PuTTY-CAC is a free SSH client for Windows that supports smartcard authentication using the US Department of Defense Common Access Card (DoD CAC) as a PKI token.


2015-09-23: The version Josh published had some bugs that made the CAPI support mostly broken. I believe these are fixed by last-night's patchset. For the moment, binaries for testing this are in ./testing/. These are compiled with VS2015 with debugging turned on, which is why they are so large. I expect to post "Release" versions here, on github, and on software.forge.mil within the next few days.

2015-08-14: Josh Dantzler has updated PuTTY-CAC to be synchronized with PuTTY-0.65. At this time the code for these versions has not been integrated into the GitHub codebase. (I plan to do so eventually...) He has three versions, provided below:

  1. PuTTY-CAC 0.65 with original Pageant
  2. PuTTY-CAC 0.65 with simplified Pageant (Does not include sessions)
  3. PuTTY-CAC 0.65 with simplified Pageant (Includes sessions)

The PuTTY-CAC with the simplified Pageant makes the interface more simplified and easier to use when adding CAPI certs. It removes the ability to add other types of SSH keys. It will only allow you to add CAPI SSH certs/keys.

The PuTTY-CAC with the original Pageant maintains all the features and does not simplify anything. You can add any SSH key and/or CAPI certs/keys.

WARNING: The PKCS11 API originally from PuTTY-SC has been removed from all applications in this PuTTY-CAC Suite due to complications Josh was having with the code. However, CAPI support is still functional which is the main premise behind PuTTY-CAC anyways. If you need to use PKCS11 then DO NOT DOWNLOAD ANY OF THESE VERSIONS. Download an older release of 0.62 which has support for PKCS11. If you do not know what Josh is talking about then this release should be fine for your needs. Also, none of these releases will include the PuTTYtel application.

Josh has included compiled versions of the PuTTY-CAC suite that can be found in the EXECUTABLES folder for each type listed above for those that do not want to compile the code. However, these compiled applications may only work on Windows 7/8. They have not been tested on older OS’s such as Vista/XP or newer OS's such as 10.

2012-09-18: the source code has been moved to github at https://github.com/risacher/putty-cac. This version is synchronized with PuTTY-0.62, and also includes support for Microsoft's Cryprographic API (CAPI). CAPI support should be easier to configure for most users and also allows use of soft-certs. Use of CAPI instead of PKCS#11 is now recommended.



Source is at https://github.com/risacher/putty-cac


PuTTY-CAC is derived from PuTTY and PuTTY SC. (See below for the pedigree.) It should support other smartcards as well, but has not been tested to do so.

PuTTY-CAC was developed by Dan Risacher.

U.S. Department of Defense users can also obtain this software from https://software.forge.mil/sf/projects/community_cac

CAPI configuration

PCKS#11 Configuration

Use the "Pkcs11" panel to configure PuTTY SC for smartcard usage.
Note: these settings are used by the SSH agent as well.

Unfortunately, some PKCS#11 middleware does not work well with this dialog, and the configuration dialog does not work properly. In addition to the "SSH Keystring" box in the user interface, the public key can be exported via the event log of PuTTY (it's written as a base64 encoded string to the event log when connecting to the server). Just copy/paste this string.
It should look like'ssh-rsa AAAAB3NzaC1yc2EAAAA.....ZHkknlDE7jhQ== token-key'.

PKCS#11 Middleware

In my testing, the PKCS#11 library files, Token labels, and Certificate labels corresponding to the PKCS#11 middlewares were: