How to Install DoD Certificates on macOS Sequoia (Step-by-Step)

DoD certificates on macOS have gotten complicated with all the outdated guides flying around. As someone who manages a small fleet of contractor Macs where CAC access is non-negotiable, I learned everything there is to know about this process the hard way. Every major Apple release breaks something — Sequoia broke a few specific things I’ll get into below. What follows is what actually worked on 15.x machines, not what the theory says should work.

Download the Current DoD Root Certificates

The official source is the DISA PKE portal. The stable URL is public.cyber.mil/pki-pke/tools-configuration-files/ — look for the “PKI CA Certificate Bundles” section. Don’t just grab the first thing you see. There are multiple bundles, and grabbing the wrong one is exactly how you waste forty-five minutes importing certificates that don’t cover the sites you actually need.

The bundle you want is labeled something like PKI CA Certificate Bundle (PKCS#7), or the ZIP containing individual PEM/DER files. As of early 2026, the filename usually follows a pattern like certificates_pkcs7_DoD.zip. Download size runs under 5 MB. Save it somewhere deliberate — I use ~/Documents/CAC_Certs so it doesn’t vanish into the Downloads folder graveyard.

Once unzipped, you’ll find files with extensions like .cer, .p7b, or .pem. macOS handles all three. A typical bundle includes:

  • DoD Root CA 2 through DoD Root CA 6 (and newer ones as DISA adds them)
  • DoD Intermediate CA certificates covering email, identity, and software signing
  • JITC (Joint Interoperability Test Command) certificates in some bundles

Read the README file if there is one. Seriously. One time I skipped it and spent an afternoon importing an outdated bundle that had been sitting in my Downloads folder from eight months prior. Don’t make my mistake.

Import Certificates into Keychain

Here’s where Sequoia diverges from older guides. Keychain Access still exists — hasn’t been replaced yet — but certificate trust behavior has gotten noticeably stricter.

System Keychain vs Login Keychain — Why It Matters

The difference is scope, and scope decides whether the certificates are visible where you need them. Import into the wrong keychain and you’ll spend an hour wondering why Safari keeps throwing certificate errors.

The System Keychain is what you want. Certificates there are trusted machine-wide — every user account, every system-level process. The Login Keychain covers only your current session. Other users on the machine won’t benefit, and certain background processes won’t see those certificates at all. That’s what makes the System Keychain the right choice for anyone supporting multiple contractors on shared hardware.

Open Keychain Access — Applications > Utilities, or just Spotlight it. In the left sidebar under “Keychains,” click System. Non-admin users will get password prompts repeatedly throughout this process. Annoying, honestly, but normal.

The Import Process Step by Step

  1. With System selected in the left sidebar, go to File > Import Items.
  2. Navigate to your unzipped certificate folder.
  3. Select all the .cer files — Command-click for multiples, or Command-A if the folder holds only certificate files.
  4. Click Open. Enter your administrator password when prompted.
  5. The certificates will appear in the System keychain. They’ll show a red X or white circle icon — expected at this stage. Trust comes next.

Burned by this once: if you double-click a certificate from Finder instead of using File > Import Items while System is selected, macOS silently defaults to the Login keychain. You’ll see the cert is there and have no idea why nothing works. Always check which keychain column the certificate appears under before moving on.

For .p7b files — the PKCS#7 bundles — same process applies. One .p7b can contain a dozen certificates bundled together, so a single import might add a lot of entries at once.

Trust Settings for Each Certificate

Probably should have opened with this section, honestly. This is where most people get stuck. macOS does not automatically trust imported certificates — not even close. Every root CA will sit in Keychain with a red X labeled “Not Trusted” until you change it manually.

Setting Trust for SSL and X.509

For each DoD Root CA in the System keychain:

  1. Double-click the certificate to open its detail window.
  2. Click the Trust disclosure triangle.
  3. Set When using this certificate to Always Trust — that’s the top dropdown, labeled “Secure Sockets Layer (SSL).”
  4. Set X.509 Basic Policy to Always Trust as well.
  5. Close the window. Enter your password when macOS asks.
  6. The icon should change to a blue circle with a white plus — that’s the trusted indicator.
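
For a fleet of machines, the import steps and the trust steps above can be done in one pass with the `security` command-line tool instead of clicking through Keychain Access. The script below is an added example, not from the article and not from DISA. It assumes the bundle was unzipped to ~/Documents/CAC_Certs (the folder used above), that DISA’s root certificate files carry “Root” in their filename (an assumption used only to choose the trust type; anything else is treated as an intermediate), and that it is run with sudo, because writing to the System keychain’s trust domain requires an administrator.

```bash
#!/bin/bash
# Added example (not from the article): import every DoD CA file in a folder
# into the System keychain and mark it Always Trust, the CLI equivalent of
# File > Import Items plus the Trust settings above. Run with sudo.
set -eu

CERT_DIR="${1:-$HOME/Documents/CAC_Certs}"          # assumed unzip location
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain  # "System" in Keychain Access

# Pick the trust result type for a file. Assumption: DISA's root files have
# "Root" in the filename; everything else is treated as an intermediate and
# gets trustAsRoot, the setting Keychain Access writes when you mark an
# intermediate Always Trust. (A stricter check would compare subject and
# issuer with openssl x509 and treat only self-signed certs as roots.)
trust_result_for() {
    case "$(basename "$1")" in
        *[Rr]oot*) echo trustRoot ;;
        *)         echo trustAsRoot ;;
    esac
}

# Add one certificate to the System keychain and to the admin trust domain
# (-d). With no -p policy given, the trust applies to every policy, which is
# what setting the top dropdown to Always Trust does in the GUI.
import_and_trust() {
    local f="$1" result
    result="$(trust_result_for "$f")"
    security add-trusted-cert -d -r "$result" -k "$SYSTEM_KEYCHAIN" "$f"
    echo "trusted ($result): $(basename "$f")" >&2
}

# Process a folder: individual certs get imported and trusted; PKCS#7
# bundles (.p7b) are imported as a group but carry no trust, so their
# members still need add-trusted-cert one by one. Prints the number of
# individual cert files handled to stdout (progress goes to stderr).
import_dir() {
    local dir="$1" n=0 f
    for f in "$dir"/*.cer "$dir"/*.crt "$dir"/*.pem; do
        [ -e "$f" ] || continue            # glob matched nothing
        import_and_trust "$f"
        n=$((n + 1))
    done
    for f in "$dir"/*.p7b; do
        [ -e "$f" ] || continue
        security import "$f" -k "$SYSTEM_KEYCHAIN"
        echo "imported bundle, trust still unset per member: $(basename "$f")" >&2
    done
    echo "$n"
}

# Only act on macOS; elsewhere the functions are just defined for reuse.
if [ "$(uname)" = Darwin ]; then
    [ -d "$CERT_DIR" ] || { echo "no such folder: $CERT_DIR" >&2; exit 1; }
    echo "processed $(import_dir "$CERT_DIR") certificate files"
fi
```

Run it as `sudo bash import_dod_certs.sh ~/Documents/CAC_Certs`. The `-d` flag is what puts the trust in the admin domain shown under the System keychain; without it the setting lands in the current user’s domain, which is the same trap as double-clicking a certificate from Finder. `security dump-trust-settings -d` afterwards lists what was recorded, and the icons in Keychain Access should flip to the blue plus without any further clicking.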

Apple maintains its own list of trusted root CAs — the macOS Trust Store — and DoD roots simply aren’t on it. They’re government-specific certificates inside a closed PKI ecosystem. Apple has no obligation to include them, and apparently they’ve decided they won’t. So every DoD certificate is a manual trust operation. Every single one.

At minimum, trust the Root CAs — DoD Root CA 3, 4, 5, 6, and any newer ones in the bundle. For intermediate CAs, behavior is slightly different: a trusted root should let certificates it signed chain up correctly. In practice on Sequoia, I’ve found explicitly trusting the intermediates too prevents a whole class of errors where Safari validates the chain differently than expected. Ten extra minutes — worth it.

A Note on the “Use System Defaults” Option

You’ll see a “Use System Defaults” option in the Trust section. Leave it alone for DoD certs. That defers trust to Apple’s trust store — which, as just established, doesn’t include DoD roots. Always Trust is what you need.

Verify Installation

Don’t assume the import worked. Test it directly.

Testing with a DoD Website

Open Safari and hit a DoD site that uses DoD-issued certificates. Good test targets:

  • militaryonesource.mil
  • myaccess.dmdc.osd.mil
  • iam.nga.mil (if you have access)

Page loads without a certificate warning — no red padlock, no “This connection is not private” screen — and you’re good. If warnings persist, click the lock icon and look at the certificate chain details. Safari will show you exactly which certificate is failing trust evaluation. That tells you which specific cert you either missed importing or forgot to set to Always Trust.

Checking Keychain Access Directly

Back in Keychain Access, System keychain selected, search for “DoD” in the top-right search bar. All imported DoD certificates should appear — blue circle with a plus means trusted, red X means not trusted. Go back and set trust again for any showing red.

Filtering by “Certificates” in the Category list at bottom-left cleans up the view considerably when you’re scanning a long list.

Troubleshooting After macOS Updates

Frustrated by the third time a point release silently broke CAC access on a contractor’s MacBook Pro 14-inch — M3 Pro, for what it’s worth — I started keeping a written post-update checklist. Here’s what that experience taught me.

What Updates Actually Break

Point releases — 15.1, 15.2, 15.3 — sometimes reset trust settings for System keychain certificates. Not always. Not predictably. Often enough, though, that the first thing to check after an update breaks DoD site access is whether trust flags on your root certificates got quietly flipped back to “Use System Defaults.”

Major version upgrades are more aggressive. Moving from Sonoma 14.x to Sequoia 15.0, for example — some machines came through with certificates wiped entirely from the System keychain. That’s the scenario where you start the full import process from scratch.

The Re-Verification Checklist

  1. Open Keychain Access, select System keychain, search “DoD.”
  2. Confirm all expected root CA certificates are present. I keep a plain text file listing them by name and expiration date — compare against that.
  3. Check each Root CA’s trust status. Blue plus is good. Red X means double-click and reset to Always Trust.
  4. Test a DoD website in Safari — fresh window, not a cached session.
  5. If Safari passes but another app still fails — Outlook, Chrome, some government web app — check whether that app uses the system keychain or its own certificate store. Chrome on macOS does use the system keychain. Some enterprise apps bundle their own trust evaluation entirely.
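
The Keychain Access search described under “Checking Keychain Access Directly” and steps 1 through 3 of this checklist can be run as one script, which is useful after a point release on a machine you are not sitting in front of. The script below is an added example, not from the article. It assumes the plain-text list of expected certificate names lives at ~/Documents/CAC_Certs/expected_dod_cas.txt (one common name per line) and uses `security verify-cert` against the SSL policy as the command-line stand-in for the Safari test: that evaluation fails both when a root has fallen back to “Use System Defaults” and when the certificate has expired, so one check covers the two most common post-update failures.

```bash
#!/bin/bash
# Added example (not from the article): the post-update re-verification
# checklist as a script. Reads a plain-text list of the certificate common
# names you expect (the file the article suggests keeping) and reports which
# are missing from the System keychain and which no longer pass trust
# evaluation, whether because the trust flag was reset or the cert expired.
set -eu

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain
EXPECTED_LIST="${1:-$HOME/Documents/CAC_Certs/expected_dod_cas.txt}"  # assumed path

# Present in the System keychain? find-certificate exits non-zero if not.
cert_present() {
    security find-certificate -c "$1" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
}

# Does the system trust evaluator accept it for the SSL policy? This fails
# for "Use System Defaults" trust (no anchor) and for an expired cert alike.
# The cert is exported to PEM (-p) because verify-cert takes a file.
cert_trusted() {
    local cn="$1" pem rc=1
    pem="$(mktemp)"
    security find-certificate -c "$cn" -p "$SYSTEM_KEYCHAIN" > "$pem" 2>/dev/null
    if security verify-cert -c "$pem" -p ssl >/dev/null 2>&1; then rc=0; fi
    rm -f "$pem"
    return "$rc"
}

# Walk the expected-name list (blank lines and # comments skipped), print one
# status line per name, and return the number of problems found so a wrapper
# or monitoring job can alert on a non-zero result.
check_expected() {
    local list="$1" problems=0 cn
    while IFS= read -r cn || [ -n "$cn" ]; do
        case "$cn" in ''|'#'*) continue ;; esac
        if ! cert_present "$cn"; then
            echo "MISSING   $cn"
            problems=$((problems + 1))
        elif ! cert_trusted "$cn"; then
            echo "UNTRUSTED $cn (trust reset to system defaults, or expired)"
            problems=$((problems + 1))
        else
            echo "OK        $cn"
        fi
    done < "$list"
    return "$problems"
}

# Only act on macOS; elsewhere the functions are just defined for reuse.
if [ "$(uname)" = Darwin ]; then
    [ -f "$EXPECTED_LIST" ] || { echo "no list file: $EXPECTED_LIST" >&2; exit 1; }
    if check_expected "$EXPECTED_LIST"; then
        echo "all expected DoD CAs present and trusted"
    else
        echo "$? problem(s): re-import or reset trust as described above" >&2
        exit 1
    fi
fi
```

A MISSING line means the upgrade removed the certificate and the full import is needed; an UNTRUSTED line means the cert is still there and only the trust setting (or its validity period) is the problem, which is the quicker fix. Step 4, loading a DoD site in a fresh Safari window, still has to be done by hand; step 5 is about the other apps’ own trust stores, which this script does not see.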

One Edge Case Worth Knowing

On Apple Silicon Macs running Sequoia, MDM (Mobile Device Management) profiles add a wrinkle. MDM-pushed certificates can conflict with manually imported ones if the same certificate ends up installed twice — once via MDM, once manually. The symptom is a certificate appearing twice in Keychain with different trust states. Delete the manually imported duplicate and let the MDM-managed version be authoritative. Not on MDM? This isn’t your problem.

One last thing — and this one catches people off guard — certificate expiration. DoD root CAs cycle out on a multi-year schedule. If you imported certificates in 2023 or 2024 and haven’t refreshed, some may be expired or superseded by now. I go back to the DISA PKE portal every January, download the current bundle, compare it against what’s in my System keychain, and add anything new. That fifteen-minute annual refresh has saved me from at least two incidents that would have taken hours to diagnose cold.

David Chen

Author & Expert

Jason Michael, a U.S. Air Force C-17 pilot, is the editor of Apple Mac in Government. Articles covering military life, benefits, and service-member topics are researched, fact-checked, and reviewed before publication. Read our editorial standards or send a correction at the editorial policy page.