PuTTY-CAC is an open-source SSH client for Windows that supports smartcard authentication, particularly using the US Department of Defense Common Access Card (DoD CAC) as a PKI token.


2015-12-29: PuTTY-CAC has been updated to sync with PuTTY 0.66. The updated version is available at https://github.com/risacher/putty-cac/tree/0.66-sync

2015-09-23: The version Josh published had some bugs that made the CAPI support mostly broken. I believe these are fixed by the 2015-09-23 patchset.

2015-08-14: Josh Dantzler has updated PuTTY-CAC to be synchronized with PuTTY-0.65. [UPDATE: Because these versions had errors that made the CAPI support not work, they were basically useless to an end user and the download links have been removed.]

WARNING: The PKCS11 API originally from PuTTY-SC has been removed from all applications in this PuTTY-CAC Suite due to complications Josh was having with the code. However, CAPI support is still functional. If you need to use PKCS11, then DO NOT DOWNLOAD ANY OF THESE VERSIONS. Instead, download an older release of 0.62 which has support for PKCS11. If you need PKCS11 support, please file an issue at the github repository.

2012-09-18: the source code has been moved to github at https://github.com/risacher/putty-cac. This version is synchronized with PuTTY-0.62, and also includes support for Microsoft's Cryprographic API (CAPI). CAPI support should be easier to configure for most users and also allows use of soft-certs. Use of CAPI instead of PKCS#11 is now recommended.



Source is at https://github.com/risacher/putty-cac


PuTTY-CAC is derived from PuTTY and PuTTY SC. (See below for the pedigree.) It should support other smartcards as well, but has not been tested to do so.

PuTTY-CAC was developed by Dan Risacher.

U.S. Department of Defense users can also obtain this software from https://software.forge.mil/sf/projects/community_cac Note that the version on forge.mil is temporarily out-of-date, as of 2015-12-29.

CAPI configuration

PCKS#11 Configuration

Use the "Pkcs11" panel to configure PuTTY SC for smartcard usage.
Note: these settings are used by the SSH agent as well.

Unfortunately, some PKCS#11 middleware does not work well with this dialog, and the configuration dialog does not work properly. In addition to the "SSH Keystring" box in the user interface, the public key can be exported via the event log of PuTTY (it's written as a base64 encoded string to the event log when connecting to the server). Just copy/paste this string.
It should look like'ssh-rsa AAAAB3NzaC1yc2EAAAA.....ZHkknlDE7jhQ== token-key'.

PKCS#11 Middleware

In my testing, the PKCS#11 library files, Token labels, and Certificate labels corresponding to the PKCS#11 middlewares were: