Download Dod Certificates For Mac

  • GeoTrust Root Certificates are used for issuing SSL/TLS, CodeSigning, S/MIME, and Client certificates. All roots on this page are covered in our Certification Practice Statement (CPS). Licensing and Use of Root Certificates.
  • Aside from installing middleware, you need to download and import the DoD Root and Intermediate Certificates in your Keychain Access. Most of the DoD certificates are available if you add the 'SystemCACertificates' keychain using the File > Add Keychain option and navigating through the folders to Macintosh HD > System > Library > Keychains.

Download and Install DoD Certs to a Mac

I am running on macOS Catalina Version 10.15.3, but these instructions should still work for you. 6dod.zip to download a p7b bundle of DoD certificates. Right-click (or control + click, if right-click not enabled) the file.

Recently, I wanted to read about the NSA’s Commercial National Security Algorithm (or CNSA) Suite, which is their replacement for the Suite B algorithms. The web site for the CNSA Suite is https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm, but if you go there now on a Mac, you’ll probably get a security warning. The reason is, this web site uses a certificate issued by the DoD, and I didn’t have them installed. How did I get them installed? Read on!

The web site I want to visit uses a cert ultimately coming from the DoD Root CA 3.

To be sure I’m going to the right place, I needed to securely download the DoD’s roots, and then trust the appropriate one. This is not the easiest thing in the world, because a lot of the sites which have the DoD roots are either non-Government sites (which I don’t want to trust), or are Government sites that use the DoD CA (which makes trusting them a catch-22).

The NSA’s web site has this text:

Please visit the Information Assurance Support Environment (IASE) site to download the DoD Root CA Certificates. Select the Trust Store tab and choose the latest InstallRoot: NIPR Windows Installer.

This points you in the right direction, but not to the exactly-right thing (for one thing, I’m not running Windows). You do need to browse to https://iase.disa.mil/pki-pke/Pages/tools.aspx, but what you’re actually looking for is called PKI CA Certificate Bundles: PKCS#7.

Download the “For DoD PKI Only” ZIP file (as of publication, the version number is 5.3). You’ll end up with a folder containing eight files. Four of the files contain the phrase “Root_CA”, and end with “.p7b”. Those are the four files we will be needing.

To install the certs, you’ll be using the Keychain Access application, which is an application that lives in the Utilities folder (which lives in the Applications area). Launch it, and go to your “login” keychain.

The “login” keychain is the one for your specific account, and the “Certificates” category shows all the certificates that you have added (or which have been added for you).

Next, double-click on each of the four .p7b files that we identified above. Or, drag the four .p7b files into the Keychain Access program. You’ll see your certificates list EXPLODE with DoD certs!

Wow that’s a lot of certs!

The four certs that we want are named “DoD Root CA” followed by a number (2, 3, 4, or 5). The other certs are intermediate certs; Safari does not need them, so you should delete all of the “DOD EMAIL”, “DOD ID SW”, and “DOD SW” certs. Once you delete those, your list will be much smaller!

Now, macOS (and Safari) has the CA certs, but the certs are still not trusted. This is a good thing; if you are concerned about trusting a US Government CA, well, right now you aren’t. You can turn trust on and off whenever you want.

To enable trust, double-click on the appropriate CA, expand the Trust section, and choose how you want to trust the CA. Since I’m using Safari, I am changing the SSL entry to “Always Trust”.

When you close the window, you’ll be asked for your password, and then your changes will be saved. You’ll also know that you did it correctly when Keychain Access says that the CA is trusted.

The red X has disappeared from the DoD Root CA 3.

You can now browse to the web site (in Safari or Chrome), and no warnings should appear. Once you are done, you can go back into Keychain Access and remove the trust settings.
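Before switching a root to “Always Trust”, it is worth confirming that the certificate in the downloaded bundle is the one you expect. The shell functions below are an added example, not part of the original post: they list the self-issued (root) certificates in a .p7b bundle with their SHA-256 fingerprints and check one against a pinned value. The names `list_roots`, `has_pinned_root` and `make_demo_bundle` are hypothetical, the demo bundle is constructed test data rather than DoD certificates, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (hypothetical helper names); requires the openssl CLI.

# Print "FINGERPRINT  SUBJECT" for every self-issued certificate in a bundle.
list_roots() (
    tmp=$(mktemp -d) || exit 1
    # Bundles ship as DER or PEM; try DER first, then PEM.
    openssl pkcs7 -inform DER -in "$1" -print_certs >"$tmp/all.pem" 2>/dev/null ||
        openssl pkcs7 -inform PEM -in "$1" -print_certs >"$tmp/all.pem" ||
        { rm -rf "$tmp"; exit 1; }
    # Split the PEM stream into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%04d.pem", d, ++n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$tmp/all.pem"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253)
        # A root names itself as issuer; intermediates are skipped.
        [ "${subj#subject=}" = "${iss#issuer=}" ] || continue
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256)
        printf '%s  %s\n' "${fp#*=}" "${subj#subject=}"
    done
    rm -rf "$tmp"
)

# Succeed only if the bundle holds a root with the expected SHA-256
# fingerprint (colons and letter case are ignored).
has_pinned_root() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    list_roots "$1" | cut -d' ' -f1 | tr -d ':' | tr 'a-f' 'A-F' | grep -qxF "$want"
}

# Constructed test data: a throwaway root plus one intermediate, written to
# bundle.p7b in directory $1. These are NOT DoD certificates.
make_demo_bundle() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout root.key \
        -subj "/CN=Constructed Demo Root" -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key \
        -subj "/CN=Constructed Demo Intermediate" -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 1 -out int.pem 2>/dev/null
    cat root.pem int.pem >both.pem
    openssl crl2pkcs7 -nocrl -certfile both.pem -outform DER -out bundle.p7b
)
```

On the real download, run `list_roots` against each of the four “Root_CA” .p7b files and compare the printed fingerprints with values obtained from a source you trust independently of the download before changing any trust setting.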

Good luck!

Installation Steps

Step 1: Obtain a CAC Reader
Step 2: CAC Reader driver
Step 3: DoD Certificates
Step 4: ActivClient
Step 4a: Update ActivClient
Step 5: IE adjustments
Log into a CAC enabled website now

InstallRoot automates the install of the DoD certificates onto your Windows computer

To access DoD websites from your computer, you need these certificates on your computer. You may need to reinstall the certificates if the CAC enabled web site won't load, the website you are visiting is prompting you with the message there is a problem with the website's Security Certificate / site is not trusted, you have received a new CAC, or your DoD website worked up until recently and doesn't now.

Apple computer users follow these instructions

Windows RT / Windows 10 S mode users follow these instructions (or anyone not wanting to install the InstallRoot 5.5 program below)

InstallRoot is created by DISA for Windows computers. If you have any problems with this file, please contact them.

NOTE: If you do not want to install the InstallRoot program, or are having problems with the InstallRoot file, you can install the certificates manually by following these instructions.

Windows users, Download InstallRoot 5.5 from:

MilitaryCAC (.msi version) (27.7 MB),

MilitaryCAC (.zip version) (25.9 MB), or

DoD Cyber Exchange (.msi version) (27.7 MB)

(It is the same file [except for .zip version] from two different servers, in the event one of the links doesn't work)

Select Next >

Leave the default installation location, then select Next >

Select Next >

Select Install

Wait for it

Select Run InstallRoot

Click Install Certificates

If you have Firefox installed, you may see 2 or 3 tabs

NOTE: I have one report that a person had to select Restart as Administrator. This was the first and only person in the several years this program has been in existence that I have heard this.

InstallRoot not updating was fixed in InstallRoot 5.2

Select Yes, (this screen may show 2 - 4 times) as it is installing each of the DoD Root CA 2, 3, 4, & 5 certificates

Select OK (your number of Adds will vary)

How to verify you have the certificates installed

Open Internet Explorer, Select Tools (Gear), Internet Options

Select Content (tab), Certificates (button)

Intermediate Certification Authorities (tab) scroll down the Issued To (column) to the letters DOD to verify you have:

DOD DERILITY CA-1

DOD EMAIL CA-33 through DOD EMAIL CA-34

DOD EMAIL CA-39 through DOD EMAIL CA-44

DOD EMAIL CA-49 through DOD EMAIL CA-52

DOD EMAIL CA-59

DOD EMAIL CA-62 through DOD EMAIL CA-65

DOD ID CA-33 through DOD ID CA-34

DOD ID CA-39 through DOD ID CA-44

DOD ID CA-49 through DOD ID CA-52

DOD ID CA-59

DOD ID CA-62 through DOD ID CA-65

DOD ID SW CA-35 through DOD ID SW CA-38

DOD ID SW CA-45 through DOD ID SW CA-48

DOD SW CA-53 through DOD SW CA-58

DOD SW CA-60 through DOD SW CA-61

and

DOD SW CA-66 through DOD SW CA-67

Verify the DoD Root certificates installed (sometimes Antivirus / Security programs won't allow these to be installed)

Open the Trusted Root Certification Authorities (tab) verify you have:

DoD Root CA 2 through DoD Root CA 5

If you see 'There is a problem with this website's security certificate' after installing the DoD InstallRoot file or the Red Certificate error below, follow this guide

PROCEED TO STEP 4 - INSTALL ACTIVCLIENT

The Cross Cert Remover tool is 'supposed' to be an automated way of removing some certificates that cause access problems. From what I've experienced, you still need to follow my guide [slides 16&17] and manually remove certificates the Cross Cert Removal Tool fails to remove. Feel free to use if you want to waste your time.

You can install both the InstallRoot and the Cross Cert Removal tool in one single file which was created by NETCOM (Army Network Enterprise Technology COMmand)

This file is created for Home Users ONLY, you can download it from:

Information:
Certificates
A certificate is a digital document that establishes the identity of a web site or an individual. DoD Web sites use a certificate to identify themselves to their users and to enable secure connections. If you are receiving a warning that a site is untrusted / insecure, you will need to install the 'DoD Certificates.' In order to access sites enabled with a DoD PKI certificate without being prompted to accept the DoD Certificate chain at each log on [like Firefox and Safari do], people using Internet Explorer and Chrome should install the DoD certificates. These are separate from the personal certificates that are on your CAC, but they are related.

Root Certificates

How can you (or your web server) trust the identity of someone over the network? An infrastructure of trusted third parties has been put in place to distribute trust between end-users. This infrastructure verifies that we are who we say we are. If we trust the DoD PKI infrastructure, then the infrastructure can vouch for us to trust others that have certificates issued from the DoD PKI.

The DoD PKI Infrastructure is comprised of two Root Certification Authorities and a number of Intermediate Authorities. If all of the DoD root certificates are not installed on your computer, various applications will not be able to trust all DoD PKI certificates.

More information about this image can be found here: https://iase.disa.mil/pki-pke/interoperability/Pages/index.aspx