Search MilitaryCAC:

Site Map logo

.com | .us | .ml  | .mobi | .net | .org

The Definitive Source for Everything CAC

Common Access Card help for your
Personal Computer

Also available at:

Please ShareThis website with your friends and colleagues

Make a Donation button image






I have had no problems using the GEMALTO TOP DL GX4 144 & Oberthur ID One 128 v5.5 Dual CACs on Windows 7 & 8 Professional & Windows 7 Ultimate (64bit editions) without ActivClient. 

Windows 7 Home Premium (64bit) version would not read the Oberthur ID One 128 v5.5 Dual CAC until I installed ActivClient with update.

NOTE:  The Windows 8 BASIC edition [shows only as Windows 8] does NOT have this ability (However, I received reports from two people who claim theirs worked).  Click here for more specifics

Your CAC must be a GEMALTO TOP DL GX4 144, GEMALTO DL GX4-A 144, G&D FIPS 201 SCE 3.2, Oberthur ID One 128 v5.5 Dual, or an Oberthur ID One 128 v5.5a D

A guide to help figure out which CAC you have

Gemalto Top DL GX 4 144 CAC image GemaltoDLGX4-A144 image Oberthur ID One 128 v5.5 Dual CAC image  Oberthur 5.5a CAC

G&D FIPS 201 SCE 3.2 image

Which CAC do I have video

Read more about the older CACs and replacing them



(The following information was received originally from the Air Force)

Revisions have been made by Michael Danberry

Download / Save this page as a PDF


Microsoft Windows 7, 8, 8.1, & 10 [except for the Basic versions of 8] include a native capability to read and use the CAC-based PKI certificates without installing middleware such as ActivClient.  The following instructions will help you configure Windows 7 or 8 to use a CAC without ActivClient. These instructions are not applicable if you already have ActivClient installed.  If you want to try this process, you will need to uninstall ActivClient, restart your computer, then follow the instructions below:

NOTE:  If you are a Firefox user, you will have to use Internet Explorer or install ActivClient or OpenSC to be able to access CAC enabled websites.  This is because Firefox needs certain .dll files registered that are not found in Windows natively, but are found in both ActivClient & OpenSC.


NOTE:  These instructions are provided as general guidance for home use only.  If these instructions do not work on your system, visit the ActivClient page to find links to obtain ActivClient.  Windows 7 & 8 requires ActivClient version 6.2.  If you have the Oberthur ID One 128 v5.5 Dual CAC, you'll also need to update ActivClient 6.2 (unless you are using Windows 7 or 8 Professional or Windows 7 Ultimate).

1. Verify that you have a fully PIV-II-compliant CAC.  To determine if your card is compliant, check the card type printed on the back of your CAC (see examples above).  If it shows "GEMALTO TOP DL GX4 144, GEMALTO DL GX4-A 144, G&D FIPS 201 SCE 3.2, or an Oberthur ID One 128 v5.5 Dual" then the CAC is fully PIV-compliant.  All other card types are not PIV-II-compliant [and should have been replaced before 1 October 2012] and cannot be used with Windows 7 & 8 without ActivClient.  To definitively determine if your CAC is PIV-II-compliant, use the following directions (remember, these directions assume you do NOT have ActivClient installed on your computer).

NOTE:  "Some" versions of Windows 7 & 8 do not "cooperate" with the Oberthur ID One 128 v5.5 Dual CAC.  The only fix I've found for this is to install ActivClient 6.2, then update it.  However, Windows 8 Basic does not play nice with ActivClient 6.2 or 7.0.  We are waiting on a 7.0.1 version (which is still in development).

NOTE:   If you are using an SCR-331 CAC reader, please update your firmware before proceeding. 

FIRMWARE UPDATE for image of SCR-331 CAC readerSCR-331 Reader

Video Instructions

PDF Instructions

The firmware update "should" fix the following problems:

A.  Card reader is not recognized

B.  Shows up as "STCII Smart Card Reader"

C.  Shows up as "USB Smart Card Reader" (not necessarily a problem)

D.  Does not read your "Gemalto TOP DL GX4 144" or "Oberthur ID One 128 v5.5 Dual" CAC.

E.  Using your CAC with Windows 7 & 8 without ActivClient

F.  Not working using the guidance on this page


Installation Instructions

 1. Download update file from MilitaryCAC or Identive
 2. Unzip the downloaded file (by Right-clicking and selecting Extract All)
 3. Update the driver present in the "driver" folder (by following guidance on CACDrivers page)
 4. Once driver updated, Run the FWUPDATE.EXE (lightning bolt) in the "app" folder to update the firmware.  Select the default choices.
 5. Close all programs, then restart your computer

