CAC Certificate Updates — What They Are, When You Need Them, and How to Do It
Keeping DoD certificates updated has gotten complicated with all the different root CAs, intermediate authorities, and PKI revisions flying around. As someone who has managed certificate deployments across entire military networks — and personally debugged more “certificate not trusted” errors than I care to remember — I learned everything there is to know about what needs updating, when, and why. Today, I will share it all with you.

Here’s something that confuses almost everyone: when someone says “update your CAC certificates,” they almost never mean the certificates on your actual card. The certificates on your CAC are burned in when the card is issued, and you can’t change them yourself. What people actually mean is updating the root and intermediate certificates on your computer — the trust anchors that tell your machine “yes, this CAC is legitimate.” Big difference, and understanding it saves you a lot of confusion.

Probably Should Have Led With This Section, Honestly
There are three layers of certificates involved in CAC authentication, and you need to understand which is which:
- Your personal certificates (on the CAC itself): These live on the chip in your physical card. They include your identity certificate, email signing certificate, and encryption certificate. You cannot update these yourself — they get renewed when you get a new CAC at RAPIDS. If these are expired, no software update is going to fix it.
- Root certificates (installed on your computer): DoD Root CA certificates sit at the top of the trust chain. They change infrequently, but they absolutely must be installed on your machine. Without them, your computer doesn’t trust anything else in the chain.
- Intermediate certificates (also on your computer): These bridge the gap between the root CAs and your personal certificates. DoD updates these more often as they refresh their PKI infrastructure. Missing or outdated intermediates are the number one cause of “certificate chain incomplete” errors.
That’s what makes certificate management endearing to us PKI folks — there are three separate things people call “certificates,” and each one has different update requirements. No wonder people get confused.
When Do You Actually Need to Update?
Don’t worry about updating every week. Here are the situations where it actually matters:
- You’re seeing certificate errors: Messages like “Certificate not trusted” or “Certificate chain incomplete” are the dead giveaway. Something in the chain is missing or outdated on your machine.
- DoD announced PKI changes: These happen periodically. If your organization pushes out a notice about new root CAs, that’s your cue.
- You just reinstalled Windows: A fresh Windows install has zero DoD certificates. You’re starting from scratch.
- New computer: Same deal. Dell doesn’t ship laptops with DoD certificates pre-installed.
- Quarterly maintenance: I update my certificates every three months or so just to stay ahead of any changes. Takes two minutes.
If everything is working fine and you haven’t heard about any PKI changes, you don’t need to rush. But staying current prevents that ugly surprise on a Monday morning when you’re trying to check email and nothing works.
Where to Get the Certificates
The official source is the DoD Cyber Exchange at public.cyber.mil. But honestly, for most users, the easier path is:
- Go to MilitaryCAC.com — it’s a trusted community resource that’s been helping military folks with this for years
- Find the certificates or InstallRoot section
- Download the latest certificate bundle (AllCerts.zip) or the InstallRoot utility
For folks on managed enterprise systems, your IT department might deploy certificates through:
- SCCM or Intune automatic pushes
- Group Policy that deploys certs when you log in
- Internal software portals with pre-packaged installers
One thing I want to stress: always verify you’re downloading from a legitimate source. DoD root certificates are the trust foundation for your entire authentication chain. Getting them from a random download site is a terrible idea from a security perspective.
The Easy Way — InstallRoot
For most people, the InstallRoot utility is the fastest path to current certificates:
- Download InstallRoot from MilitaryCAC.com or public.cyber.mil
- Extract it if it comes as a ZIP file
- Right-click InstallRoot.exe and select “Run as administrator” — this step is non-negotiable
- Click “Install Certificates” when the window opens
- Wait for it to finish — takes maybe a minute, sometimes less
- Close ALL your browser windows and reopen them. Every single one.
InstallRoot handles both root and intermediate certificates and puts them in the correct Windows certificate stores automatically. It’s the tool DISA built for exactly this purpose, and it works well.
The Manual Way — When InstallRoot Won’t Cooperate
Sometimes InstallRoot fails — antivirus blocks it, permissions are wrong, whatever. Here’s how to install manually:
- Download the certificate files (they’ll be .cer or .crt files)
- Open Certificate Manager: Windows + R, type certmgr.msc, hit Enter
- For root certificates:
  - Navigate to “Trusted Root Certification Authorities” > “Certificates”
  - Right-click > All Tasks > Import
  - Follow the wizard and point it to your root certificate files
- For intermediate certificates:
  - Navigate to “Intermediate Certification Authorities” > “Certificates”
  - Right-click > All Tasks > Import
  - Import the intermediate certificate files
When the wizard asks about certificate placement, select “Place all certificates in the following store” and make sure it’s going to the right store — root certs to Trusted Root, intermediates to Intermediate. Getting this wrong means the certificates are installed but in the wrong location, which is almost worse than not having them at all.
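The same import, scripted so the store is chosen from the certificate itself rather than by hand. This is an added example, not code from the article, DISA or MilitaryCAC.com; it assumes an elevated PowerShell session and a folder path ($CertFolder) that you supply, such as the extracted AllCerts.zip contents.

```powershell
# Added example, not part of the original article: import DoD CA files from a folder
# into the correct LocalMachine stores. Needs an elevated session (the article's
# "Run as administrator" step). $CertFolder is a path you supply (assumption), e.g.
# the folder you extracted AllCerts.zip into.
param(
    [Parameter(Mandatory = $true)][string]$CertFolder
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell window; the LocalMachine stores are read-only otherwise.'
}

$files = Get-ChildItem -Path $CertFolder -File | Where-Object { $_.Extension -in '.cer', '.crt' }
foreach ($file in $files) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # Route on the certificate's own contents, not the file name: a self-signed CA
    # (Issuer equals Subject) belongs in Trusted Root, every other CA in Intermediate.
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }

    # Heuristic taken from the article's verification step: only install entries whose
    # subject contains "DoD" (-match is case-insensitive, so "DOD ID CA" also passes).
    if ($cert.Subject -notmatch 'DoD') {
        Write-Warning "Skipping non-DoD certificate $($file.Name): $($cert.Subject)"
        continue
    }

    # Idempotent: the Cert: drive addresses each entry by its thumbprint.
    if (Test-Path -Path "$store\$($cert.Thumbprint)") {
        Write-Host "Already present  $($cert.Subject) -> $store"
        continue
    }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation $store | Out-Null
    # Print the thumbprint so it can be compared with the value published by the source you downloaded from.
    Write-Host "Imported         $($cert.Subject) [$($cert.Thumbprint)] -> $store"
}
```

Because the store is decided by whether the certificate is self-signed, the “root cert in the intermediate store” mistake the wizard makes easy cannot happen here.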
Firefox Is a Special Snowflake
I say this with love, but Firefox does its own thing with certificates. It maintains a completely separate certificate store from Windows, so updating through InstallRoot or certmgr.msc doesn’t touch Firefox at all. You need to update it separately:
- Open Firefox > Settings > Privacy & Security
- Scroll down to Certificates and click “View Certificates”
- Go to the “Authorities” tab
- Click “Import” and select each DoD root certificate file
- Check “Trust this CA to identify websites” when prompted
- Repeat for all root and intermediate certs
Pro tip: there’s actually a setting in Firefox that tells it to use the Windows certificate store. Type about:config in the address bar, search for security.enterprise_roots.enabled, and set it to true. This makes Firefox pull trust from the Windows store, which means you only have to update certificates in one place. I wish more people knew about this setting.
Making Sure It Worked
After installing certificates, verify they’re actually there:
- Open Certificate Manager (certmgr.msc)
- Under “Trusted Root Certification Authorities,” look for entries containing “DoD.” You should see:
- DoD Root CA 2
- DoD Root CA 3
- DoD Root CA 4
- DoD Root CA 5
- DoD Root CA 6
- Check “Intermediate Certification Authorities” for DOD ID CA and DOD EMAIL CA entries
- The real test: navigate to a CAC-required DoD site. If you get a certificate prompt and can log in, you’re good.
Decoding Those Error Messages
Different error messages point to different problems. Here’s my cheat sheet:
| Error Message | What It Actually Means | What to Do |
|---|---|---|
| “Certificate not trusted” | Missing root certificate on your computer | Run InstallRoot or manually import root CAs |
| “Certificate chain incomplete” | Missing intermediate certificate | Install the intermediate CA certificates |
| “Certificate has expired” | Either the site’s cert or your CAC cert is past its expiration date | Check your CAC expiration date; if it’s the site, report it to the admin |
| “Certificate revoked” | The certificate was deliberately invalidated | If it’s your personal cert, you may need a new CAC. If it’s a site cert, that’s a server-side issue. |
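A scripted version of the verification step above that also maps chain failures onto the rows of this table. This is an added example, not the article's own procedure; it assumes Windows has already propagated the card's certificates into the user's Personal store (which it does once the CAC is inserted and read), and the flag-to-meaning table inside it is my own mapping, not a DoD reference.

```powershell
# Added example, not part of the original article. Lists the DoD entries in the Root and
# Intermediate stores, then builds a trust chain for each CAC certificate found in the
# user's Personal store (assumption: the card has been inserted and its certificates
# propagated) and translates the chain status into the meanings from the error table.

Write-Host 'DoD root CAs in Trusted Root Certification Authorities:'
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match 'DoD Root CA' |
    ForEach-Object { "  $($_.Subject)  expires $($_.NotAfter.ToShortDateString())" }

Write-Host "`nDoD entries in Intermediate Certification Authorities:"
Get-ChildItem Cert:\LocalMachine\CA | Where-Object Subject -match 'DoD' |
    ForEach-Object { "  $($_.Subject)  expires $($_.NotAfter.ToShortDateString())" }

# X509ChainStatusFlags -> the article's error categories (constructed mapping).
$meaning = @{
    UntrustedRoot           = 'Root CA missing from Trusted Root: "Certificate not trusted"'
    PartialChain            = 'Intermediate CA missing: "Certificate chain incomplete"'
    NotTimeValid            = 'A certificate in the chain is expired (check the CAC expiration date)'
    Revoked                 = 'A certificate in the chain has been revoked'
    RevocationStatusUnknown = 'Could not reach the CRL/OCSP service to check revocation'
}

$leaves = Get-ChildItem Cert:\CurrentUser\My | Where-Object Issuer -match 'DoD'
if (-not $leaves) { Write-Warning 'No DoD-issued certificates in the Personal store; is the CAC inserted?' }

foreach ($leaf in $leaves) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking so a revoked CAC certificate is reported, not silently accepted.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($leaf)
    Write-Host "`n$($leaf.Subject)  (issued by $($leaf.Issuer))"
    if ($built) {
        Write-Host "  Chain OK: $($chain.ChainElements.Count) certificates from leaf to root"
    } else {
        foreach ($status in $chain.ChainStatus) {
            $flag = $status.Status.ToString()
            $why  = if ($meaning.ContainsKey($flag)) { $meaning[$flag] } else { $status.StatusInformation.Trim() }
            Write-Host "  $flag -> $why"
        }
    }
    $chain.Reset()
}
```

Run it without elevation; reading the stores and building a chain needs no administrator rights, and a PartialChain or UntrustedRoot result points you straight at the store that still needs an import.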
Enterprise Environments — When IT Handles It
On managed government computers, certificates are often deployed automatically and you don’t have to do anything:
- Group Policy: Active Directory can push certificates to every machine on the domain during login
- SCCM/Intune: Configuration management tools can deploy certificate packages as part of compliance baselines
- Windows Update: Some root certificates actually come through Windows Update, believe it or not
If you’re on a managed system and having certificate problems, call your IT help desk before you start manually installing things. There may be organizational reasons for the current certificate configuration, and your manual install could conflict with what Group Policy is trying to do.
My Recommended Update Schedule
- Every 3 months: Quick check — run InstallRoot and let it update anything that’s changed
- After official announcements: When DoD or DISA announces PKI updates, do it that week
- Immediately when you see errors: Don’t wait. Certificate errors don’t fix themselves.
- Before travel or TDY: Update before you deploy or travel. Finding out your certificates are stale when you’re 1,000 miles from your IT support is a bad time.
Keeping certificates current takes about two minutes of effort every few months. That’s a tiny investment against the alternative of losing access to DoD systems when you need them most. Just add it to your quarterly maintenance routine and you’ll never be caught off guard.
About John Bigley
John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.