DoD Root CA 2 Not Trusted

The DoD Root CA 2 is included in "Lists of available trusted root certificates in macOS" https://support.apple.com/en-us/HT202858 and also in iOS.


When I go to my keychain, it shows "This root certificate is not trusted" for this cert.


Why is this and how can it be fixed?


Thanks!

Replies

What do you mean by “my keychain”? When I open Keychain Utility in a vanilla macOS 10.12, I see the DoD Root CA 2 listed in the System Roots keychain, and flagged as trusted there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

On my MacBook Pro and on my iMac (both running macOS, but upgraded from previous OS X versions), when I open the Keychain Utility, the "DoD Root CA 2" has a red X and says "This root certificate is not trusted".


I am trying to figure out:

  1. Why it says that it is not trusted?
  2. What do I need to do to get the "trusted" version back?


Thank you

when I open the Keychain Utility

The "DoD Root CA 2" has a red X and says "This root certificate is not trusted".

What shows up in the Keychain column for that item?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So, I now have 3 of the DoD Root CA 2 certificates in my keychain. Here is what they look like...


http://perlguy.net/DoDRootCA2_03-09-2019.png


http://perlguy.net/DoDRootCA2_09-06-2019.png


http://perlguy.net/DoDRootCA2_12-05-2029.png


The latest one I downloaded & installed from a DoD site. So, they are either not signed by a known authority, or they are untrusted.


I really appreciate your help and hope that I can get this issue completely resolved.


Thank you,

Brent

So, I now have 3 of the DoD Root CA 2 certificates in my keychain.

Alas, you didn’t answer my earlier question: what shows up in the Keychain column for these items?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

login

login

login


?

Yeah, something weird is going on here. On a freshly installed macOS 10.12 machine here in my office the DoD Root CA 2 root certificate is in the System Roots keychain, which is where you’d expect to find built-in root certificates, and it’s marked as trusted. However, my day-to-day work machine is showing exactly the same state as you’re seeing: DoD Root CA 2 is in the login keychain and is thus untrusted. I suspect that there’s something broken in how the system roots are handled during an OS upgrade.

You should file a bug about this; please post your bug number, just for the record.

You should be able to work around this by dragging the DoD Root CA 2 to your System (not System Roots) keychain and then marking it as trusted, just like you’d trust any other root certificate.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
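A command-line way to answer the "which keychain is it in?" question and to apply the System-keychain workaround described above; this is an added example, not code from the thread or from Apple, and it assumes the root was exported to the hypothetical file ./DoD_Root_CA_2.cer.

```shell
#!/bin/sh
# Added example, not from the thread. Uses the macOS `security` CLI to show
# which keychain each copy of "DoD Root CA 2" is stored in, and the CLI form
# of the workaround (copy to System keychain, mark trusted).
# Assumed file name: ./DoD_Root_CA_2.cer is the exported certificate.

CERT_NAME="DoD Root CA 2"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Extract the keychain path from each match in the output of
# `security find-certificate -a -c NAME`. Reads stdin so the parser can
# also be exercised with captured output on a non-macOS machine.
keychains_from_find_output() {
    sed -n 's/^keychain: "\(.*\)"[[:space:]]*$/\1/p'
}

# Map a keychain path to what it means for trust, per the thread:
# built-in roots are trusted, a root sitting in the login keychain is not.
classify_keychain() {
    case "$1" in
        */SystemRootCertificates.keychain) echo "system-roots";;
        */System.keychain)                 echo "system";;
        */login.keychain*)                 echo "login";;
        *)                                 echo "other";;
    esac
}

# Print one line per copy: classification and path. Requires macOS.
report_copies() {
    security find-certificate -a -c "$CERT_NAME" 2>/dev/null \
        | keychains_from_find_output \
        | while read -r kc; do
              printf '%s\t%s\n' "$(classify_keychain "$kc")" "$kc"
          done
}

# CLI equivalent of "drag to the System keychain and mark it trusted":
# add the exported root to the admin trust store as a trusted root, then
# verify that the certificate now evaluates against a trusted anchor.
apply_workaround() {
    sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" ./DoD_Root_CA_2.cer
    security verify-cert -c ./DoD_Root_CA_2.cer
}

# report_copies      # inspect first
# apply_workaround   # then, if the only copies are in "login", fix it
```

Run report_copies first; if every copy is classified as "login", that matches the upgraded-machine state in the thread and apply_workaround puts a trusted copy where the system expects it.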

Bug #29773794

Hello,


Did you ever get this resolved? It's 2017 and I have this issue. I have one DoD cert that's not trusted and two unverified; what do I do to resolve this? I have a related question: could this be the reason I can't send an encrypted e-mail to a DoD authority (the lock is grayed out in Mail)? It seems like the certificate isn't associated to the address (contact).

In Big Sur, click on the certificate, then expand the section "Trust" and change the first option, "When using this certificate" (All Choices), to "Always Trust".