    You can also use Trusted End Node Security (TENS) formerly known as LPS (Lightweight Portable Security) bootable CD to update the firmware on this reader

   a. Install a CAC reader on your Windows 7 & 8 computer.  Verify the card reader is properly installed by checking that a reader is listed in the Device Manager under "Smart card readers".  The Device Manager can be accessed by opening the Start menu, right-clicking Computer {which may be listed as a computer name}, and selecting: Properties, then Device Manager

image showing Smart card reader

Insert your CAC into the reader.  Verify the card reader is successfully recognizing the CAC by checking that an "Identity Device" is listed in the Device Manager under "Smart cards" as shown below.  If it is, your CAC may be PIV-II compliant.

image showing Smart Card installed

If your CAC is not PIV-II-compliant, the smart card may or may not show up under "Other devices" as shown below:

image showing CAC under Other devices

     b. Open Internet Explorer (IE).  If you think your CAC is PIV-II compliant, go into IE, select Tools, Internet Options, Content (tab), Certificates (button).  The Personal Tab should open by default.  If your CAC is PIV-II-compliant, you should see 3 certificates issued to you by DoD as shown below:  (Unless you had ActivClient already installed recently, they will show up as well)

image showing 3 certificates on card

Two of these certificates (the ones that have "EMAIL" in the "Issued By" field) are your standard DoD E-mail Signature and Encryption certificates.  The third certificate is your PIV Identity certificate.  This PIV Identity certificate is a different certificate than the DoD Identity certificate you normally see when using ActivClient.  This should not impact your use on your personal computer.  If your CAC is not PIV-II-compliant, no certificates will be listed in the Personal Tab, you will have to install ActivClient 6.2 then update it to use your CAC with Windows 7.  Windows 8 (Basic users) will have to wait for and update to ActivClient 7.0.1 to be released (which is still in development).

2.  Install the DoD Certificates

3.  Add Outlook Web Access / Apps (OWA) address to your Trusted Sites (if you plan on using OWA).  The OWA website may need to be listed as a trusted site in IE 9 (if you have a 64 bit version of Windows).  It is also required for both 32 and 64 bit computers once IE 9 or 10 is installed.  Without adding it, you will not be able to sign or encrypt / decrypt your email.  Open IE 9 or 10 select Tools, Internet Options, Security.  Select the Trusted Sites zone (green checkmark), then click on the Sites (button).  Type the address for your OWA website [Examples can be found on the OWA page] in the box labeled "Add this website to the zone" and click Add.  The site will be added to the list.  Click Close and OK to exit the Internet Options window.

4.  Access web sites and authenticate with your CAC certificates in IE.  You will be prompted to select a certificate and enter your Personal Identification Number (PIN) as shown in the screenshots below.  IMPORTANT:  If you are accessing a web site that is linking back to your network account such as SharePoint or Outlook Web Access / Apps (OWA), you will need to select your E-mail certificate (the one that has "EMAIL" in the Issued By field) in order to authenticate.  The PIV Identity certificate (the one that does NOT have "EMAIL" in the "Issued By" field) will not work with your Active Directory account.  Your PIV Identity certificate can always be used to client authenticate to web sites that are not linking back to your network account.  Those accessing Army Knowledge Online (AKO) will continue to use the non-Email certificate.  Sites like the Air Force Portal and Navy Knowledge Online (NKO) usually use the Email certificate.

Windows 7 view

image showing 2 certificates

Windows 7 image showing PIN entered


Windows 8 view

Windows 8 Certificate Selector

Windows 8 PIN selector

5.  If you are having issues accessing a web site with your CAC, try the following this guide, then, if still unsuccessful, visit the ActivClient page to find links to obtain a copy of ActivClient to install on your computer.

Once in awhile, you may need to do this:  Open IE, select Tools, Internet Options, Content (tab), Certificates (button). The Personal Tab should open by default.  For each of your certificates in the Personal tab, highlight the certificate and click the Advanced (button).  From within the Advanced Options window select the checkbox for Client Authentication then click OK. (Remember, these settings are normally NOT required, but it has helped others).


To change your current CAC PIN [without ActivClient on Windows 7 ONLY], you'll need to know your current PIN and then follow these steps:


1. Insert your CAC in the CAC reader

2. Press <Ctrl> <Alt> <Delete>

3. Select Change password

4. Select Other Credentials

5. Select Smart Card

6. Enter your current PIN, then your new PIN twice

If you have questions or suggestions for this site, contact Michael J. Danberry

Are you interested in subscribing to the CACNews email list?



ACRONYM Reference Page


GoDaddy Site Certified seal


Make a Donation button image


Last Update or Review:  Thursday, 18 May 2017 18:42 hrs


The following domain names all resolve to the same website:,,, &