New Outlook for Mac Won’t Find Your CAC Certificates — Here’s the Fix

in Mac Tips 11 min read

New Outlook for Mac Won’t Find Your CAC Certificates — Here’s the Fix

New Outlook Mac smart card certificates not found — that error message, or really just the silent failure of Outlook showing you a greyed-out S/MIME button with zero explanation, has cost government employees and contractors hours of lost productivity. I spent the better part of a Tuesday afternoon debugging this on a colleague’s MacBook Pro M2 (the 14-inch, 16GB unified memory model) before I understood what was actually happening. Once I did, the fix was straightforward. Getting there was not. This guide gives you what those unresolved Microsoft Q&A threads never did: an exact diagnosis, three working fixes in order of preference, and the specific terminal commands you need.

Why New Outlook Cannot See Your CAC Certificates

The root cause here is an architectural gap between two different macOS smart card subsystems. Probably should have opened with this section, honestly — because without understanding it, any fix you try is just guessing.

Apple introduced CryptoTokenKit (CTK) in macOS 10.12 Sierra as a modern replacement for the older TokenD framework. TokenD was a plugin-based system where third-party vendors could drop a .tokend bundle into /Library/Security/tokend/ and macOS would use it to communicate with smart card readers. It worked reliably for years. CAC users running Classic Outlook (the 2019 build or the legacy Microsoft 365 version) had functional S/MIME signing and encryption because that older app knew how to reach down into TokenD.

New Outlook for Mac was rebuilt on a different stack. It uses CryptoTokenKit exclusively. CTK is the right long-term choice — it is more secure, better sandboxed, and handles modern PIV cards natively on Sequoia. The problem is that CTK’s native PIV driver and some government-issued CAC configurations do not always negotiate correctly. Specifically, when your Mac’s CTK driver expects a NIST SP 800-73-4 compliant PIV card and your CAC is provisioned with older or non-standard certificate slot mappings, CTK enumerates the card but surfaces the certificates in a way that New Outlook’s certificate picker cannot consume.

There is a second failure mode. Some organizations still deploy the older CACKey or CAC enablement packages that install TokenD bundles. New Outlook’s sandboxed process does not have the entitlements to query those TokenD paths. So the certificates exist in the system — you can see them in Keychain Access under the smart card section — but the New Outlook process returns an empty list when it tries to enumerate signing certificates.

This is not user error. It is a transition-period gap that Apple and Microsoft have not fully resolved as of mid-2025.

Fix 1 — Re-Enable TokenD with OpenSC

This fix works for most users who are not on locked-down managed MDM profiles that block kernel extensions. It involves installing OpenSC, which provides its own CTK-compatible PKCS#11 module, and then confirming your system is configured to expose those certificates to applications like New Outlook.

Step 1 — Install OpenSC

You need OpenSC version 0.19.0 or newer. As of this writing, 0.25.0 is the current stable release and the one I have personally tested on macOS Sequoia 15.3. Download the .pkg installer directly from the OpenSC GitHub releases page. The installer file will be named something like OpenSC-0.25.0.pkg and is roughly 4.2 MB.

Run the installer. Standard next-next-finish. It drops the PKCS#11 library at /Library/OpenSC/lib/opensc-pkcs11.so and the CTK token extension at /Library/Security/tokend/OpenSC.tokend. You do not need to restart yet.

Step 2 — Verify Your Card Is Recognized

Open Terminal and run:

opensc-tool --list-readers

You should see your CAC reader listed. If you see No smart card readers found, the issue is upstream — check that your reader driver is installed and that System Settings → Privacy & Security has not blocked the reader’s kernel extension. Common readers like the SCR3500 and the HID Omnikey 3121 should appear immediately after OpenSC installation.

Then run:

pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so --list-certificates

This command lists every certificate on your CAC. If you see your ID cert, email cert, and CA certificates printed out, OpenSC can read the card. That is good. Now the issue is getting New Outlook to see them.

Step 3 — Register the PKCS#11 Module with the System

Run the following command in Terminal to tell macOS’s security framework where OpenSC’s PKCS#11 module lives:

sudo defaults write /Library/Preferences/com.apple.security.pkcs11 OpenSC /Library/OpenSC/lib/opensc-pkcs11.so

Enter your password when prompted. This writes a preference that the security daemon reads on next login.

Step 4 — Disable CryptoTokenKit’s Native PIV Driver Conflict

This is the step that most guides skip. macOS’s built-in CryptoTokenKit PIV driver and OpenSC’s CTK extension will fight over the same card if you let them. You need to tell the native driver to stand down for your specific card, or disable it globally if you only use CAC cards on this machine.

To disable the native PIV driver system-wide:

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

To verify it took effect:

sudo defaults read /Library/Preferences/com.apple.security.smartcard

You should see DisabledTokens = ( "com.apple.CryptoTokenKit.pivtoken" ); in the output.

Step 5 — Restart and Test

Log out completely and log back in. Do not just quit and reopen Outlook — the security daemon needs a fresh session. Insert your CAC, open New Outlook, navigate to a new email, click the three-dot options menu, and look for the Encrypt or Sign options. If they are now active and your certificate name appears, this fix worked.

One mistake I made the first time: I ran the defaults write commands and immediately reopened Outlook without logging out. Spent another twenty minutes convinced the fix had failed. Log out. It matters.

Fix 2 — Export Certificates to Keychain Manually

If you are on a government-managed Mac with an MDM profile that blocks third-party kernel extensions and PKCS#11 overrides, Fix 1 may be blocked at the administrative level. Your IT department may have locked the /Library/Preferences/com.apple.security.smartcard domain. In that case, you can work around the CTK enumeration problem by exporting the public certificates from your CAC into your login keychain directly.

