Browser Says Your CAC is Untrusted? Here’s the Real Fix

Fix: CAC Certificate Shows as Untrusted in All Browsers

Seeing “certificate untrusted” errors across all browsers when accessing DoD websites with your CAC is one of the most frustrating issues military personnel and DoD civilians face. Unlike browser-specific certificate errors, untrusted certificate warnings appearing in Chrome, Firefox, Edge, and Safari simultaneously indicate a root certificate problem – your computer doesn’t trust the DoD certificate authorities that issued your CAC certificates.

This comprehensive guide explains why CAC certificates show as untrusted, how to fix the root certificate trust chain using InstallRoot, troubleshooting when InstallRoot doesn’t resolve the issue, and preventing future untrusted certificate errors.

Understanding “Certificate Untrusted” Errors

What “Untrusted” Means

When your browser shows “certificate untrusted,” it means:

  • Your CAC has valid certificates
  • Your CAC reader is working properly
  • Your computer can read the CAC certificates
  • BUT: Your computer doesn’t trust the certificate authority (CA) that issued those certificates

Analogy: It’s like having a driver’s license from a state your employer doesn’t recognize as valid – the license itself is real, but not trusted.

Certificate Trust Chains

Digital certificates use hierarchical trust:

  1. Root CA: DoD Root CA 3, 4, 5 (top of trust chain)
  2. Intermediate CA: DoD ID CA, DoD Email CA (middle of chain)
  3. End-entity certificate: Your personal CAC certificate (bottom of chain)

Your computer must trust the root CA to trust certificates issued by intermediate CAs, which in turn validates your personal CAC certificate.

If root CA is missing or not trusted: Entire chain fails, all CAC certificates show as untrusted.

Common “Untrusted” Error Messages

  • Chrome: “NET::ERR_CERT_AUTHORITY_INVALID” – Your connection is not private
  • Firefox: “SEC_ERROR_UNKNOWN_ISSUER” – The certificate is not trusted because the issuer certificate is unknown
  • Edge: “DLG_FLAGS_SEC_CERT_CN_INVALID” – This site is not secure
  • Safari: “This Connection Is Not Private” – Safari can’t verify the identity of the website
  • Outlook: “Certificate is not trusted” – Cannot establish secure connection

Key indicator this is a root certificate issue: Error appears across all browsers and applications, not just one.

Why DoD Root Certificates Go Missing

Common Causes

  • Fresh Windows install: New computers don’t include DoD root certificates
  • Windows reinstall/reset: Wipes all DoD certificates
  • Certificate expiration: Old root certificates expire periodically
  • Certificate policy updates: DoD migrates to new certificate authorities
  • Corrupted certificate store: Windows updates or crashes can corrupt store
  • Group Policy override: Enterprise policies may have removed certificates
  • Antivirus interference: Some security software strips certificates

How to Verify Root Certificates Are Missing

Windows Verification:

  1. Press Windows + R
  2. Type: certmgr.msc
  3. Press Enter
  4. Expand Trusted Root Certification Authorities → Certificates
  5. Look for these DoD root certificates:
    • DoD Root CA 3
    • DoD Root CA 4
    • DoD Root CA 5
    • DoD Root CA 6 (newer systems)

If you see 0-2 DoD certificates: Root certificates are missing or incomplete.

If you see 10-15+ DoD certificates: Roots are installed, problem may be different (proceed to troubleshooting section).

Mac Verification:

  1. Open Keychain Access (Applications → Utilities)
  2. Select System keychain in left sidebar
  3. Click Certificates category
  4. Search for “DoD”
  5. Should see multiple DoD Root CA certificates

Fix #1: Install DoD Root Certificates with InstallRoot

InstallRoot is the official DoD tool that installs all required root and intermediate certificates.

Step 1: Download InstallRoot

  1. Navigate to: https://public.cyber.mil/pki-pke/tools-configuration-files/
  2. Scroll to “PKI Tools” section
  3. Click InstallRoot 5.x (current version as of 2025)
  4. Download the appropriate installer:
    • Windows: InstallRoot_5.x_Win.msi or .exe
    • Mac: DoD PKE on Mac OS package
  5. Save to Downloads folder

Step 2: Run InstallRoot as Administrator (Windows)

Critical: Must run as Administrator or installation will fail silently.

  1. Navigate to Downloads folder
  2. Right-click InstallRoot installer
  3. Select “Run as Administrator” (not just double-click)
  4. Click “Yes” on User Account Control prompt

Step 3: Complete Installation Wizard

  1. InstallRoot welcome screen appears
  2. Click “Next”
  3. Accept license agreement
  4. Keep default installation location
  5. Click “Install”
  6. Installation progress bar shows certificate installation (2-5 minutes)
  7. You may see multiple Windows certificate prompts – click “Yes” to each
  8. Completes with “Installation Successful” message
  9. Click “Finish”

Step 4: Restart Computer

Required: Certificates don’t take effect until restart.

  1. Save all work
  2. Close all applications
  3. Restart computer (not just sign out/sign in)

Step 5: Verify Certificate Installation

After restart:

  1. Press Windows + R
  2. Type: certmgr.msc
  3. Expand Trusted Root Certification Authorities → Certificates
  4. Should now see 10-15 DoD certificates including:
    • DoD Root CA 3, 4, 5, 6
    • DoD Interoperability Root CA 1, 2
    • Various ECA (External Certification Authority) roots

If certificates present: Proceed to Step 6 to test.

If still missing: See troubleshooting section below.

Step 6: Test CAC Certificate Trust

  1. Insert CAC into reader
  2. Open browser (Chrome, Edge, Firefox)
  3. Navigate to: https://webmail.apps.mil
  4. Browser should prompt for certificate selection (no warning)
  5. Select your CAC certificate
  6. Enter PIN
  7. Should successfully log in with no certificate warnings

Success indicators:

  • ✓ No “untrusted” warnings
  • ✓ Green padlock appears in address bar
  • ✓ Certificate selection dialog appears normally
  • ✓ Website loads after PIN entry

Mac: Install DoD Certificates in macOS Keychain

Method 1: DoD PKE Mac Package (Easiest)

  1. Download “DoD PKE on Mac OS” from public.cyber.mil
  2. Open downloaded .pkg file
  3. Follow installation prompts
  4. Authenticate with Mac password when prompted
  5. Restart Mac after installation

Method 2: Manual Certificate Import

  1. Download DoD certificate bundle (.zip file) from public.cyber.mil
  2. Extract certificates
  3. Open Keychain Access (Applications → Utilities)
  4. Select System keychain in left sidebar
  5. Menu: File → Import Items
  6. Select all extracted DoD certificate files
  7. For each imported certificate:
    • Double-click certificate
    • Expand “Trust” section
    • Set “When using this certificate” to “Always Trust”
    • Close and authenticate with password
  8. Restart Mac

Troubleshooting: InstallRoot Didn’t Fix the Problem

Problem: Still Getting “Untrusted” Errors After InstallRoot

Solution 1: Verify Administrator Rights

InstallRoot fails silently without admin rights.

  1. Check if you have administrator account (Settings → Accounts)
  2. If you don’t have admin rights, contact IT help desk
  3. On work computer, may need IT to run InstallRoot with admin credentials

Solution 2: Manually Verify Certificate Trust Settings

Certificates may be installed but not trusted.

  1. Open certmgr.msc
  2. Expand Trusted Root Certification Authorities → Certificates
  3. Find DoD Root CA 3
  4. Double-click to open
  5. Check General tab – should say “This certificate is intended for: All issuance policies”
  6. Check Certification Path tab – should show “This certificate is OK”
  7. If shows error, certificate may be corrupted – proceed to reinstall

Solution 3: Clear Certificate Cache and Reinstall

  1. Uninstall InstallRoot:
    • Control Panel → Programs and Features
    • Find “InstallRoot” or “DoD PKI”
    • Right-click → Uninstall
  2. Manually remove DoD certificates:
    • Open certmgr.msc
    • Trusted Root Certification Authorities → Certificates
    • Delete all DoD certificates (right-click → Delete)
    • Close certificate manager
  3. Clear SSL state:
    • Control Panel → Internet Options
    • Content tab → Clear SSL State
    • Click OK
  4. Restart computer
  5. Reinstall InstallRoot as Administrator
  6. Restart again

Solution 4: Check for Certificate Expiration

Old DoD root certificates expire periodically.

  1. Open certmgr.msc
  2. Check each DoD root certificate
  3. Look at “Expiration Date” column
  4. If any show expiration date in the past:
    • Delete expired certificates
    • Reinstall InstallRoot (installs current versions)
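
The certmgr.msc checks in this guide (are the DoD roots present, and has any of them expired) can also be run from PowerShell. This is an added example, not part of InstallRoot or any DoD tooling; the expected names are the four roots listed in this guide, and matching on "DoD" in the subject is an assumption about how those certificates are named.

```powershell
# Added example: inventory DoD roots in the Windows trust stores and flag
# any that are missing, expired, or not yet valid.
# Expected names come from this guide; extend the list if DoD adds roots.
$expected = 'DoD Root CA 3', 'DoD Root CA 4', 'DoD Root CA 5', 'DoD Root CA 6'
$stores   = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$now      = Get-Date

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*DoD*' } |   # assumption: subject contains "DoD"
        ForEach-Object {
            # Compare the validity window against the local clock.
            $state = if ($now -gt $_.NotAfter) { 'EXPIRED' }
                     elseif ($now -lt $_.NotBefore) { 'NOT YET VALID (check clock)' }
                     else { 'OK' }
            [pscustomobject]@{
                Store      = $store
                Name       = $_.GetNameInfo('SimpleName', $false)
                NotAfter   = $_.NotAfter
                State      = $state
                Thumbprint = $_.Thumbprint
            }
        }
}

# Full inventory, useful to paste into a help desk ticket.
$found | Sort-Object Name, Store | Format-Table -AutoSize

# Report each expected root that has no currently valid copy in either store.
foreach ($name in $expected) {
    $valid = $found | Where-Object { $_.Name -eq $name -and $_.State -eq 'OK' }
    if (-not $valid) {
        Write-Warning "$name is missing or not currently valid in the root stores"
    }
}
```

Reading the stores does not require an elevated prompt; only installing or deleting certificates in the machine store does.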

Solution 5: Disable Antivirus Temporarily

Some antivirus programs interfere with certificate installation.

  1. Temporarily disable antivirus (Windows Defender, Norton, McAfee, etc.)
  2. Uninstall existing InstallRoot
  3. Run InstallRoot installer as Administrator
  4. Restart computer
  5. Re-enable antivirus
  6. Test certificate trust

Problem: Government Computer Won’t Allow InstallRoot

Cause: Group Policy restrictions prevent certificate installation.

Solution:

  1. Contact IT Help Desk – they have administrative tools to install certificates
  2. Provide specific error message you’re receiving
  3. They can push certificates via Group Policy or remote installation
  4. Do not attempt to bypass security policies

Problem: Certificates Install But Specific Website Still Shows Untrusted

Cause: Website using outdated/revoked certificate, not your CAC.

Solution:

  1. Test other CAC-enabled sites (webmail.apps.mil, militarycac.com)
  2. If other sites work, problem is with specific website
  3. Report website certificate issue to website administrator
  4. Try accessing site on different computer to verify

Fix #2: Browser-Specific Trust Settings

If InstallRoot installed the certificates but a browser still shows untrusted, you may need browser-specific configuration.

Firefox: Manually Trust Root Certificates

Firefox uses its own certificate store, separate from Windows.

  1. Firefox Settings → Privacy & Security
  2. Scroll to “Certificates”
  3. Click “View Certificates”
  4. Click “Authorities” tab
  5. Click “Import”
  6. Navigate to DoD certificate bundle (from public.cyber.mil download)
  7. Select all DoD root certificates
  8. Check all trust boxes:
    • ☑ Trust this CA to identify websites
    • ☑ Trust this CA to identify email users
    • ☑ Trust this CA to identify software developers
  9. Click OK
  10. Restart Firefox

Chrome/Edge: Verify Using Windows Certificate Store

  1. Settings → Privacy and security → Security
  2. Click “Manage certificates”
  3. Verify DoD certificates appear in “Trusted Root Certification Authorities” tab
  4. If missing, InstallRoot didn’t complete – reinstall

Fix #3: Advanced Troubleshooting

Check Certificate Revocation Issues

Sometimes browsers can’t check certificate revocation status.

  1. Temporarily disable revocation checking:
    • Control Panel → Internet Options
    • Advanced tab
    • Uncheck “Check for publisher’s certificate revocation”
    • Uncheck “Check for server certificate revocation”
    • Click OK and test
  2. If this fixes issue: Problem is internet connectivity to DoD revocation servers
  3. Long-term fix: Re-check both revocation options once the test is done, and ensure firewall allows access to DoD CRL servers

Verify System Date and Time

Incorrect system clock causes certificate validation failures.

  1. Check Windows date/time (bottom-right taskbar)
  2. If incorrect:
    • Settings → Time & Language → Date & time
    • Enable “Set time automatically”
    • Click “Sync now”
  3. Restart browser and test

Why this matters: Certificates have validity periods. If system thinks it’s 2010, current certificates appear “not yet valid.” If system thinks it’s 2030, certificates appear “expired.”

Enterprise Certificate Issues

On corporate/government networks:

  • Proxy servers: May strip certificates during inspection
  • SSL inspection: Corporate firewalls inspect HTTPS traffic
  • Group Policy overrides: Centrally-managed policies control certificates

Solution: Contact IT help desk for enterprise-specific fixes.

Prevention: Keep Root Certificates Updated

Quarterly Maintenance

  • Every 3 months: Run InstallRoot to update certificates
  • DoD regularly updates root and intermediate certificates
  • Old certificates expire periodically
  • New certificate authorities added

Set Reminders

  • Calendar reminder: “Update DoD root certificates”
  • Frequency: Every 90 days (quarterly)
  • Takes 10 minutes (download, install, restart)
  • Prevents future untrusted certificate errors

After Major System Changes

Reinstall InstallRoot after:

  • Windows reinstall or major Windows update
  • New computer setup
  • Factory reset
  • Switching from one computer to another
  • After removing malware or system repair

Quick Decision Tree

Use this flowchart to determine your fix:

  1. Check certificate manager (certmgr.msc):
    • DoD root certificates present? → Go to step 2
    • DoD root certificates missing? → Install InstallRoot
  2. Certificates present but still getting errors:
    • All browsers affected? → Certificates may be untrusted, clear and reinstall
    • Only Firefox affected? → Import certificates into Firefox manually
  3. After InstallRoot, still failing:
    • Work computer? → Contact IT help desk (Group Policy issue)
    • Personal computer? → Disable antivirus and reinstall
  4. Works on other computers but not yours:
    • Check system date/time
    • Verify administrator rights
    • Consider Windows reinstall if all else fails
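
Windows reports why a chain fails when it builds one, and those status flags map directly onto the branches of this decision tree. The script below is an added example, not part of the original guide or of any DoD tool; it assumes the CAC is inserted and that its certificates are visible in the current user's Personal store, and the advice strings are this guide's fixes restated.

```powershell
# Added example: build the trust chain for each CAC certificate and translate
# the failure flags into the fixes described in this guide.
# Assumption: CAC certificates appear in Cert:\CurrentUser\My with a DoD issuer.
$advice = @{
    UntrustedRoot           = 'Root not trusted: run InstallRoot as Administrator'
    PartialChain            = 'Issuer missing: run InstallRoot (roots and intermediates)'
    NotTimeValid            = 'Validity period failed: check system clock, then expiry'
    RevocationStatusUnknown = 'Revocation unknown: check access to DoD CRL servers'
    OfflineRevocation       = 'CRL unreachable: check firewall/proxy to DoD CRL servers'
    Revoked                 = 'Certificate revoked: contact IT help desk'
}

function Test-CacChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # keep revocation checking on
    $ok = $chain.Build($Cert)

    # Leaf-to-root path as Windows resolved it (stops early if an issuer is missing).
    $path = ($chain.ChainElements | ForEach-Object {
        $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' <- '
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject = $Cert.GetNameInfo('SimpleName', $false)
        Trusted = $ok
        Path    = $path
        Flags   = $flags -join ', '
        Fix     = ($flags | ForEach-Object { $advice[$_] } | Where-Object { $_ }) -join '; '
    }
    $chain.Reset()
}

$cacCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*DoD*' }

if (-not $cacCerts) {
    Write-Warning 'No DoD-issued certificates in Cert:\CurrentUser\My; is the CAC inserted?'
}
$results = foreach ($c in $cacCerts) { Test-CacChain -Cert $c }
$results | Format-List
```

A result with Trusted = True and an empty Flags field means the local trust chain is intact, which points back to the browser-specific or site-specific branches above.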

When to Contact IT Help Desk

Contact your organization’s IT support if:

  • InstallRoot requires administrator rights you don’t have
  • Group Policy prevents certificate installation
  • Government computer has restrictions you can’t override
  • Issue persists after trying all troubleshooting steps
  • Multiple coworkers experiencing same issue (server problem)
  • Certificate errors began suddenly across organization

What to tell help desk:

  • Exact error message (screenshot if possible)
  • “Certificate untrusted” appearing in all browsers
  • Checked certificate manager – DoD roots missing or present
  • Attempted InstallRoot installation – result (success/failure/error message)
  • Computer type (work-issued vs personal)

Conclusion

“Certificate untrusted” errors appearing across all browsers indicate missing or corrupted DoD root certificates. The fix is installing InstallRoot – the official DoD tool that installs all required root and intermediate certificates into your computer’s certificate store.

The key steps are: download InstallRoot from public.cyber.mil, run as Administrator (critical on Windows), restart computer after installation, and verify DoD root certificates appear in certificate manager. Most untrusted certificate errors resolve within 15 minutes using this process.

If InstallRoot doesn’t resolve the issue, likely causes are insufficient administrator rights (requiring IT help desk), Firefox using separate certificate store (requiring manual import), or enterprise Group Policy restrictions (requiring IT intervention). Personal computers should resolve with clean uninstall/reinstall of InstallRoot.

Prevent future issues by running InstallRoot quarterly to keep DoD certificates current.

Robert Chen

Robert Chen is a cybersecurity specialist and former DoD IT systems administrator with 12 years of experience managing CAC infrastructure and secure military networks. He holds CompTIA Security+, CISSP, and CAC/PKI certifications. Robert has helped thousands of service members and DoD civilians troubleshoot CAC access issues and set up secure home workstations for remote military email and systems access. Based in Northern Virginia, he specializes in helping military families navigate the technical challenges of CAC card usage at home.
