Fix InstallRoot Failed Error and Install DoD Certificates Manually

in Troubleshooting 5 min read

When InstallRoot Won’t Install: The Manual Certificate Fix

InstallRoot is supposed to be the easy button for DoD certificates. Download, run, done. Except when it isn’t. InstallRoot fails silently, throws cryptic errors, or completes but your CAC still doesn’t work on DoD sites.

This guide covers manual certificate installation—the reliable fallback when automated tools fail.

Why InstallRoot Fails

Common InstallRoot failure causes include:

  • Insufficient permissions (not running as Administrator)
  • Antivirus blocking the installer
  • Corrupted download (partial file)
  • Certificate store permissions issues
  • Conflicting group policies
  • Windows Store service disabled

If you’ve tried running InstallRoot multiple times without success, manual installation bypasses most of these issues.

Downloading Certificate Files Directly

Instead of the InstallRoot executable, download the raw certificate files from the DoD Cyber Exchange (cyber.mil). Look for the PKI CA certificates section, where you’ll find:

  • DoD Root CA certificates (zip file)
  • DoD Intermediate CA certificates (zip file)
  • DoD ECA certificates (zip file, if needed)

Download all applicable packages and extract them to a folder on your desktop. You’ll see files with .cer, .crt, or .p7b extensions—these are the certificate files you’ll install manually.

Installing Root Certificates

Root certificates must go into the “Trusted Root Certification Authorities” store:

1. Open Microsoft Management Console: Press Windows+R, type mmc, press Enter.

2. Add the Certificates snap-in: File > Add/Remove Snap-in. Select “Certificates” and click Add. Choose “Computer account” then “Local computer.” Click Finish, then OK.

3. Navigate to: Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

4. Right-click the Certificates folder, select All Tasks > Import.

5. Browse to your extracted DoD Root CA certificate file. For .p7b bundles, all included certificates import at once. For individual .cer files, repeat the import for each file.

6. Ensure the certificates are placed in “Trusted Root Certification Authorities” store (the wizard should suggest this automatically).

Installing Intermediate Certificates

Intermediate certificates go into the “Intermediate Certification Authorities” store:

1. In the same MMC console, navigate to: Certificates (Local Computer) > Intermediate Certification Authorities > Certificates.

2. Right-click, All Tasks > Import.

3. Import the DoD Intermediate CA certificate bundle or individual files.

4. Ensure certificates are placed in “Intermediate Certification Authorities” store.

Installing for Current User (Alternative Method)

If you don’t have Administrator access to install to the Local Computer store, you can install to the Current User store:

Open certmgr.msc (not mmc). This opens the current user certificate manager directly. Navigate to Trusted Root Certification Authorities > Certificates and import root certificates. Navigate to Intermediate Certification Authorities > Certificates and import intermediate certificates.

Current User installation only affects your profile—other users on the same computer won’t have access to these certificates.

Verification Steps

After manual installation, verify certificates are in place:

Open Command Prompt and run:

certutil -viewstore Root | findstr "DoD"

You should see multiple “DoD Root CA” entries. For intermediates:

certutil -viewstore CA | findstr "DoD"

This should return many DoD intermediate authority names.

Firefox Requires Separate Installation

Firefox maintains its own certificate store and ignores Windows certificate stores. For Firefox:

1. Open Firefox Settings > Privacy & Security.

2. Scroll to Certificates section and click “View Certificates.”

3. Under the “Authorities” tab, click “Import.”

4. Import each DoD Root CA certificate. When prompted, check “Trust this CA to identify websites.”

5. Firefox doesn’t require intermediate certificate import—it retrieves them automatically during certificate validation.

macOS Manual Installation

On macOS, use Keychain Access for manual installation:

1. Open Keychain Access (Applications > Utilities).

2. Select the “System” keychain (requires admin password).

3. Drag and drop certificate files into the keychain, or use File > Import Items.

4. Double-click each imported root certificate. Expand “Trust” and set “When using this certificate” to “Always Trust.”

5. Close and authenticate to save trust settings.

Post-Installation Testing

After installing certificates, close all browsers completely. Open a fresh browser window and navigate to a DoD PKI-enabled site. You should now receive a CAC prompt rather than certificate errors.

If you still experience issues, the problem may be elsewhere—CAC reader, card itself, or site-specific configuration. But at least you’ve eliminated certificate chain problems from the troubleshooting list.

Manual installation takes longer than InstallRoot, but gives you complete control over which certificates are installed and where. When automated tools fail, this approach gets you working again.

John Bigley

John Bigley

Author & Expert

John Bigley is an electrical engineer and EV enthusiast who has been driving electric vehicles since 2015. He has installed over 200 home charging stations across the Pacific Northwest and consults on commercial EV infrastructure projects.

18 Articles
View All Posts

You Might Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe for Updates

Get the latest articles delivered to your inbox.