Air Force Mentor Logo


AFMentor | Bookmark | Search | Mail Page | Comment

Setting up a DOD Common Access Card Reader on the Macintosh OS X Operating System

Step 1 - Flash the Firmware in the USB CAC Reader.

Perform these steps on a Windows XP system with local Administrator authority.

  • Plug the “unflashed” ActivCard USB reader into a USB port.
  • Launch the ActivCard Gold Utilities (in the system tray) and insert a CAC card to make sure the reader functions correctly.
  • Go to Start | Settings | Control Panel | Administrative Tools | Services.
  • Stop the following services:
    • ActivCard Gold AutoRegister
    • ActivCard Gold Service
    • Smart Card Service
  • Extract the contents into a folder. Do the same for the file.
  • From the extracted folder, run fwupdate.exe.
  • On the FwUpdate screen, click OK.
  • Click Browse, select the SCR531_V518.bin file (from the extracted folder) and click Open.
  • Click Next.
  • Verify that the Firmware “New Value” is version 05.18.
  • Click Finish.
  • Click Close.
  • Unplug the USB CAC card reader.
Step 2: Load New CAC Drivers
  • On the Windows PC, go to the extracted SCR33xx_inst_folder and run setup.exe.
  • Step through and complete the Installation Wizard settings.
  • When the software is installed, plug the "flashed" CAC system. It should be recognized as an "SCR33x USB

Step 3: (Optional) Verify New CAC Drivers

  • Click on Start | Programs | SCM Microsystems
  • Select SCR33xx and click Test.
  • Click English and scroll down. The "Result:" should completed successfully".
  • Click Close.
  • Remove the "flashed" USB card reader and label it USB Smart Card Reader Firmware: 05.18

Add the DOD Intermediate CAs to the Keychain (These steps are performed on a Mac with OS X 10.4.3 or better.)

  • Logon to the Mac with your normal user ID.
  • Launch Keychain Access (Go | Utilities | Keychain Access).
  • Select Edit | Keychain List.

Under Show, select: Mac OS X (System).


  • Check "Shared" checkbox for X509Certificates (/System/Library/Keychains)
  • Click OK.
  • Close Keychain Access.

At this point, you should now be able to send signed email. Any application that recognizes the Keychain should work with the CAC reader.

During testing it was noted that most applications require that the CAC card reader be plugged in and a CAC card inserted PRIOR to starting the application for the CAC Reader to work within the application.

Delete old Keychain Certificates and CAC cache (Optional): If your CAC card has changed in any way (new email address, name change, etc) from the time you first used it on a specific system, you may have to clear out the cached CAC credentials and certificates.

Step 1: Remove Cached CAC credentials

  • Open a Terminal Session (Go | Utilities | Terminal)
  • Type: cd /private/var/db/TokenCache and press <Enter>.
  • Type: sudo mv tokens tokens-old and press <Enter>.
  • Type: sudo mkdir tokens and press <Enter>.
  • Type: sudo chmod 711 tokens and press <Enter>.

Note that this will remove ALL CAC card credentials from the system. If you wish to remove just one, you must examine the TokenCache folder and determine which “” needs to be removed.

Step 2: Remove old Certificates

  • Launch Keychain Access (Go | Utilities | Keychain Access)
  • Click on Certificates.

Use Edit | Delete to remove certificates with your name (


  • Close Keychain Access.
Copy new Certificates from CAC to Login Keychain:

You must copy your CAC credentials from the CAC card

  • Insert your USB CAC reader into the system
  • Launch Keychain Access (Go | Utilities | Keychain Access)
  • Click on Show Keychains.
  • Insert your CAC into the reader.
    Note that a new entry appears (smart card #x).
  • Click on the smart card #x keychain.
  • Select the certificates with your name (Last.First.MI.xxxxxxx) Edit | Copy.
  • Click on the login (default) keychain and click on Edit | Paste
  • Close Keychain Access.

Ensure Email address matches what's on the CAC:

In order to send email, the email address embedded within your email address set in the Preferences of the email program. The casesensitive, so if your email address is all CAPS in your CAC, your Preferences should be all CAPS. If there is a mismatch between the email program settings and see the icons for digitally signing/encrypting email in Mac complain of “missing certificates” when trying to send mail.

Next: Setting up Apple Mail

Setting up Mac Mail:

This assumes that you already have setup Mac Mail for normal use.

  • Logon to the Mac with your normal user ID.
  • Plug a flashed USB CAC Card Reader into the USB port and insert your CAC card into the Reader.
  • Start Mac Mail.
  • Click New

If the email address in your CAC card matches the email address in your Preferences | Account, you should see the icons for digitally-signed email appear when sending New email.

Clicking the “starred” checkmark should allow you to select/deselect signed email.

Clicking the “padlock” should allow you to select/deselect encrypted email.

If you can't get the padlock to “shut”, you don't have the public certificates for the person or person(s) you are trying to send to. If you are testing sending signed/encrypted email to yourself, see Copy new Certificates from CAC to Login Keychain on the previous page.


Click here to submit your information.Send me Comments and Suggestions

Place Your Ad Here

Page last modified on: 21 October 2009