Cross-Certificate Chaining Issue

These instructions walk through adjusting the trust settings on the Interoperability Root CA (IRCA) > DoD Root CA 2 and the US DoD CCEB IRCA 1 > DoD Root CA 2 certificates to prevent cross-certificate chaining issues. These issues can make it appear that your certificates are issued by roots other than the DoD Root CA 2 and can prevent access to DoD websites. Before beginning, ensure that you have received the latest OS X updates.

Installing the DoD Root CA 2 Certificate

1. 1. Navigate in Finder to Go > Utilities and launch Keychain Access.app.
   2. In the Keychain Access window, select the Login keychain on the left hand side.
   3. Download and unzip the PKCS7 certificate bundle for DoD.
   4. From Keychain Access.app:

a) Select File > Import Items.

b) Navigate to the unzipped PKCS7 certificates folder.

c) Select DoD_PKE_CA_chain.pem and select Open. Enter your password if prompted.

Removing the Cross Certificates

Because both cross certificates and the DoD Root CA 2 certificate have the same Subject Key Identifier, the cross certificates will need to be removed from the login keychain.

1. Navigate in Finder to Go > Utilities and launch Keychain Access.app.
2. In the Keychain Access window, select Login on the left hand side.
3. Scroll through the list of certificates to find each DoD Root CA 2 certificate with the blue certificate icon pictured below. (If these certificates are not present in the login keychain skip to the next section.)
   
4. Right-click on each certificate in Keychain Access and select Get Info.
5. Verify that the issuer common name field lists either DoD Interoperability Root CA 1 (as shown on the image below) or US DoD CCEB Interoperability Root CA 1.
   
6. Delete each certificate by right-clicking on it in Keychain Access and selecting delete (enter your password if prompted).

Marking the Cross Certificates as Untrusted

Now each cross certificate needs to be loaded back into the login keychain and marked as untrusted.

1. Navigate in Finder to Go > Utilities and launch Keychain Access.app.
2. In the Keychain Access window, select Login on the left hand side.
3. Download and extract this zip file with both cross certificates to your desktop.
4. Double-click on each certificate on your desktop, select Login, and click OK (enter your password if prompted).
5. Scroll through the list of certificates for the DoD Root CA 2 certificates with the blue icons as pictured below.
6. Right-click on each certificate in Keychain Access and select Get Info.
7. Click the arrow next to Trust to expand the menu.
8. 8. Next to “When using this certificate” select Never Trust from the drop-down menu.
   

Ensuring your CAC Certificates are Trusted

1. Navigate in Finder to Go > Utilities and launch Keychain Access.app.
2. In the Keychain Access window, select your CAC on the left hand side.
3. Click on one of the certificates on your CAC and verify that it has a green check mark indicating that it is valid (see image below).
   

​