CAC Certificate Update

Understanding CAC Certificate Updates

CAC certificate security

Your CAC contains digital certificates that prove your identity to DoD websites and systems. These certificates are issued by the DoD Public Key Infrastructure (PKI) and have expiration dates, typically aligning with your CAC’s expiration. However, the root and intermediate certificates that validate your CAC also require periodic updates on your computer. This guide explains when and how to update these certificates.

Types of Certificates Involved

Understanding the certificate hierarchy helps you know what needs updating:

  • Your personal certificates (on CAC): Stored on the CAC itself. You cannot update these yourself – they’re renewed when you get a new CAC. They include your identity certificate, email signing certificate, and encryption certificate.
  • Root certificates (on computer): DoD Root CA certificates that anchor the trust chain. These change infrequently but must be installed on your computer.
  • Intermediate certificates (on computer): Bridge the gap between root certificates and your personal certificates. These change more frequently as DoD updates its PKI infrastructure.

When people talk about “updating CAC certificates,” they usually mean updating the root and intermediate certificates on the computer, not the certificates on the CAC itself.

When to Update Certificates

Update your computer’s DoD certificates when:

  • You see certificate errors: “Certificate not trusted” or “Certificate chain incomplete” messages
  • DoD announces PKI changes: The DoD periodically updates its certificate infrastructure
  • After reinstalling Windows: Fresh installations don’t include DoD certificates
  • On new computers: Commercial computers don’t come with DoD certificates
  • Quarterly maintenance: It is good practice to update certificates every few months

If your CAC is working fine, you don’t necessarily need to rush certificate updates. But staying current prevents future issues.

Downloading Current DoD Certificates

The official source for DoD certificates is the DoD Cyber Exchange (public.cyber.mil). However, the most convenient route for most people is:

  1. Visit militarycac.com (trusted community resource)
  2. Navigate to the certificates or InstallRoot section
  3. Download the latest certificate bundle (AllCerts.zip) or InstallRoot utility

For enterprise environments, your IT department may provide certificates through:

  • Software distribution systems (SCCM, Intune)
  • Group Policy automatic certificate deployment
  • Internal software portals

Always verify you’re downloading from legitimate sources – never use certificates from unknown websites. Any root certificate you install becomes trusted for every site and signature that chains to it, so a root from an untrusted source would let that source impersonate DoD sites to your computer.

Using the InstallRoot Utility

InstallRoot is a DoD-provided tool that automatically installs all necessary certificates:

  1. Download InstallRoot from militarycac.com or public.cyber.mil
  2. Extract the downloaded file if it’s a ZIP archive
  3. Right-click InstallRoot.exe and select “Run as administrator”
  4. Click “Install Certificates” when the window opens
  5. Wait for the installation to complete (may take a minute)
  6. Restart your browser(s) after installation

InstallRoot handles both root and intermediate certificates, placing them in the correct Windows certificate stores automatically.

Manual Certificate Installation

If you prefer to install certificates manually or InstallRoot isn’t working:

  1. Download the certificate files (usually .cer or .crt extensions)
  2. Open Certificate Manager: Press Windows + R, type certmgr.msc, press Enter
  3. For root certificates:
    • Navigate to “Trusted Root Certification Authorities” → “Certificates”
    • Right-click → All Tasks → Import
    • Follow the wizard to import root certificate files
  4. For intermediate certificates:
    • Navigate to “Intermediate Certification Authorities” → “Certificates”
    • Right-click → All Tasks → Import
    • Import intermediate certificate files

When importing, you may be asked about certificate trust – select “Place all certificates in the following store” and choose the appropriate store (Trusted Root or Intermediate). Note that certmgr.msc manages the current user’s certificate stores; to install certificates for every user on the computer, open certlm.msc (the Local Computer stores) instead, which requires administrator rights.
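The same manual import, as an added example that is not part of the original article: a PowerShell script that reads every .cer/.crt file in a folder, decides root versus intermediate by whether the certificate is self-issued, and imports each into the matching Local Computer store, skipping ones already installed. The folder path is an assumption; save it as a .ps1 and run it from an elevated prompt.

```powershell
# Added example (not from the article): import a folder of DoD .cer/.crt files
# into the Local Computer stores. Requires an elevated PowerShell prompt.
# $CertFolder is an assumed path to the extracted certificate bundle.
param([string]$CertFolder = 'C:\Temp\AllCerts')

$counts = @{ Root = 0; Intermediate = 0; AlreadyPresent = 0; Ignored = 0 }
$files  = Get-ChildItem -Path $CertFolder -Recurse -File -Include *.cer, *.crt

foreach ($file in $files) {
    # X509Certificate2 reads both DER-encoded (.cer) and PEM-encoded (.crt) files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # DoD PKI subjects carry 'OU=DoD'; leave anything else in the folder alone.
    if ($cert.Subject -notmatch 'OU=DoD') { $counts.Ignored++; continue }

    # A self-issued certificate is a root and belongs in Trusted Root Certification
    # Authorities; anything else is an issuing CA and belongs in Intermediate CAs.
    $isRoot = ($cert.Subject -eq $cert.Issuer)
    $kind   = if ($isRoot) { 'root' } else { 'intermediate' }
    $store  = if ($isRoot) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }

    # The Cert: drive lists installed certificates by thumbprint, so this detects duplicates.
    if (Test-Path (Join-Path $store $cert.Thumbprint)) { $counts.AlreadyPresent++; continue }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation $store | Out-Null
    if ($isRoot) { $counts.Root++ } else { $counts.Intermediate++ }
    "{0,-12} {1}" -f $kind, ($cert.Subject -replace ',.*$')
}

"Imported {0} root and {1} intermediate certificate(s); {2} already present, {3} ignored." -f `
    $counts.Root, $counts.Intermediate, $counts.AlreadyPresent, $counts.Ignored
```

The script does not check where the files came from, so the source verification above still applies before running it.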

Firefox Certificate Updates

Firefox maintains its own certificate store separate from Windows. After updating Windows certificates, you also need to update Firefox:

  1. Open Firefox → Settings → Privacy & Security
  2. Scroll to Certificates and click “View Certificates”
  3. Go to the “Authorities” tab
  4. Click “Import” and select the DoD root certificates
  5. Check “Trust this CA to identify websites”
  6. Repeat for all root and intermediate certificates

Alternatively, set security.enterprise_roots.enabled to true in about:config to have Firefox trust the root certificates already installed in the Windows certificate store.

Verifying Certificate Installation

After installing certificates, verify they’re in place:

  1. Open Certificate Manager (certmgr.msc)
  2. In “Trusted Root Certification Authorities,” search for “DoD”
  3. You should see certificates like:
    • DoD Root CA 2
    • DoD Root CA 3
    • DoD Root CA 4
    • DoD Root CA 5
    • DoD Root CA 6
  4. Check “Intermediate Certification Authorities” for DOD ID and EMAIL CA certificates
  5. Test by visiting a CAC-required DoD site
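A scripted version of this check, as an added example that is not part of the original article: it lists the DoD root and issuing CA certificates found in both the Local Computer and current user stores with their expiration dates, then builds the trust chain for the CAC certificates Windows has copied into the user’s Personal store and maps any chain failure to the error messages and fixes described on this page. The subject and issuer name patterns assume the standard DoD PKI naming (DoD Root CA n, DOD ID CA-nn, DOD EMAIL CA-nn); the script is read-only and needs no administrator rights.

```powershell
# Added example (not from the article): verify DoD certificate installation and
# test the CAC certificate chain against the local stores. Read-only.

function Show-DoDCerts {
    param([string]$Store, [string]$Pattern)   # e.g. -Store 'Root' -Pattern 'CN=DoD Root CA'
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem "Cert:\$loc\$Store" | Where-Object { $_.Subject -match $Pattern } |
            Sort-Object Subject | ForEach-Object {
                $state = if ($_.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
                "{0,-12} {1,-28} expires {2:yyyy-MM-dd} ({3})" -f $loc, ($_.Subject -replace ',.*$'), $_.NotAfter, $state
            }
    }
}

"--- DoD root certificates (Trusted Root Certification Authorities) ---"
Show-DoDCerts -Store 'Root' -Pattern 'CN=DoD Root CA'
"--- DoD issuing CAs (Intermediate Certification Authorities) ---"
Show-DoDCerts -Store 'CA' -Pattern 'CN=DOD (ID|EMAIL) CA'

# The Certificate Propagation service copies the CAC's certificates into CurrentUser\My
# while the card is inserted; those are the leaf certificates whose chain we test.
$cacCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -match 'CN=DOD (ID|EMAIL) CA' }
if (-not $cacCerts) { "No CAC certificates found in CurrentUser\My - is the CAC inserted?" }

foreach ($cert in $cacCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test local stores only, no OCSP/CRL traffic
    $built = $chain.Build($cert)
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Map chain status flags to the error messages and fixes described in the article.
    $hint = switch -Regex ($flags) {
        'UntrustedRoot' { 'install the DoD root certificates'; break }
        'PartialChain'  { 'install the DoD intermediate (ID/EMAIL CA) certificates'; break }
        'NotTimeValid'  { 'a certificate in the chain has expired; check the CAC expiration date'; break }
        default         { if ($built) { 'chain builds correctly' } else { 'other problem, see flags' } }
    }
    "{0}: {1} [{2}]" -f ($cert.Subject -replace ',.*$'), $hint, $flags
}
```

Revocation is deliberately not checked here, so a “Certificate revoked” error on a DoD site can still occur even when this script reports a clean chain.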

Certificate-Related Error Messages

Understanding error messages helps identify what needs updating:

  • “Certificate not trusted”: Likely cause is a missing root certificate. Solution: install the DoD root certificates.
  • “Certificate chain incomplete”: Likely cause is a missing intermediate certificate. Solution: install the DoD intermediate certificates.
  • “Certificate has expired”: The site certificate or your CAC certificate has expired. Solution: check whether your CAC is expired; if the site certificate has expired, report it to the site administrator.
  • “Certificate revoked”: The certificate has been revoked. Solution: you may need a new CAC if it is your personal certificate; otherwise it is a site issue.

Enterprise Certificate Management

On managed computers, certificates are often deployed automatically:

  • Group Policy: Certificates can be pushed through Active Directory Group Policy
  • SCCM/Intune: Configuration managers can deploy certificate packages
  • Windows Update: Some root certificates are delivered through Windows Update

If you’re on a managed system and have certificate issues, contact your IT help desk before manually installing certificates – there may be organizational reasons for the current certificate state.

Certificate Update Schedule

Recommended update frequency:

  • Check quarterly: Review certificates every 3 months
  • After announcements: Update promptly when DoD announces PKI changes
  • When issues arise: Update immediately if you see certificate errors
  • Before travel: Update before deploying or traveling to ensure uninterrupted access

Keeping certificates current prevents the frustration of sudden access problems, especially when you need DoD systems urgently.

John Bigley

About John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.
