9 Replies
      Latest reply: Jun 27, 2017 2:13 AM by jel888
      perlguy Level 1 (0 points)

        The DoD Root CA 2 is included in "Lists of available trusted root certificates in macOS" https://support.apple.com/en-us/HT202858

        and also in iOS.

         

        When I go to my keychain, it shows "This root certificate is not trusted" for this cert.

         

        Why is this and how can it be fixed?

         

        Thanks!

        • Re: DoD Root CA 2 Not Trusted
          eskimo Apple Staff (6,765 points)

          What do you mean by “my keychain”?  When I open Keychain Utility in a vanilla macOS 10.12, I see the DoD Root CA 2 listed in the System Roots keychain, and flagged as trusted there.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: DoD Root CA 2 Not Trusted
              perlguy Level 1 (0 points)

              On my MacBook Pro and on my iMac (both running macOS - but have been upgraded from previous OS X versions), when I open the Keychain Utility

               

              The "DoD Root CA 2" has a red X and says "This root certificate is not trusted".

               

              I am trying to figure out:

              1. Why it says that it is not trusted?
              2. What do I need to do to get the "trusted" version back?

               

              Thank you

                • Re: DoD Root CA 2 Not Trusted
                  eskimo Apple Staff (6,765 points)

                  > when I open the Keychain Utility
                  >
                  > The "DoD Root CA 2" has a red X and says "This root certificate is not trusted".

                  What shows up in the Keychain column for that item?

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: DoD Root CA 2 Not Trusted
                      perlguy Level 1 (0 points)

                      So, I now have 3 of the DOD Root CA-2 certificates in my keychain.  Here is what they look like...

                       

                      http://perlguy.net/DoDRootCA2_03-09-2019.png

                       

                      http://perlguy.net/DoDRootCA2_09-06-2019.png

                       

                      http://perlguy.net/DoDRootCA2_12-05-2029.png

                       

                      The latest one I downloaded & installed from a DoD site.  So, they are either not signed by a known authority, or they are untrusted.

                       

                      I really appreciate your help and hope that I can get this issue completely resolved.

                       

                      Thank you,

                      Brent

                        • Re: DoD Root CA 2 Not Trusted
                          eskimo Apple Staff (6,765 points)

                          > So, I now have 3 of the DOD Root CA-2 certificates in my keychain.

                          Alas, you didn’t answer my earlier question: what shows up in the Keychain column for these items?

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                            • Re: DoD Root CA 2 Not Trusted
                              perlguy Level 1 (0 points)

                              login

                              login

                              login

                               

                              ?

                                • Re: DoD Root CA 2 Not Trusted
                                  eskimo Apple Staff (6,765 points)

                                  Yeah, something weird is going on here.  On a freshly installed macOS 10.12 machine here in my office the DoD Root CA 2 root certificate is in the System Roots keychain, which is where you’d expect to find built-in root certificates, and it’s marked as trusted.  However, my day-to-day work machine is showing exactly the same state as you’re seeing: DoD Root CA 2 is in the login keychain and is thus untrusted.  I suspect that there’s something broken in how the system roots are handled during an OS upgrade.

                                  You should file a bug about this; please post your bug number, just for the record.

                                  You should be able to work around this by dragging the DoD Root CA 2 to your System (not System Roots) keychain and then marking it as trusted, just like you’d trust any other root certificate.

                                  Share and Enjoy

                                  Quinn “The Eskimo!”
                                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                  let myEmail = "eskimo" + "1" + "@apple.com"
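
The diagnosis above turns on which keychain holds each copy of the certificate. As an added example (not part of the thread, and not Apple's own script), the following does that check from Terminal with the macOS `security` tool and flags copies that do not match the built-in System Roots entry. The sample output, its placeholder hashes and the `/Users/example` path are constructed; off macOS the script runs on that sample.

```shell
#!/bin/sh
# Added example (not from the thread): list every copy of a named certificate,
# the keychain holding it, and whether it matches the built-in System Roots copy.
CERT_NAME="DoD Root CA 2"
SYSTEM_ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

# Constructed sample of `security find-certificate -a -Z` output; hashes are
# placeholders and the user keychain path is hypothetical.
sample_output() {
cat <<'EOF'
SHA-1 hash: AAAA000000000000000000000000000000000001
keychain: "/Users/example/Library/Keychains/login.keychain-db"
version: 256
SHA-1 hash: AAAA000000000000000000000000000000000002
keychain: "/Users/example/Library/Keychains/login.keychain-db"
version: 256
SHA-1 hash: AAAA000000000000000000000000000000000003
keychain: "/Users/example/Library/Keychains/login.keychain-db"
version: 256
SHA-1 hash: AAAA000000000000000000000000000000000001
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
EOF
}

# Reads find-certificate output on stdin; prints "hash<TAB>keychain<TAB>note".
locate_copies() {
  awk -v roots="$SYSTEM_ROOTS" '
    /^SHA-1 hash:/ { sha = $3 }
    /^keychain:/ {
      kc = $0; sub(/^keychain: "/, "", kc); sub(/"$/, "", kc)
      n++; hash[n] = sha; where[n] = kc
      if (kc == roots) inroots[sha] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        if (where[i] == roots) note = "built-in"
        else if (hash[i] in inroots) note = "same-as-built-in"
        else note = "no-built-in-match"
        printf "%s\t%s\t%s\n", hash[i], where[i], note
      }
    }'
}

if command -v security >/dev/null 2>&1; then
  # Default search list (login, System), then System Roots explicitly.
  { security find-certificate -a -c "$CERT_NAME" -Z
    security find-certificate -a -c "$CERT_NAME" -Z "$SYSTEM_ROOTS"; } | locate_copies
else
  sample_output | locate_copies   # not on macOS: run on the constructed sample
fi
```

A copy reported as `no-built-in-match` is a different certificate that happens to carry the same name, so its fingerprint should be compared against the value published by the issuing authority before it is marked trusted.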

                              • Re: DoD Root CA 2 Not Trusted
                                jel888 Level 1 (0 points)

                                Hello,

                                 

                                Did you ever get this resolved?  It's 2017 and I have this issue.  I have one DoD cert that's not trusted and two unverified; what do I do to resolve this?  I have a related question: could this be the reason I can't send an encrypted e-mail to a DoD authority (lock is grayed out in Mail)?  It seems like the certificate isn't associated to the address (contact).