
macOS Sonoma CAC Setup: The 2024 Guide That Actually Works

macOS Sonoma introduced changes to how smart cards work, and some older CAC setups stopped working after the update. Here’s the current, tested guide for setting up CAC authentication on macOS Sonoma (14.x) that actually works in 2024-2025.

What Changed in Sonoma

Apple made several changes affecting CAC users:

  • CryptoTokenKit updates: The framework that handles smart cards was modified
  • Keychain Access changes: Certificate handling and trust settings work differently
  • Safari improvements: Better native smart card support, but different behavior
  • Security updates: Stricter certificate validation

If your CAC worked on Monterey or Ventura but broke after upgrading to Sonoma, you’re not alone.

Hardware Requirements

Recommended Readers for Mac

  • Identiv uTrust 3700 F (USB-C): Best for modern MacBooks, no drivers needed
  • SCM SCR3310v2 (USB-A with adapter): Reliable, widely used
  • HID Omnikey 3021 (USB-A): Good compatibility

USB-C Adapters

If using USB-A readers on newer MacBooks:

  • Apple USB-C to USB Adapter works well
  • Quality third-party adapters are fine
  • Avoid cheap hub/adapters that cause power issues

Step 1: Verify Reader Recognition

  1. Connect your CAC reader
  2. Insert your CAC
  3. Open Terminal (Applications → Utilities → Terminal)
  4. Run: system_profiler SPSmartCardsDataType

You should see your reader and card listed. If not:

  • Try a different USB port or adapter
  • Restart your Mac with the reader connected
  • Check System Preferences → Security & Privacy for any blocked extensions

Step 2: Install DoD Certificates

This is the most critical step. Without DoD root certificates, nothing works.

Method 1: Using InstallRoot (Recommended)

  1. Download the Mac version of InstallRoot from MilitaryCAC.com/macinstall.htm
  2. Run the installer package
  3. Follow the prompts
  4. Restart your Mac

Method 2: Manual Installation

  1. Download DoD certificates from public.cyber.mil/pki-pke/
  2. Double-click each certificate to open Keychain Access
  3. Add to the “System” keychain
  4. For each root CA certificate:
    • Double-click it in Keychain Access
    • Expand “Trust”
    • Set “When using this certificate” to “Always Trust”
    • Enter your Mac password

Step 3: Configure Keychain Trust Settings

Sonoma requires explicit trust configuration:

  1. Open Keychain Access (Applications → Utilities)
  2. Select “System” keychain in the left sidebar
  3. Click “Certificates” category
  4. Find DoD Root CA certificates
  5. For each one:
    • Double-click to open
    • Expand “Trust” section
    • Set “When using this certificate” to “Always Trust”
    • Close and enter password
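The manual route of Step 2 (Method 2) and the trust setting of Step 3 can be scripted with Apple's `security` tool instead of clicking through Keychain Access, which is useful when setting up several Macs. The script below is an added example and is not part of the original guide. It assumes `openssl` and `security` are available, and that the DoD root certificates downloaded from public.cyber.mil sit in a directory passed as `$1`, as `.cer` (DER) or `.pem` files. Before marking a file as trusted it checks that the certificate is self-signed and carries `basicConstraints CA:TRUE`, so an intermediate CA or a stray end-entity certificate dropped into the directory is reported rather than silently made a trust root.

```shell
#!/bin/sh
# Added example (not from the guide): CLI equivalent of Step 2 Method 2 + Step 3.
# Assumes: openssl and Apple's `security` are on PATH; $1 is a directory of DoD
# root certificates (.cer DER or .pem). Only self-signed CA certs get trusted.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Print PEM or DER depending on how the certificate file is encoded.
cert_inform() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Return 0 when the certificate is self-signed (subject equals issuer) and
# carries basicConstraints CA:TRUE; anything else must not become a trust root.
is_self_signed_ca() {
    fmt=$(cert_inform "$1")
    subj=$(openssl x509 -in "$1" -inform "$fmt" -noout -subject) || return 1
    iss=$(openssl x509 -in "$1" -inform "$fmt" -noout -issuer) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl x509 -in "$1" -inform "$fmt" -noout -text | grep -q 'CA:TRUE'
}

# Add the root to the System keychain with an admin-domain trust setting
# (-d) as a trusted root for all policies (-r trustRoot), which is what
# "Always Trust" in Keychain Access records.
trust_root() {
    sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$1"
}

# Ask macOS to evaluate the certificate against the trust store; this is the
# command-line form of the "Certificate Not Trusted" check.
verify_root() {
    security verify-cert -c "$1"
}

# Process every .cer/.pem file in the given directory.
install_dod_roots() {
    dir=${1:?usage: install_dod_roots <directory of DoD root certs>}
    for f in "$dir"/*.cer "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if is_self_signed_ca "$f"; then
            echo "trusting root: $f"
            trust_root "$f" && verify_root "$f"
        else
            echo "skipping (not a self-signed CA): $f"
        fi
    done
}

# The live install only makes sense on macOS and when a directory was given.
if [ "$(uname -s)" = Darwin ] && [ -n "$1" ]; then
    install_dod_roots "$1"
fi
```

Run it as `sudo sh trust-dod-roots.sh ~/Downloads/DoD_Certs` after extracting the bundle from public.cyber.mil; the `sudo` is needed because trust settings for the System keychain live in the admin domain. After it finishes, the roots should show "Always Trust" when opened in Keychain Access, and a restart (as the guide advises) clears any cached trust evaluation.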

Step 4: Safari Configuration

Safari uses Keychain natively and should work automatically:

  1. Open Safari
  2. Navigate to a CAC-enabled site (milConnect, etc.)
  3. Safari should prompt for certificate selection
  4. Choose your DoD ID certificate
  5. Enter your CAC PIN

If Safari Doesn’t Prompt

  • Ensure CAC is inserted before navigating to the site
  • Clear Safari’s cache: Safari → Settings → Privacy → Manage Website Data → Remove All
  • Restart Safari
  • Check Keychain Access for certificate trust issues

Step 5: Chrome Configuration

Chrome on Mac uses the macOS Keychain, so certificates should work if they’re properly trusted:

  1. Ensure DoD certificates are trusted in Keychain (Step 3)
  2. Open Chrome
  3. Navigate to a CAC site
  4. Chrome should prompt for certificate selection

If Chrome Doesn’t Work

  • Go to chrome://settings/security
  • Click “Manage certificates” (opens Keychain Access)
  • Verify your CAC certificates appear
  • Clear Chrome cache and restart

Step 6: Firefox Configuration

Firefox uses its own certificate store, so it requires manual setup:

  1. Open Firefox
  2. Go to Settings → Privacy & Security
  3. Scroll to “Certificates” → click “View Certificates”
  4. Import DoD root certificates to “Authorities” tab
  5. Check “Trust this CA to identify websites”
  6. Go back to Privacy & Security
  7. Click “Security Devices”
  8. Click “Load”
  9. Enter module name: “CAC”
  10. For module path, enter: /usr/lib/ssh-keychain.dylib

Note: The module path may vary. If that doesn’t work, try:

  • /usr/local/lib/opensc-pkcs11.so (if OpenSC is installed)
  • /Library/OpenSC/lib/opensc-pkcs11.so

Troubleshooting Sonoma-Specific Issues

“Smart card could not be read”

  • Restart your Mac with CAC reader connected
  • Try: sudo pkill -9 com.apple.ctkd in Terminal, then retry
  • Check System Settings → Privacy & Security for any blocked items

Certificates Don’t Appear in Keychain

  • Open Terminal
  • Run: security list-smartcards
  • If no cards listed, reader isn’t recognized
  • Try a different USB port/adapter

“Certificate Not Trusted” After Installing

  • Explicitly set trust for each DoD Root CA in Keychain
  • Restart your Mac after setting trust
  • Try clearing Keychain’s certificate trust cache:
    sudo security delete-certificate -c "DoD Root CA 3" then reinstall

PIN Prompt Never Appears

  • Ensure CAC is inserted before opening browser
  • Check that CryptoTokenKit is working:
    security list-smartcards
  • Restart the smart card service:
    sudo pkill -9 com.apple.ctkd

Known Sonoma Limitations

  • Some legacy DoD sites may not work; try a different browser
  • Certain Bluetooth CAC readers have reduced compatibility
  • Screen sharing/remote desktop CAC passthrough may be limited

Quick Verification Steps

  1. Reader detected: system_profiler SPSmartCardsDataType
  2. Card readable: security list-smartcards
  3. Certificates in Keychain: Open Keychain Access → Personal certificates
  4. DoD roots trusted: Keychain Access → System → Certificates → Check DoD Root CAs
  5. Test site: Navigate to milConnect in Safari
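The checks in Step 1, the "Certificates Don't Appear in Keychain" checklist and the Quick Verification Steps above can be run as one script that prints a PASS/FAIL line per item. The script below is an added example, not part of the original guide. It assumes Apple's `system_profiler` and `security` tools (so the live checks only run on macOS), and the output layouts it parses, a `Readers:` block with `#NN: <name>` entries from `system_profiler`, one `com.apple.pivtoken:<hex>` line per card from `security list-smartcards`, and `Cert N: <name>` lines from `security dump-trust-settings -d`, are assumptions based on typical Sonoma output; the sample outputs embedded at the bottom are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the guide): read-only CAC readiness check for Sonoma.
# Assumes Apple's system_profiler and security tools; the parsed output formats
# are assumptions, and the SAMPLE_* strings below are constructed, not captured.

# Count reader entries in `system_profiler SPSmartCardsDataType` output (stdin).
# Assumed layout: a "Readers:" header followed by indented "#NN: <name>" lines.
count_readers() {
    awk '
        /^[ \t]*[A-Za-z].*:[ \t]*$/ {
            section = $0
            sub(/^[ \t]+/, "", section)
            sub(/:[ \t]*$/, "", section)
        }
        section == "Readers" && /^[ \t]*#[0-9]+:/ { n++ }
        END { print n + 0 }'
}

# Count tokens in `security list-smartcards` output (stdin).
# Assumed format: one "com.apple.pivtoken:<hex>" line per inserted card.
count_tokens() {
    awk '/^com\.apple\.[a-z]+token:/ { n++ } END { print n + 0 }'
}

# Return 0 when the named CA appears in `security dump-trust-settings -d`
# output (stdin). -d is the admin domain, where "Always Trust" set on a
# System keychain certificate in Keychain Access is recorded.
trust_setting_present() {
    grep -q "^Cert [0-9][0-9]*: $1\$"
}

# Live query wrapper so the trust check can be passed to report().
root_trusted() {
    security dump-trust-settings -d 2>/dev/null | trust_setting_present "$1"
}

# Print PASS/FAIL for a description followed by the command to evaluate.
report() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $desc"; else echo "FAIL: $desc"; fi
}

# Run the live checks; optional $1 overrides the root CA name to look for.
cac_check() {
    root_ca=${1:-"DoD Root CA 3"}
    readers=$(system_profiler SPSmartCardsDataType 2>/dev/null | count_readers)
    tokens=$(security list-smartcards 2>/dev/null | count_tokens)
    report "reader detected ($readers)" [ "$readers" -gt 0 ]
    report "card token visible to CryptoTokenKit ($tokens)" [ "$tokens" -gt 0 ]
    report "$root_ca present in System keychain" \
        security find-certificate -c "$root_ca" /Library/Keychains/System.keychain
    report "$root_ca has an explicit trust setting" root_trusted "$root_ca"
}

# Constructed sample outputs (not real captures) for exercising the parsers.
SAMPLE_PROFILER='SmartCards:

    Readers:

      #01: Identiv uTrust 3700 F

    Available Smartcards (keychain):

      #01: com.apple.pivtoken:0000000000000000000000000000000000000000'
SAMPLE_TOKENS='com.apple.pivtoken:0000000000000000000000000000000000000000'
SAMPLE_TRUST='Number of trusted certs = 2
Cert 0: DoD Root CA 3
   Number of trust settings : 1
Cert 1: Some Other CA
   Number of trust settings : 0'

case "$(uname -s)" in
    Darwin) cac_check "$@" ;;
    *) echo "live checks need macOS; parsers can be exercised on the samples" ;;
esac
```

A zero reader count points at the USB port or adapter (Step 1); a reader with zero tokens means CryptoTokenKit is not seeing the card, which is where the `pkill com.apple.ctkd` step in the troubleshooting section applies; a root that is present but has no trust setting is the "Certificate Not Trusted" case from Step 3.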

Alternative: Virtual Machine

If you can’t get native macOS CAC working:

  • Run Windows in Parallels or VMware Fusion
  • Pass USB CAC reader through to the VM
  • Use standard Windows CAC setup

This is a workaround, not a solution, but it works when native support fails.

Summary

For CAC on macOS Sonoma:

  1. Use a USB-C reader if possible (fewer adapter issues)
  2. Install DoD certificates via InstallRoot for Mac
  3. Explicitly trust each DoD Root CA in Keychain Access
  4. Use Safari for best compatibility
  5. Firefox requires additional security device configuration

Most Sonoma CAC issues come from certificate trust settings or reader detection. Work through the steps methodically and most problems resolve.

Last tested: December 2025 on macOS Sonoma 14.5

John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.
