Problem With This Website's Security Certificate?

Some of our .mil website users have encountered problems accessing secure pages using an "https" web address. If your browser indicates a problem with our security certificate, please read the following information to resolve the issue.

When accessing a secure (SSL) web page, your browser attempts to verify the identity of the server by checking the site certificate. A certificate is a digital document that identifies websites or individuals, and is issued by a trusted third party provider called a "certificate authority" (CA). Department of Defense (DoD) policy requires that we use certificates issued by the DoD Certificate Authority for identity verification and encryption, rather than those issued by a commercial certificate authority.

Web browsers are pre-loaded with a default set of root certificate authorities which usually does NOT include the DoD Medium Assurance and Class 3 Root Certificate Authorities among its list of Intermediate and Trusted Root CAs.

This causes a warning to be displayed when you attempt to connect to a secure page on the site. In this case, the browser does not recognize the DoD as the Certificate Authority.

To resolve this problem, you must install the DoD Root Certificates on your browser. Once installed, your web browser will trust the identity of web sites whose secure communications are authenticated by the Department of Defense and allow future access to these sites.

If you are receiving one of the messages below, please follow the steps to install the DoD Root CA Certificates:

  • Firefox: "This connection is Untrusted. You have asked Firefox to connect securely to [site name], but we can't confirm that your connection is secure."
  • Internet Explorer: "There is a problem with this website's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority."
  • Safari: "Safari can't verify the identity of the website. The certificate for this website was signed by an unknown certifying authority. You might be connecting to a website that is pretending to be [site name] which could put your confidential information at risk."
  • Opera: "The certificate for [site name] is signed by the unknown Certificate Authority [CA name]. It is not possible to verify that this is a valid certificate."

Resolving the Issue (The Quick-and-Easy Way):

Most browsers will give you the option to "proceed" to the questionable website and, at the same time, create a security exception that allows subsequent visits to the same site without displaying the warning.

Before you do this, you should view the certificate in your browser and confirm that (1) the "Common Name (CN)" matches the site you're attempting to reach, and (2) that the certificate expiration date hasn't passed.

If those items check out, and you're attempting to access a *army.mil URL, you are safe to proceed.

Resolving the Issue (The More-Permanent Way):

You can manually install the Root Certificates into your browser. While more complicated, this method will resolve the issue for most all sites using DoD-issued certificates.

Here are the instructions for installing the certificates using Internet Explorer browser. If these instructions are beyond your level of expertise or privileges, or you're using a different browser you should call your IT Department for further assistance.

Download DOD Root Certificates

Secure websites (HTTPS) use digital certificates to establish secure connections via Public Key Infrastructure (PKI). In order for a web browser to properly authenticate the identity of a secure website, it must know to communicate with the Certificate Authority (CA) that issues the site its digital certificate. Most web browsers already have commercial CA certificates associated. However, military hosting utilizes its own CA's.

As DCPAS is subject to the rules set by military hosting, you may need to manually install the DoD CA certificates on your personal or non-DoD computer in order to access our secure website. DoD-issued computers generally have these certificates and are up-to-date.

To download the DoD CA certificates:

  1. Please access: http://iase.disa.mil/pki-pke/Pages/tools.aspx
  2. Select the heading for "Trust Store."
  3. Under the heading for "InstallRoot "x.x" NIPR Windows Installer," please select the link for "Non Administrator."
  4. You will be prompted to Open/Run/Save the installation file, "InstallRoot_NonAdmin_"x.x".msi." The need to save is not required, so it is your preference on which of the available options you choose.
  5. Upon opening the InstallRoot_NonAdmin_"x.x".msi file, you will be presented with the InstallRoot Setup Wizard. Simply choose "Next" after reading each step of the Wizard.
  6. When prompted to select the features you wish to install, ensure that *at least* the "Graphical Interface" is checked. Afterwards, click on "next" and then "install."
  7. After the installation of the tool is complete, click "Run InstallRoot."
  8. At this point, you may be prompted to add the certificates to Firefox (if installed on your computer). It is recommended that you select "Yes."
  9. A "Quick Start" screen will appear showing screenshots of the final steps required to complete the installation. Please read the red text within these screenshots and choose "Next" until you're able to select "Finish."
  10. After selecting "Finish," you should be presented with a Microsoft Current User tab and, if you chose to install certificates to Firefox as indicated in step #8, a Firefox tab should also appear for each Firefox profile on your computer. Please look under each of these tabs and make sure that "Install DoD Certificates" has a green checkmark. The other certificates (ECA and JITC) are not required.
  11. Click on the "Install Certificates" button.

Note: If you experience any difficulty installing these certificates on a work-issued computer, please consult your local IT group and ask them to install the administrator version of InstallRoot that's available for download on the same website identified in step #1.

You should now be able to view the DoD CAs that you installed listed under the Trusted Root Certification Authorities tab of your browser (Tools >> Internet Options >> Content >> Certificates)