Kyle's Place somewhere to put my thoughts

Access CAC enabled websites on iOS

Update 22 Sep 2023:

Confirmed the iPhone 15 Pro with a USB-C Smart Card reader connected directly works without any special connector (you can still use a USB Type A to USB Type C adapter, if your smart card reader requires it).

Native Smart Card Support in iOS/iPadOS

Starting with iOS 16 and iPadOS 16.1, Apple natively supports smart card readers and authentication, signing, and encryption using your Common Access Card (CAC) through the CryptoTokenKit framework. You no longer need the expensive software or hardware devices from third-party sites that were previously required to use CAC-enabled websites on your Apple mobile devices. Now all you need is an On The Go (OTG) adapter (1, 2, 3) to access websites such as webmail, HRC, DTS, IPPS-A, etc.

Setup

First, you will need to download the DoD’s PKI Certificate Authority certificates onto your Apple device. (Note: some websites may require additional certificates, which can be downloaded from DISA.) Once downloaded, open the dod_pke_chain.pem file within the zip file from your downloads folder. You will install the certificates on your iPhone by clicking the file, then navigating to Settings->Profile Downloaded->Install. I recommend you always verify that the certificates are authentic by following the instructions in the README included in the zip file.

Once installed, plug in your adapter, smart card reader, and CAC, and navigate to the webpage of your choice. You will be prompted to select your certificate and enter your PIN.
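One way to review what the dod_pke_chain.pem bundle from the first setup step would add to your trust store, as an added example (not from the original post or the README in the zip, whose own procedure may differ): it fingerprints every certificate in a PEM bundle and compares the result against a pinned list. The function names and sample bytes are hypothetical and constructed for illustration, and the pinned fingerprints are assumed to come from a source you trust independently of the download.

```python
import base64
import hashlib
import re

# One match per certificate block in a PEM bundle such as dod_pke_chain.pem.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (lowercase hex) of each certificate."""
    bodies = PEM_CERT.findall(pem_text)
    if not bodies:
        # e.g. an HTML error page or a non-PEM file saved under the .pem name
        raise ValueError("no PEM certificates found")
    prints = []
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def audit_bundle(pem_text, pinned):
    """Return (unexpected, missing) relative to the pinned fingerprints.

    unexpected: in the bundle but not pinned (would become trusted unreviewed).
    missing: pinned but absent from the bundle.
    """
    wanted = {fp.replace(":", "").lower() for fp in pinned}
    found = set(bundle_fingerprints(pem_text))
    return sorted(found - wanted), sorted(wanted - found)

def make_pem(der):
    """Wrap raw bytes in PEM certificate armour (used for the sample only)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes standing in for DER certificates.
# Fingerprinting hashes the decoded bytes, so no X.509 parsing is needed.
SAMPLE_A, SAMPLE_B = b"constructed-cert-A", b"constructed-cert-B"
SAMPLE_BUNDLE = make_pem(SAMPLE_A) + make_pem(SAMPLE_B)

if __name__ == "__main__":
    # Assumption: pinned values come from a source you trust independently.
    pinned = [hashlib.sha256(SAMPLE_A).hexdigest()]
    unexpected, missing = audit_bundle(SAMPLE_BUNDLE, pinned)
    print("unexpected:", unexpected)
    print("missing:", missing)
```

An empty `unexpected` list means every certificate in the bundle matches a pinned fingerprint; colon-separated, upper-case fingerprints are accepted in the pinned list.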

CAC Enabled Sites on an iPhone!

Certificate Management

All certificates are accessible in Settings->General->VPN & Device Management->Configuration Profiles while the root certificates are managed in Settings->General->About->Certificate Trust Settings.

Certificates

I tested this with an iPhone 12 with the USB-3 camera adapter and a generic OTG Lightning to USB 3.0 adapter from Amazon. However, this should work with any OTG adapter or USB-C smart card reader directly to a USB-C iPad.

Troubleshooting:

This Connection is Not Private

Click Show Details->view the certificate, then download the respective certificate from DISA.

Connection is Not Private

For example, IPPS-A uses the DOD SW CA-60 certificate. You can either download the DOD SW CA-60 in DISA’s DoD PKI Management and install it or simply click "visit this website".

You may also have to reduce protections if you have any additional privacy & security settings enabled for Safari, such as Advanced Tracking and Fingerprinting Protection, or Show IP Address if you have iCloud Private Relay turned on. If you are still having issues after installing the certificate, you can try restarting your device, clearing the history and website data, or using private browsing.

Cannot Use Accessory

I did run into some issues with Apple’s Lightning to USB 3 Camera Adapter where the power provided by the adapter was insufficient, but this was solved by plugging in a charger to the Lightning port on the adapter.

Smart Card Reader Power