Problem With This Website's Security Certificate?

Some of our .mil website users have encountered problems accessing secure pages using an "https" web address. If your browser indicates a problem with our security certificate, please read the following information to resolve the issue.

When accessing a secure (SSL) web page, your browser attempts to verify the identity of the server by checking the site certificate. A certificate is a digital document that identifies websites or individuals, and is issued by a trusted third party provider called a "certificate authority" (CA). Department of Defense (DoD) policy requires that we use certificates issued by the DoD Certificate Authority for identity verification and encryption, rather than those issued by a commercial certificate authority.

Web browsers are pre-loaded with a default set of root certificate authorities which usually does NOT include the DoD Medium Assurance and Class 3 Root Certificate Authorities among its list of Intermediate and Trusted Root CAs.

This causes a warning to be displayed when you attempt to connect to a secure page on the site. In this case, the browser does not recognize the DoD as the Certificate Authority.

To resolve this problem, you must install the DoD Root Certificates on your browser. Once installed, your web browser will trust the identity of web sites whose secure communications are authenticated by the Department of Defense and allow future access to these sites.

If you are receiving one of the messages below, please follow the steps to install the DoD Root CA Certificates:

• Firefox: "This connection is Untrusted. You have asked Firefox to connect securely to [site name], but we can't confirm that your connection is secure."
• Internet Explorer: "There is a problem with this website's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority."
• Safari: "Safari can't verify the identity of the website. The certificate for this website was signed by an unknown certifying authority. You might be connecting to a website that is pretending to be [site name] which could put your confidential information at risk."
• Opera: "The certificate for [site name] is signed by the unknown Certificate Authority [CA name]. It is not possible to verify that this is a valid certificate."

Resolving the Issue (The Quick-and-Easy Way):

Most browsers will give you the option to "proceed" to the questionable website and, at the same time, create a security exception that allows subsequent visits to the same site without displaying the warning.

Before you do this, you should view the certificate in your browser and confirm that (1) the "Common Name (CN)" matches the site you're attempting to reach, and (2) that the certificate expiration date hasn't passed.

If those items check out, and you're attempting to access a *army.mil URL, you are safe to proceed.

Resolving the Issue (The More-Permanent Way):

You can manually install the Root Certificates into your browser. While more complicated, this method will resolve the issue for most all sites using DoD-issued certificates.

Here are the instructions for installing the certificates using Internet Explorer browser. If these instructions are beyond your level of expertise or privileges, or you're using a different browser you should call you IT Department for further assistance.

1. Open the URL: http://dodpki.c3pki.chamb.disa.mil/rootca.html
   
   NOTE: You will need to repeat the following steps for all of the main options to get the trust root for each of the paths and any intermediates.
2. Click "Download Root CA 2 Certificate" and when the file dialog box appears, click 'Open' button.
3. Expand the folders in the left-side pane and click on the Certificates folder to view the contents. Double-click on the first certificate you wish to import to start installation.
4. When the first dialog box appears, click 'Install Certificate' button.
5. This begins the Certificate Import Wizard; click 'Next >' button to proceed with the certificate installation.
6. Select the second radio option labeled "Place all certificates in the following store," then click 'Browse' button to choose a location.
7. Browse to the "Trusted Root Certificate Authority," then click 'OK' button to proceed.
8. Click 'Next >' button to continue with the import.
9. A dialog box will indicate that you have successfully completed the Certificate Import wizard; click 'Finish' button to complete the import process.
10. When you install the root certificate, you will be prompted by a Security Warning dialog to confirm the import; this will only occur for any subsequent intermediate imports of CA certificates; click 'Yes' to install the certificate.
11. When the success dialog is displayed, click 'OK' button.
12. Repeat the above steps for the remaining certificates.

You should now be able to view the DoD CAs that you installed listed under the Trusted Root Certification Authorities tab of your browser (Tools >> Internet Options >> Content >> Certificates)