
The NPS video portal system, and many other enterprise IT systems in use at NPS, use SSL certificates issued by the DoD. If your browser doesn't trust them, you may run into issues. Reinstalling the certificates is always a good troubleshooting step as well.

OPTION 1 - Automatically Trust All DOD Certificates (Recommended for Windows)

The InstallRoot application is the simplest and most straightforward way to install all DOD certificates in your Windows operating system, and it supports Internet Explorer, Chrome, and Firefox. The links below let you download the tool from the DISA.MIL website (we don't host the files here so that you can get the latest version, as it's frequently updated).

Download InstallRoot 4 for Windows

  • Click the button above to go to the DISA tools webpage in a new window or tab.
  • Click on the Trust Store menu item from the PKI and PKE tools page.
  • Under the heading "InstallRoot 4.1: NIPR Windows Installer", click the links to download the latest 32-bit and 64-bit versions of the tool.
  • When downloaded, right-click the file and select "Install as Administrator".
  • Restart your browsers for the changes to take effect (all windows!).
  • InstallRoot 4.1: User Guide

OPTION 2 - Manually Install the DOD Root Certificates (All Systems / Browsers)

You can manually download the root certificate and any intermediate certificates needed when using SSL-based websites or services at NPS.

The CA-2 root is always required, and you'll also need to install the intermediate certificate for each application you intend to use. For example, for the NPS streaming video, your browser needs to trust CA-2 as well as CA-21, CA-27, and CA-28. By installing all the certificates, your web browser will trust all DOD sites that use SSL, not just those currently in use here at NPS.

Firefox users - Firefox uses its own set of trusted certificates, separate from the operating system's. This is the same on Windows and Mac. Please keep that in mind when you are installing them manually. Click here for help with installing the certificates in Firefox.




Root certificate for all intermediates - required for all uses.




Not currently used by NPS


Not currently used by NPS


Not currently used by NPS


Not currently used by NPS


Not currently used by NPS


NPS Extranet, Faculty Website, NPS Survey, NPS Webmail, NPS AD/LDAP, NPS Streaming Video




Not currently used by NPS


Not currently used by NPS

DOD CA-31 - Not currently used by NPS
DOD CA-32 - Not currently used by NPS



Download All

All certificates listed above in one archive
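
A check worth running on the Option 2 downloads before importing them, as an added example that is not part of the original page or of any DISA tool: it compares the root's SHA-256 fingerprint with a value you obtained separately from the issuing authority and confirms that each intermediate verifies against that root. The script name, function names and file arguments are assumptions, and it requires the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example: check downloaded CA certificates before importing them.
# File names are the reader's own downloads (assumed PEM or DER).

# Emit the certificate as PEM whether the download was PEM or DER (.cer).
to_pem() {
  openssl x509 -in "$1" -outform PEM 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null
}

# Print the SHA-256 fingerprint as 64 lowercase hex digits.
cert_fingerprint() {
  to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
    sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Succeed only if the file's fingerprint equals the expected value
# (colons, spaces and letter case in the expected value are ignored).
fingerprint_matches() {
  local want
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  [ -n "$want" ] && [ "$(cert_fingerprint "$1")" = "$want" ]
}

# Succeed only if the intermediate ($2) verifies against the root ($1).
# SSL_CERT_DIR points at an empty directory so that OpenSSL's default
# trust directory stays out of the decision.
chains_to_root() {
  local tmp rc
  tmp=$(mktemp -d) || return 2
  mkdir "$tmp/empty"
  to_pem "$1" > "$tmp/root.pem" && to_pem "$2" > "$tmp/cert.pem" &&
    SSL_CERT_DIR="$tmp/empty" openssl verify -CAfile "$tmp/root.pem" \
      "$tmp/cert.pem" >/dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage (hypothetical script name): ./check-certs.sh ROOT EXPECTED_SHA256 INTERMEDIATE...
if [ "$#" -ge 3 ]; then
  root=$1; expected=$2; shift 2
  fingerprint_matches "$root" "$expected" ||
    { echo "root fingerprint mismatch: do not import" >&2; exit 1; }
  for cert in "$@"; do
    chains_to_root "$root" "$cert" && echo "ok: $cert" ||
      echo "does not chain to root: $cert" >&2
  done
fi
```

A certificate that has expired also fails the chain check, so a failure is a reason to look at the output of `openssl x509 -noout -subject -issuer -enddate` for that file before importing it.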


  1. Mac users need to do Option 2. Once they are downloaded, they just need to double-click to install into the Mac Keychain.

  2. As of 5/3/2013, is using the intermediate CA-28 (was 27).

  3. As of 6/6/2013 we've switched to using a commercial Verisign-issued SSL certificate for   This certificate should help alleviate some of the issues our viewers were having when viewing content from within SSL-enabled sites (like this one).

  4. Got a new CAC card today, and the certificates on the card were issued by DOD CA-32. 

  5. Got a new CAC card last week, and the certificates are signed by DOD CA-31 and DOD EMAIL CA-31. Importing the Root Certs from above required me to call this command on a Terminal on the Mac (importing into Keychain Access resulted in Error 100013):

    sudo security import </Path/To/Certificate.pem> -k ~/Library/Keychains/login.keychain
    (or for all users):
    sudo security import </Path/To/Certificate.pem> -k /Library/Keychains/System.keychain
    1. On my mac (ITACS image) the CACertificates are stored at 


      So, e.g.

      sudo security import ./CA32.cer -k /System/Library/Keychains/login.keychain
  6. Would it be possible for someone to update this wiki page? ( is now on InstallRoot 5.0 for example). It would be great for us campus users if there was just one main wiki page that was kept updated, and other pages could just point to it.

    Could this one main page include helpful things like

    Could this page be moved out from under the NPS Video Streaming Support space, and placed at a higher level in the TAC space? 

    Could the section on "Other Software" on the Intranet Software Download page also just point to this updated wiki page? This wiki page too? 

    Thanks for considering.

  7. I've been doing VPN for home virtually every day for the last several months, then all of a sudden today I get:

    The certificate on the secure gateway is invalid. A VPN connection will not be established.

    After submitting my password. 

    Can you help?