Fix Common CAC Certificate Browser Errors

CAC certificate errors are frustrating because the error messages rarely tell you what’s actually wrong. “Certificate not trusted,” “invalid certificate,” and “no valid certificates found” all look similar but have different causes and solutions. Here’s how to diagnose and fix the most common certificate errors.

Understanding CAC Certificate Errors

Your CAC contains multiple digital certificates:

• ID Certificate: Used for authentication (logging into websites)
• Email Certificate: Used for signing and encrypting email
• Encryption Certificate: Used for decrypting received email

Each certificate has a chain of trust leading back to DoD Root Certificate Authorities. When any link in this chain is broken, missing, or expired, you get a certificate error.

Error: “Certificate Not Trusted”

What It Means

Your browser doesn’t recognize the certificate authority that issued your CAC certificates (or the website’s certificate).

Fix

1. Download InstallRoot from MilitaryCAC.com
2. Run as Administrator
3. Click “Install Certificates”
4. Restart your browser

This installs all current DoD root and intermediate certificates into your Windows certificate store.

Error: “No Valid Certificates Found”

What It Means

The browser can’t see any certificates from your CAC, or the certificates it sees don’t match what the website is requesting.

Fix

1. Check CAC insertion: Remove and reinsert your CAC completely
2. Verify reader: LED should be lit; check Device Manager for errors
3. Check middleware: ActivClient should be running (system tray icon)
4. Restart Smart Card service: services.msc → Smart Card → Restart
5. Verify certificates: Open certmgr.msc → Personal → Certificates. Your CAC certs should appear with your name.

Error: “Certificate Has Expired”

What It Means

Either your CAC certificates or the website’s certificate has passed its expiration date.

Fix

Check your CAC expiration:

1. Look at the expiration date printed on your CAC
2. Open certmgr.msc → Personal → Certificates
3. Check the expiration date of your DoD certificates

If your certificates are expired, you need a new CAC from your RAPIDS/ID card office.

Check your system time:

If your computer’s date/time is wrong, valid certificates may appear expired:

1. Right-click the clock in the taskbar
2. Select “Adjust date/time”
3. Enable “Set time automatically”
4. Click “Sync now”

Error: “Certificate Chain Incomplete”

What It Means

Intermediate certificates are missing between your CAC and the root certificate authority.

Fix

1. Run InstallRoot again—it includes intermediate certificates
2. If the error is for a website (not your CAC), the site’s administrator needs to fix their certificate chain
3. Check certmgr.msc → Intermediate Certification Authorities for DoD CA certificates

Error: “Certificate Revoked”

What It Means

Your certificate has been explicitly invalidated, usually because:

• You reported your CAC lost or stolen
• Your CAC was administratively revoked
• There was a security incident involving your credentials

Fix

Contact your security office or RAPIDS/ID card office. A revoked certificate cannot be un-revoked—you’ll need a new CAC issued.

Error: “SSL_ERROR_HANDSHAKE_FAILURE”

What It Means

The secure connection couldn’t be established. This is often a timing or communication error rather than a certificate problem.

Fix

1. Refresh the page and try again
2. Ensure your CAC is fully inserted
3. Try a different browser
4. Check your internet connection stability
5. Clear browser cache and SSL state

Error: “NET::ERR_CERT_AUTHORITY_INVALID” (Chrome)

What It Means

Chrome specifically doesn’t trust the certificate’s issuer.

Fix

1. Run InstallRoot to install DoD root certificates
2. Clear Chrome’s browsing data (Ctrl+Shift+Delete)
3. Restart Chrome with your CAC inserted
4. Check that certificates appear in chrome://settings/security → Manage certificates

Error: “SEC_ERROR_UNKNOWN_ISSUER” (Firefox)

What It Means

Firefox’s certificate store (separate from Windows) doesn’t contain the necessary root certificates.

Fix

1. Open Firefox → about:preferences#privacy → View Certificates
2. Import DoD root certificates to the Authorities tab
3. When importing, check “Trust this CA to identify websites”
4. Also configure Firefox’s security device for your CAC middleware

Browser-Specific Certificate Stores

Different browsers handle certificates differently:

General Troubleshooting Steps

For any certificate error, try these steps in order:

1. Restart browser with CAC inserted
2. Run InstallRoot as Administrator
3. Clear browser cache and SSL state
4. Restart Smart Card service
5. Verify certificates in certmgr.msc
6. Try a different browser
7. Reboot computer

If errors persist after all these steps, the issue may be server-side or require IT support.

When to Contact IT Support

Escalate to your help desk if:

• Multiple users are experiencing the same error
• The error occurs on government computers where you can’t install software
• Your CAC was recently issued or replaced
• The error mentions a specific website’s certificate (server-side issue)
• You’ve tried all troubleshooting steps without success

Document the exact error message and what you’ve tried—this helps IT resolve the issue faster.

Last updated: December 2025

About Jack Ashford

Jack Ashford is a DoD cybersecurity specialist with over 12 years supporting military IT infrastructure. He holds Security+ and CAC certifications and has worked as systems administrator for multiple DoD agencies. Jack specializes in PKI certificate management, CAC troubleshooting, and secure authentication systems, helping military personnel and contractors resolve access issues quickly.