Subject: CAC Reader Detected but Browser Fails to Trigger PIN Prompt / Cert Selection (Linux Setup)
Description:
I am attempting to use my CAC (G+D FIPS 201 SCE 7.0) on a Lubuntu 24.04 system with an HID OMNIKEY AG 3121 USB smartcard reader.
I've successfully configured the system to detect and read the CAC. The following components have been tested and are working:
- pcsc_scan confirms card insertion and ATR: 3B F9 18 00 00 00 53 43 45 37 20 03 00 20 46
- pkcs15-tool -c shows all 4 X.509 certs (PIV Auth, Digital Sig, Key Mgmt, Card Auth)
- Firefox and Chrome have both had the DoD cert chain imported using AllCerts.zip
- Both opensc-pkcs11.so and libcoolkeypk11.so modules are loaded in Firefox (via modutil)
- The NSS security devices list shows the modules as "loaded" with the correct slot name
However, when visiting CAC-required sites such as:
- https://www.dmdc.osd.mil/self_service
- https://militarycac.com/cacreadercheck.htm
I am not prompted to select a certificate or enter my PIN. The browser proceeds as if no cert is available.
I've rebooted, replugged the reader, restarted pcscd, and verified permissions on .pki and smartcard devices. I've also installed OpenSC from the ppa:smartcard/opensc repo (v0.25).
I'm requesting help to:
- Confirm if any cert mapping, OCSP, or PKI trust anchor configuration is required on the server or client to initiate cert selection
- Provide a known working config for HID Omnikey readers and newer CAC cards (G+D SCE 7.0)
- Validate whether any specific card reader firmware or middleware (OpenSC, CoolKey) is required in the current DoD environment
If needed, I can provide pcsc_scan logs, pkcs15-tool output, and Firefox modutil device listings.
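
The ATR that pcsc_scan reports in the issue can be decoded field by field to check what the reader layer is handing to the middleware. This is an added example, not part of the original issue or the project's code; `parse_atr` is a hypothetical helper that follows the ISO/IEC 7816-3 ATR layout, and its only input is the ATR quoted above.

```python
# Added example: decode an ATR using the ISO/IEC 7816-3 layout.
ATR_HEX = "3B F9 18 00 00 00 53 43 45 37 20 03 00 20 46"  # ATR quoted in the issue


def parse_atr(hex_string):
    """Return TS, interface bytes, protocols, historical bytes and TCK of an ATR."""
    data = bytes.fromhex(hex_string)
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: missing or invalid TS/T0")
    t0 = data[1]
    hist_len = t0 & 0x0F      # K: number of historical bytes
    y = t0 >> 4               # Y1: bitmap of which TA1..TD1 follow
    pos, level = 2, 1
    interface, protocols = {}, set()
    while y:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated inside interface bytes")
                interface["%s%d" % (name, level)] = data[pos]
                td = data[pos] if name == "TD" else td
                pos += 1
        if td is None:
            break
        protocols.add(td & 0x0F)       # low nibble of TDi: protocol T
        y, level = td >> 4, level + 1  # high nibble: bitmap for the next group
    protocols = protocols or {0}       # no TD byte at all means T=0
    historical = data[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated inside historical bytes")
    pos += hist_len
    tck = None
    if protocols != {0}:               # TCK is present unless only T=0 is offered
        if pos >= len(data):
            raise ValueError("TCK expected but missing")
        tck = data[pos]
        pos += 1
        checksum = 0
        for b in data[1:pos]:          # XOR of T0..TCK must be zero
            checksum ^= b
        if checksum:
            raise ValueError("TCK checksum mismatch")
    if pos != len(data):
        raise ValueError("unexpected trailing bytes")
    return {"ts": data[0], "interface": interface, "protocols": sorted(protocols),
            "historical": historical, "tck": tck}


if __name__ == "__main__":
    atr = parse_atr(ATR_HEX)
    print(atr["interface"], atr["protocols"], atr["historical"])
```

For the ATR above, the nine historical bytes begin with the ASCII string "SCE7" and the card offers T=0 only, so no checksum byte follows. An ATR that decodes cleanly like this points the remaining checks at the PKCS#11 and browser layers rather than at the reader.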