Introduction

Since I last wrote about this, macOS has introduced its own built-in CAC card support. Additionally, many Mac laptops now come with USB-C ports, which changes the best choice for a portable CAC reader.

Our roadmap:

• Choosing a CAC Reader
• Configuring Your CAC Reader
• Installing DoD Root Certificates
• Configuring Your Browser(s)
• Useful Websites

Choosing a CAC Reader

For USB Type A ports on a desktop or hub/dock setup, I use the traditional SCR3310, immediately recognizable to anyone who's used a DoD computer before.

For USB Type C ports directly on a newer Mac, I recommend the Identiv SCR3500C USB Smartfold Type C .

Configuring Your CAC Reader

You can skip this step if you are running Mojave, Catalina, Big Sur, Monterey, or newer.

If you are running macOS Sierra or macOS High Sierra, the built-in CAC reader software is subpar. I recommend you disable it and install another third-party utility instead. Run sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken in the Terminal as an administrative user, and install CACKey.

Installing DoD Root Certificates

Download the AllCerts package to your desktop and unzip it. Open the folder you just unzipped.

Open Keychain Access and navigate to the System keychain. Delete all of the DoD certificates, if there are any.

In your Finder window, select all your certificates and drag them to Keychain Access. Confirm installation of each certificate, and enter your password if/when necessary. Now your computer knows all the DoD certificates needed, but it still doesn't trust all of them yet.

Right-click on each untrusted certificate, and select Get Info to adjust the trust settings accordingly.

When you're done, press ⌘ + Q to exit Keychain Access, then restart your computer again. Your certificates are installed and configured for your system. You should be able to use your CAC reader and CAC card to access DoD and service-specific websites and e-mail.

Configuring Your Browser(s)

Firefox: In the Address Bar, navigate to about:config and promise to be careful. Search for the value security.enterprise_roots.enabled (or create a new boolean key if it doesn't exist) and make sure it's set to true. Do the same for security.osclientcerts.autoload. Then restart Firefox. Note that some DoD sites have been hostile to Firefox users lately; A-PES absolutely will not work, no matter what you do.

Chrome: Should mostly work automatically. However, Chrome does not trust long-lived DoD certificates, even if you tell it to. On some sites it will warn you about the expiration date being too far in the future. If this happens, click on some blank space in the background of the page and type thisisunsafe to confirm that you want to brute-force Chrome into trusting the Government. You will need to do this for A-PES, for example.

Useful Websites

• Marine Online
• Marine Corps Webmail
• DoD SAFE
• MarineNet
• Microsoft Teams
• A-PES