This does not give you full S/MIME signing capability — for signing, the private key has to stay on the card. What it does is fix the specific failure where New Outlook cannot find your certificates at all, which is often enough to make the Sign button appear and functional because the private key operation happens via the card at the moment of signing.

Export from Keychain Access

  1. Insert your CAC and open Keychain Access (Applications → Utilities → Keychain Access, or Spotlight it).
  2. In the left sidebar, look for your smart card listed under the keychain list. It will appear as a separate keychain, usually named with your card’s serial number or your name.
  3. Click that keychain. You will see your certificates listed in the main panel.
  4. Right-click your email signing certificate — this is usually labeled with your full name and the word “Email” or has an envelope icon — and select Export.
  5. Save it as a .cer file (not .p12 — you cannot export the private key and you should not try). Name it something like CAC_EmailCert.cer. Save it to your Desktop.
  6. Repeat for your ID certificate if Outlook asks for it.

Import to Login Keychain

  1. In Keychain Access, select the login keychain from the left sidebar.
  2. Go to File → Import Items and select the .cer file you just saved.
  3. When prompted for a trust level, set it to Always Trust for S/MIME purposes.
  4. Quit and reopen New Outlook with your CAC still inserted.

Frustrated by repeated certificate-not-found errors on a colleague’s CAB-managed MacBook Air running Sequoia 15.2, I used this exact manual export process to get her S/MIME signing working in under ten minutes while we waited for IT to approve the OpenSC deployment package.

Fix 3 — Use Outlook Web App via Safari

This is the fallback that nobody wants to hear but that actually works completely and reliably right now. Safari on macOS has native CryptoTokenKit integration baked into its WebKit layer. It reads CTK-exposed certificates without needing any additional configuration, PKCS#11 modules, or terminal commands.

Open Safari. Navigate to outlook.office.com or your organization’s OWA URL. When the page prompts for authentication, macOS will present the standard certificate picker dialog, which pulls directly from CTK. Select your CAC certificate. Enter your PIN when prompted. You are in.

Configure S/MIME in OWA

Once logged into OWA in Safari, S/MIME signing and encryption require a one-time setup:

  1. Click the gear icon (Settings) in the upper right.
  2. Search for S/MIME in the Settings search box.
  3. Under S/MIME settings, toggle on Sign outgoing messages automatically if required by your organization.
  4. The first time you send a signed email, Safari will prompt you to allow OWA to access your signing certificate. Allow it. This permission persists.

OWA in Safari is not as feature-rich as the desktop client for some workflows, but for secure email — signing, encryption, reading encrypted messages — it is fully functional. If your daily workflow is just email and you do not need the calendar integration or offline access, this is genuinely the cleanest solution until Microsoft resolves the CTK gap in New Outlook.

Chrome and Firefox do not work for this. Both use their own certificate stores and neither connects to macOS CryptoTokenKit in a way that exposes CAC certificates correctly. Safari only.

Which macOS Versions Are Affected

Not every macOS version is equally affected. Here is what I have observed and confirmed through testing across several machines.

macOS 15 Sequoia — Most affected. Apple tightened the CryptoTokenKit sandbox in Sequoia and removed some legacy TokenD fallback paths that had quietly kept things working in earlier versions. Both 15.0 through 15.3 show this problem. OpenSC 0.23.0 and newer work on Sequoia. Do not install OpenSC 0.21.0 on Sequoia — it has a CTK extension compatibility bug that causes the card reader to disconnect intermittently.

macOS 26 Tahoe (developer betas as of this writing) — Also affected. Apple has not introduced any new native PIV certificate surfacing improvements in the Tahoe betas visible so far. OpenSC 0.25.0 runs on Tahoe beta 2 without issues in my testing, though that could change before public release.

macOS 14 Sonoma — Less commonly affected. Some users on Sonoma 14.4 and earlier report New Outlook finding their CAC certificates without any intervention. Others on 14.5 and 14.6 report the same failures as Sequoia. The inconsistency tracks with which version of New Outlook is installed — builds after the November 2024 update changed how New Outlook’s sandboxed certificate enumeration works.

macOS 13 Ventura — Largely unaffected if you are still on the legacy Outlook build. If you have been force-migrated to New Outlook on Ventura, the problem can appear. OpenSC 0.19.0 through 0.25.0 all work correctly on Ventura.

A quick note on OpenSC version compatibility: do not go below 0.19.0 on any current macOS version. Pre-0.19.0 builds use a different CTK extension format that macOS Ventura and later reject at load time. The installer will complete, the module will appear installed, and nothing will work. 0.19.0 was the version that rewrote the CTK bridge. Use 0.23.0 minimum if you are on Sequoia.

The short version — if you are a government Mac user who got migrated to New Outlook against your will and suddenly your CAC stopped working for email signing, you are not doing anything wrong. The infrastructure change is real, it affects thousands of users daily, and the Microsoft support threads offering vague suggestions to “reinstall certificates” are not addressing the actual architectural cause. Fix 1 with OpenSC resolves it on most machines in under fifteen minutes. Fix 2 is your path when IT policy blocks the PKCS#11 approach. Fix 3 gets you working today while you pursue the longer-term fix. Pick the one that matches your situation and get back to work.

David Chen

David Chen

Author & Expert

David Chen is a professional woodworker and furniture maker with over 15 years of experience in fine joinery and custom cabinetry. He trained under master craftsmen in traditional Japanese and European woodworking techniques and operates a small workshop in the Pacific Northwest. David holds certifications from the Furniture Society and regularly teaches woodworking classes at local community colleges. His work has been featured in Fine Woodworking Magazine and Popular Woodworking.

43 Articles
View All Posts

You Might Also Like

Stay in the loop

Get the latest apple mac in government updates delivered to your inbox.