Can your Mac 'see' the reader?

Plug the CAC reader into an open USB port before proceeding, and give it a few moments to install.

Step 2a: Click the Apple Icon in the upper left corner of the desktop, select 'About This Mac'

Step 2b: Click 'System Report...' (button)

Step 2c: Verify the CAC reader shows in Hardware, USB, under USB Device Tree. Different readers will show differently, most readers have no problem in this step. See Step 2c1 for specific reader issues.

Step 2c1: Verify firmware version on your SCR-331 or GSR-202, 202V, 203 CAC, or SCR-3500a reader. If you have a reader other than these 5, proceed directly to Step 3.

Step 2c1a-SCR-331 reader

If your reader does not look like this, go to the next step.

In the 'Hardware' drop down, click 'USB.' On the right side of the screen under 'USB Device Tree' the window will display all hardware plugged into the USB ports on your Mac. Look for 'SCRx31 USB Smart Card Reader.' If the Smart Card reader is present, look at 'Version' in the lower right corner of this box: If you have a number below 5.25, you need to update your firmware to 5.25. If you are already at 5.25, your reader is installed on your system, and no further hardware changes are required. You can now Quit System Profiler and continue to Step 3.

Step 2c1b-SCR-3500A reader

If you have the SCR3500A P/N:905430-1 CAC reader, you may need to install this driver, as the one that installs automatically will not work on most Macs. Hold the control key [on your keyboard] when clicking the .pkg file [with your mouse], select [the word] Open.

Step 3: Verify which version of Mac OS you have

(You need to know this information for step 6)

Step 3a: Click the Apple Icon in the upper left corner of your desktop and select 'About This Mac'

Step 3b: Look below Mac OS X for: Example: Version 10.X.X.

Step 4: Figure out which CAC (ID Card) you have

(You need to know this information for step 6)

Look at the top back of your ID card for these card types. If you have any version other than the six shown below, you need to visit an ID card office and have it replaced. All CACs [other than these six] were supposed to be replaced prior to 1 October 2012.

Find out how to flip card over video

Step 5: Install the DoD certificates (for Safari and Chrome Users)

Go to Keychain Access

Click: Go (top of screen), Utilities, double click Keychain Access.app

(You can also type: keychain access using Spotlight (this is my preferred method))

Select login (under Keychains), and All Items (under Category).

Download the 5 files via links below (you may need to click, select Download Linked File As... on each link). Save to your downloads folder.

Please know... IF you have any DoD certificates already located in your keychain access, you will need to delete them prior to running the AllCerts.p7b file below.

https://militarycac.com/maccerts/AllCerts.p7b,

https://militarycac.com/maccerts/RootCert2.cer,

https://militarycac.com/maccerts/RootCert3.cer,

https://militarycac.com/maccerts/RootCert4.cer, and

Double click each of the files to install certificates into the login section of keychain.

Select the Kind column, verify the arrow is pointing up, scroll down to certificate, look for all of the following certificates:

DOD EMAIL CA-33 through DOD EMAIL CA-34,

DOD EMAIL CA-39 through DOD EMAIL CA-44,

DOD EMAIL CA-49 through DOD EMAIL CA-52,

DOD EMAIL CA-59,

DOD ID CA-33 through DOD ID CA-34,

DOD ID CA-39 through DOD ID CA-44,

DOD ID CA-49 through DOD ID CA-52,

DOD ID CA-59

DOD ID SW CA-35 through DOD ID SW CA-38,

DOD ID SW CA-45 through DOD ID SW CA-48,

DoD Root CA 2 through DoD Root CA 5,

DOD SW CA-53 through DOD SW CA-58, and

DOD SW CA-60 through DOD SW CA-61

NOTE: If you are missing any of the above certificates, you have 2 choices,

1. Delete all of them, and re-run the 5 files above, or

2. Download the allcerts.zip file and install each of the certificates you are missing individually.
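
Added example (not from the original page): a shell check that reports which certificates from the list above are missing from a keychain listing. It assumes the label lines printed by macOS `security find-certificate -a` have the form shown in the comment; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report Step 5 checklist certificates absent from a keychain listing.

# Print PREFIX followed by each number from FIRST to LAST, one per line.
expand_range() {  # usage: expand_range "DOD ID CA-" 33 34
  n=$2
  while [ "$n" -le "$3" ]; do
    printf '%s%d\n' "$1" "$n"
    n=$((n + 1))
  done
}

# The certificate names from the Step 5 checklist, one per line.
expected_certs() {
  for kind in "DOD EMAIL CA-" "DOD ID CA-"; do
    expand_range "$kind" 33 34
    expand_range "$kind" 39 44
    expand_range "$kind" 49 52
    expand_range "$kind" 59 59
  done
  expand_range "DOD ID SW CA-" 35 38
  expand_range "DOD ID SW CA-" 45 48
  expand_range "DoD Root CA " 2 5
  expand_range "DOD SW CA-" 53 58
  expand_range "DOD SW CA-" 60 61
}

# Extract certificate labels from `security find-certificate -a` output on stdin.
# Assumption: label lines look like      "labl"<blob>="DOD ID CA-59"
keychain_labels() {
  sed -n 's/^[[:space:]]*"labl"<blob>="\(.*\)"$/\1/p'
}

# Read a keychain listing on stdin; print every expected name not found in it.
missing_certs() {
  labels=$(keychain_labels)
  expected_certs | while IFS= read -r name; do
    printf '%s\n' "$labels" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample listing (not real keychain output): two certificates present.
SAMPLE_LISTING='keychain: "/Users/example/Library/Keychains/login.keychain-db"
    "labl"<blob>="DOD ID CA-59"
    "labl"<blob>="DoD Root CA 3"'

# On a Mac, pass --keychain to check the default keychain search list;
# otherwise count the names missing from the constructed sample.
if [ "${1:-}" = "--keychain" ]; then
  security find-certificate -a | missing_certs
else
  printf '%s\n' "$SAMPLE_LISTING" | missing_certs | wc -l
fi
```

An empty result from the `--keychain` run means every name on the checklist is present; it says nothing about whether the root certificates have been marked trusted.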

Errors:

Error 100001 Solution

Error 100013 Solution

You may notice some of the certificates will have a red circle with a white X. This means your computer does not trust those certificates.

You need to manually trust the DoD Root CA 2, 3, 4, & 5 certificates.

Double click each of the DoD Root CA certificates, select the triangle next to Trust, in the When using this certificate: select Always Trust, repeat until all 4 do not have the red circle with a white X.

You may be prompted to enter computer password when you close the window.

Once you select Always Trust, your icon will have a light blue circle with a white + on it.

The 'bad certs' that have caused problems for Windows users may show up in the keychain access section on some Macs. These need to be deleted / moved to trash.

The DoD Root CA 2 & 3 you are removing have a light blue frame; leave the yellow frame version. The icons may or may not have a red circle with the white X.

DoD Root CA 2 or 3 (light blue frame ONLY) certificate
or DoD Interoperability Root CA 1 or CA 2 certificate
or Federal Bridge CA 2016 or 2013 certificate
or Federal Common Policy CA certificate
or SHA-1 Federal Root CA G2 certificate
or US DoD CCEB Interoperability Root CA 1 certificate

If you have tried accessing CAC enabled sites prior to following these instructions, please go through this page before proceeding:

Clearing the keychain (opens a new page)

Please come back to this page to continue installation instructions.

Step 5a: DoD certificate installation instructions for Firefox users

NOTE: Firefox will not work on Catalina (10.15.x), or last 4 versions of Mac OS if using the native Apple smartcard ability.

Download AllCerts.zip, [remember where you save it].

Double click the allcerts.zip file (it'll automatically extract into a new folder).

Option 1 to install the certificates (semi automated):

From inside the AllCerts extracted folder, select all of the certificates.

Click (or Right click) the selected certificates, select Open With, Other...

In the Enable (selection box), change to All Applications.

Select Firefox, then Open.

You will see several dozen browser tabs open up, let it open as many as it wants.

You will eventually start seeing either of the 2 messages shown next

If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'

Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers

or

'Alert This certificate is already installed as a certificate authority.' Click OK

Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it

Option 2 to install the certificates (very tedious manual):

Click Firefox (word) (upper left of your screen)

Preferences

Advanced (tab on left side of screen)

Certificates (tab)

View Certificates (button)

Authorities (tab)

Import (button)

Browse to the DoD certificates (AllCerts) extracted folder you downloaded and extracted above.

Note: You have to do this step for every single certificate

Note2: If the certificate is already in Firefox, a window will pop up stating: 'Alert This certificate is already installed as a certificate authority (CA).' Click OK

Note3: If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'

Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers

Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it

Step 6: Decide which CAC enabler you can / want to use

Only for Mac El Capitan (10.11.x or older)

After installing the CAC enabler, restart the computer and go to a CAC enabled website

NOTE: Mac OS Sierra (10.12.x), High Sierra (10.13.x), Mojave (10.14.x) or Catalina (10.15.x) computers no longer need a CAC Enabler.

Try to access the CAC enabled site you need to access now

Mac support provided by: Michael Danberry

When it comes to installing your new CAC reader onto your home computer, there's no doubt that installing on Mac is much more complicated. Often, you'll need to install a CAC Enabler just for your Mac to recognize the hardware. But don't worry: in this handy guide, we'll walk you through how to install a CAC enabler for Mac and which one to choose.

Here's the thing: Mac has many different OS's, which means that there are many different CAC enablers. And some will work for particular OS's only.

MUST READ IMPORTANT INFO BEFORE YOU BEGIN

Before you get started downloading and installing your CAC Enabler, there is some information that you need to be aware of:

  • Only download and install ONE CAC Enabler. Multiple CAC Enablers can cause your CAC Card reader not to work. If you currently have an incorrect CAC enabler installed, you need to uninstall and remove it before getting the correct one. This includes built-in Smart Card Readers for the newer OS's.
  • Some of these CAC Enablers will ask for a Keychain Password. You should already have this information. It's your CAC PIN. But before you enter this information, make sure you've already selected your CAC Certificate. And you need to use your full CAC PIN. Failure to do so can actually lead to you getting locked out of your CAC Card. If this happens, you'll have to go to your nearest ID Card Office or PSD to get it unblocked.
  • After successfully installing your CAC Enabler, you need to restart your computer before trying to access any CAC protected site. This ensures that your computer has properly recognized and installed the CAC Enabler.
  • Just because you've properly installed and set up your enabler, that doesn't mean that it will work with all browsers, particularly Firefox. As popular a browser as it is, Firefox is notorious for not allowing CAC-protected sites to be accessed. This is why I recommend using Google Chrome. It has the least obstructions for you when it comes to using your CAC Reader.

What CAC Enabler Do You Need For Your OS?

In order to make sure that you download the right OS, be sure to use our handy Table of Contents to jump to the proper section.

And with that, let's get your Mac system CAC Card ready!

Catalina (10.15.x)

If you've purchased a Mac with the Catalina OS installed, STOP RIGHT HERE.

Catalina comes pre-equipped with a built-in CAC Enabler. This means you do not need to install a third-party program. If you do, it may interfere with your built-in enabler and cause your CAC to not be recognized. Just be sure that you have the proper DOD certificates installed.

But what if you purchased your Mac and then upgraded to the new system?

If you haven't installed any third-party enablers, the built-in function should automatically start working. But if you have previously installed any third-party CAC enablers, you're going to have to uninstall and completely remove those first.

Mojave (10.14.x)

Similar to the Catalina OS, Mojave also has a built-in Smart Card Reader. This means that a third-party CAC enabler program may not be necessary. So before downloading any other enabler, test out the built-in first–just make sure you have the proper DOD certificates needed.

If your Mojave's built-in reader is not working, then you can proceed to pick up another CAC enabler. There are 4 verified readers that work for Mojave that we know of.

Each of these should work for any type of CAC Card.

High Sierra (10.13.x)

High Sierra is another Mac OS with a built-in Smart Card reader. However, unlike Mojave or Catalina, you cannot access CAC-protected sites through Safari. They are not supported through Safari in this OS.

You need to use Google Chrome for optimal results. If you are adamantly opposed to using Chrome, I'd recommend to go ahead and update your Mac OS to Mojave or Catalina (if supported). Afterwards, you should find you don't need a CAC enabler as long as you have the proper certificates.

However, if things aren't working out the way they should, you do have some options for third party CAC enablers.

These have been verified to work with High Sierra and with every CAC Card type we've come across.

Sierra (10.12.x)

Sierra is the last of the Mac OS's that has a built-in Smart Card Reader. However, you need to be aware that this reader will not function with the Safari browser even with the proper certificates.

You'll need to utilize Google Chrome along with the proper DOD (or other) certificates.

There have been reports of the Sierra built-in CAC reader failing to operate properly. And in that case, you're going to need to download one of these verified CAC enablers:

These CAC Enablers work with every type of CAC Card.

One thing to note is that if you decide to utilize PKard with Sierra, you need to make sure that you're using PKard version 1.7 or higher.

El Capitan (10.11.x)

Unlike its newer OS counterparts, El Capitan does not come with a built-in smart card reader. You will be required to download and install a third-party program. Thankfully, there are 5 different CAC Enablers you can use.

One thing to note is that Smart Card Services will not work with all types of CAC Cards. If your CAC Card is designated as Oberthur ID One 128 v5.5a D, Smart Card Services cannot read it. You can find this information on the back of your CAC card itself near the magnetic strip.

This can be solved one of two ways. Either opt for a different enabler or get a new CAC Card.

Yosemite (10.10.x)

Yosemite requires a third-party enabler to be installed in order for your CAC Card to be recognized. There are 5 different verified options for Yosemite users:

Although a verified option, we recommend against using Smart Card Services. The reason for this is that Smart Card Services doesn't accept all types of CAC Cards–particularly those labeled Oberthur ID One 128 v5.5a D.

Mavericks (10.9.x)

Mavericks is another Mac OS without a built-in Smart Card Reader. This means that you're going to need to download a CAC Card Enabler. We've found five different platforms that work with this OS.

However, we suggest steering clear of Smart Card Services if you're carrying the Oberthur ID One 128 v5.5a D CAC Card. This enabler does not recognize this particular type of CAC Card.

Mountain Lion (10.8.x)

Since Mountain Lion OS has no built-in Smart Card Reader, you'll have to avail of a third-party CAC Card Enabler. There are 5 different options to choose from for this platform.

However, if you're using the CAC Card type, Oberthur ID One 128 v5.5a D, steer clear of Smart Card Services. They don't recognize this type of card.

Lion (10.7.x)

Lion is one of Mac's older operating systems. But that doesn't mean you're completely out of luck if you need to use a CAC card on it. There are 4 different options you have.

It's worth mentioning that if you are planning on using Smart Card Services, ensure you don't have an Oberthur ID One 128 v5.5a D CAC Card. The program doesn't work with that card type.

Snow Leopard (10.6.x)

The first recommendation I have for Snow Leopard users is to upgrade their system as soon as possible. But if due to constraints you are unable to, there are still a few paths you can take when it comes to ensuring your CAC Card can be read.

Just don't opt for Smart Card Services if you're using an Oberthur ID One 128 v5.5a D CAC Card.

Leopard (10.5.x)

If you're still using Leopard, our first recommendation is to upgrade your OS immediately. However if you're unable to, there's still hope for using a CAC Card on your computer.

Your available options for CAC Card Enabler are:

However, TENS will only work if your computer has an Intel processor. It won't work if you're using a PPC.

Again, the first recommendation for Leopard is not downloading a new CAC enabler but updating your system.

Our Top CAC Enabler Picks for All Operating Systems

When it comes to which enablers we like best, it boils down to two.

PKard and ActivClient for Mac.

Either one of these is compatible with just about every OS on this list, with the exception of Catalina (be sure to use its built-in enabler).

Plus they have vendor support. And that can be quite handy if you're having issues with your CAC enabler. However, they don't come free. ActivClient for Mac rings in at around $50 while PKard is available for around $40.
