Fix InstallRoot Failed Error and Install DoD Certificates Manually

When InstallRoot Fails — And It Will — Here’s the Manual Fix

Installing DoD certificates has gotten complicated with all the InstallRoot versions and edge cases flying around. As someone who has walked hundreds of frustrated military and civilian users through this exact problem — often over the phone while they’re staring at a cryptic error message — I learned everything there is to know about getting these certificates installed when the automated tools refuse to cooperate. Today, I will share it all with you.

InstallRoot is supposed to be the “click and forget” solution. Download it from cyber.mil, run it as admin, done. Except it doesn’t always work that way. I’ve seen it fail silently, throw errors that make no sense, or report success while your CAC still won’t authenticate to anything. When that happens, manual installation is your best friend — and honestly, once you’ve done it a couple times, it’s not that painful.

Why InstallRoot Fails in the First Place

Before we jump into the manual process, let me explain what’s probably going wrong. I’ve seen all of these in the wild:

  • Not running as Administrator — this is the number one cause. If you just double-clicked the installer without right-clicking and selecting “Run as Administrator,” that’s probably your issue right there.
  • Your antivirus is blocking it — some AV products get suspicious of programs that modify certificate stores. Can you blame them? But it’s annoying when it’s a legitimate DoD tool.
  • Corrupted download — sometimes the file doesn’t fully download, especially on spotty military network connections. You end up with a partial file that runs but can’t actually install anything.
  • Certificate store permissions are messed up — this happens more than you’d think, especially on machines that have been through multiple image deployments.
  • Group policies are fighting you — if you’re on a domain-joined machine, your organization’s GPOs might be blocking certificate imports from outside sources.
  • The Windows Trust service is disabled — some hardening scripts disable services that InstallRoot needs to function.

If you’ve tried running InstallRoot multiple times and it’s still not working, stop banging your head against it. The manual method bypasses most of these problems entirely.

Download the Certificate Files Directly (Probably Should Have Led With This)

Instead of wrestling with the InstallRoot executable, you can download the raw certificate files directly from the DoD Cyber Exchange at cyber.mil. Navigate to the PKI CA certificates section and look for these packages:

  • DoD Root CA certificates — comes as a zip file containing the root-level trust anchors
  • DoD Intermediate CA certificates — another zip file with the chain certificates that connect your CAC to the root
  • DoD ECA certificates — a third zip if you need External Certificate Authority support (not everyone does, but grab it if you’re not sure)

Download everything and extract it all to a folder on your desktop. Keep it organized — you’ll be working with files that end in .cer, .crt, or .p7b extensions. The .p7b files are bundles that contain multiple certificates in one file, which saves you time during import.

Installing Root Certificates — The Foundation

Root certs need to go into the “Trusted Root Certification Authorities” store. Here’s exactly how to do it:

1. Open Microsoft Management Console: hit Windows+R, type mmc, and press Enter. You’ll get a mostly empty console window — that’s normal.

2. Add the Certificates snap-in: go to File > Add/Remove Snap-in. Find “Certificates” in the left column and click Add. When it asks, choose “Computer account” and then “Local computer.” Click Finish, then OK. Now you’ve got access to the machine’s certificate stores.

3. Navigate the tree on the left: Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. You’ll see existing root certificates listed on the right side.

4. Right-click the Certificates folder on the left, then go to All Tasks > Import. This launches the import wizard.

5. Browse to where you extracted the DoD Root CA files. If you grabbed the .p7b bundle, it’ll import every root certificate at once — way faster than doing them one by one. If you’ve got individual .cer files, you’ll need to run the import for each one. Tedious, but it works.

6. The wizard should automatically suggest putting them in “Trusted Root Certification Authorities.” Verify that’s what it says and click through to finish. You might get a Windows security prompt about trusting a new root CA — say yes.

Installing Intermediate Certificates — The Chain Links

Every link in the certificate chain matters, which is what makes it endearing to us PKI nerds. Without the intermediates, your system can see the root CA at the top and your CAC certificate at the bottom, but it can’t connect them. Here’s how to install them:

1. In the same MMC console you’ve already got open, navigate to: Certificates (Local Computer) > Intermediate Certification Authorities > Certificates.

2. Same drill — right-click, All Tasks > Import.

3. Import the DoD Intermediate CA certificate bundle or individual files. The .p7b bundles are a lifesaver here because there are a LOT of intermediate certs.

4. Verify they’re landing in the “Intermediate Certification Authorities” store. The wizard should handle this automatically, but double-check because getting this wrong means nothing works.
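The two import procedures above can also be scripted. This is an added example, not part of the original article or of any DoD tooling: it lists every certificate in a .p7b bundle for review before anything is trusted and, only when -Import is given, puts self-issued certificates in the Root store and the rest in the CA (intermediate) store. The $BundlePath parameter and -Import switch are names chosen for this example, and treating "Subject equals Issuer" as a root is a name-based heuristic.

```powershell
# Added example: review a PKCS#7 bundle, then import each certificate into
# the store it belongs in. Parameter names are this example's own.
param(
    [Parameter(Mandatory)] [string]$BundlePath,   # the .p7b you extracted
    [switch]$Import                               # report only unless given
)

# Load every certificate in the bundle without touching any store.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import((Resolve-Path $BundlePath).Path)

$plan = foreach ($c in $certs) {
    # Heuristic: a self-issued certificate (Subject equals Issuer) is a root,
    # anything else is an intermediate.
    $isRoot = $c.Subject -eq $c.Issuer
    [pscustomobject]@{
        Store      = if ($isRoot) { 'Root' } else { 'CA' }
        Subject    = $c.GetNameInfo('SimpleName', $false)
        NotAfter   = $c.NotAfter
        Expired    = $c.NotAfter -lt (Get-Date)
        Thumbprint = $c.Thumbprint
        Cert       = $c
    }
}

# Review this table first. Check the Root rows against a thumbprint list
# obtained independently of the download before trusting anything.
$plan | Sort-Object Store, Subject |
    Format-Table Store, Subject, NotAfter, Expired, Thumbprint -AutoSize

if ($Import) {
    # Expired certificates are reported above but not imported (a choice
    # made by this example).
    foreach ($group in $plan | Where-Object { -not $_.Expired } | Group-Object Store) {
        # 'Root' = Trusted Root Certification Authorities
        # 'CA'   = Intermediate Certification Authorities
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($group.Name, 'LocalMachine')
        $store.Open('ReadWrite')   # access denied unless the window is elevated
        try     { $group.Group | ForEach-Object { $store.Add($_.Cert) } }
        finally { $store.Close() }
        "{0}: added {1} certificate(s)" -f $group.Name, $group.Count
    }
}
```

Run it once without -Import to read the table, then again with -Import from an elevated PowerShell window.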

No Admin Rights? There’s a Workaround

If you don’t have Administrator access on the machine — maybe it’s a shared workstation or you’re on a locked-down laptop — you can install certificates to your Current User store instead:

Open certmgr.msc (not mmc — different tool). This opens the certificate manager for just your user profile. Navigate to Trusted Root Certification Authorities > Certificates and import the root certs. Then go to Intermediate Certification Authorities > Certificates and import those too.

One important caveat: Current User installation only affects your profile. If someone else logs into the same computer, they won’t have these certificates. Each user has to do their own install. It’s not ideal, but it beats not being able to access DoD sites at all.

Verifying Everything Installed Correctly

Don’t just assume the imports worked — verify it. Open Command Prompt and run this:

certutil -store Root | findstr "DoD"

You should see multiple “DoD Root CA” entries scroll by. If you see them, the roots are in place. For intermediates, run:

certutil -store CA | findstr "DoD"

This should spit out a bunch of DoD intermediate authority names. If both commands return results, your certificate chain is complete. If either one comes up empty, go back and re-import the missing set.
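The findstr check only shows that names containing "DoD" exist. As an added example (not from the original article), this read-only PowerShell check also flags certificates that sit in the wrong store, have expired, or fail to chain to a trusted root. The '*DoD*' subject filter mirrors the findstr pattern above, and the output column names are this example's own.

```powershell
# Added example: audit the machine Root and CA stores. Reads only, changes nothing.
$report = foreach ($name in 'Root', 'CA') {
    foreach ($c in Get-ChildItem "Cert:\LocalMachine\$name" | Where-Object Subject -like '*DoD*') {
        # Name-based heuristic: self-issued means root.
        $selfIssued = $c.Subject -eq $c.Issuer

        # Build the chain with revocation checking off, so a blocked CRL
        # download is not mistaken for a missing certificate.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($c)

        $problems = @()
        if ($name -eq 'Root' -and -not $selfIssued) { $problems += 'intermediate in Root store' }
        if ($name -eq 'CA'   -and $selfIssued)      { $problems += 'root in Intermediate store' }
        if ($c.NotAfter -lt (Get-Date))             { $problems += 'expired' }
        if (-not $built) {
            # e.g. PartialChain (issuer missing) or UntrustedRoot
            $problems += $chain.ChainStatus | ForEach-Object { "$($_.Status)" }
        }

        [pscustomobject]@{
            Store    = $name
            Subject  = $c.GetNameInfo('SimpleName', $false)
            NotAfter = $c.NotAfter.ToString('yyyy-MM-dd')
            Problems = ($problems | Select-Object -Unique) -join ', '
        }
    }
}

if (-not $report) { 'No DoD certificates found in LocalMachine\Root or LocalMachine\CA.' }
$report | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

For a Current User install, replace LocalMachine with CurrentUser in the store path.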

Firefox Is Its Own Beast

Here’s something that catches a lot of people: Firefox doesn’t use the Windows certificate store at all. It maintains its own completely separate certificate database. So even after you’ve done all the work above, Firefox will still give you certificate errors unless you import into it separately.

1. Open Firefox and go to Settings > Privacy & Security.

2. Scroll down to the Certificates section and click “View Certificates.”

3. Switch to the “Authorities” tab, then click “Import.”

4. Import each DoD Root CA certificate file. When Firefox asks what you want to trust it for, check “Trust this CA to identify websites.” That’s the one that matters.

5. Good news here — Firefox is smart enough to fetch intermediate certificates on its own during the TLS handshake, so you usually don’t need to import those separately. One less thing to worry about.

If you’re primarily a Chrome or Edge user, they pull from the Windows system store, so the work you did in MMC covers them automatically.

macOS Manual Installation

For the Mac users out there, the process is different but equally doable:

1. Open Keychain Access — you’ll find it in Applications > Utilities, or just search for it with Spotlight.

2. Select the “System” keychain from the left sidebar. This installs certificates for all users on the Mac. You’ll need your admin password.

3. Either drag and drop the certificate files right into the keychain window, or use File > Import Items and browse to them. Both ways work.

4. Here’s the step most guides leave out: double-click each imported root certificate, expand the “Trust” section, and change “When using this certificate” to “Always Trust.” If you skip this, macOS will have the certificates but won’t actually trust them — which defeats the entire purpose.

5. Close the trust dialog and enter your admin password to save the settings. You’ll need to do this for each root certificate individually. Yeah, it’s tedious.

After Installation — The Moment of Truth

Once you’ve finished installing certificates through either method, close every single browser window you have open. I mean all of them. Browsers cache certificate information, and stale cache will make you think the installation failed when it actually worked fine.

Open a fresh browser window and navigate to a DoD PKI-enabled site — milConnect is a good test target. You should get a CAC prompt asking you to select a certificate and enter your PIN, rather than a scary certificate error page.

If you’re still getting errors after a clean manual installation, the problem is probably somewhere else in the chain — your CAC reader might not be recognized, the card itself might have expired certificates, or there could be a site-specific configuration issue. But at least you’ve definitively eliminated certificate store problems from your troubleshooting list, and that’s a huge chunk of the puzzle.

Manual installation takes more time than InstallRoot is supposed to, but it gives you complete visibility and control over exactly which certificates go where. When the automated tool lets you down — and it will eventually — this is the process that gets you back to work.

Mike Thompson

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
