To use PKI, smart card authentication or DoD CAC (Common Access Cards) with Google Chrome on Linux, you must first install the DoD root certificates. These certificates let the system verify the certificate trust path of the CAC. They also allow your browser to trust DoD websites whose certificates chain to these roots.

This has been tested on Fedora, CentOS and Red Hat.

First, we need to download the DoD root certificates from DISA. Go to:

https://public.cyber.mil/pki-pke/admins/#toggle-id-1

NOTE: As of the time of writing the old website (http://iase.disa.mil/pki-pke/Pages/tools.aspx) is no longer being updated.

Look for the DoD PKI Only link and click it to download the zip file.

When the download is complete, open a terminal, go to the directory containing the zip file and unzip it.

EXAMPLE:

unzip Certificates_PKCS7_v5.0u1_DoD.zip

Now cd (change directory) into the newly created directory.

EXAMPLE:

cd Certificates_PKCS7_v5.0u1_DoD/

Now run the following command to import all of the p7b files into the trust store.

for n in *.p7b; do certutil -d sql:"$HOME"/.pki/nssdb -A -t TC -n "$n" -i "$n"; done

Now all of the DoD root certificates in the DoD root chain are available to your system via the NSS trust store. To check the status of the installed certs, run the following command.

certutil -d sql:$HOME/.pki/nssdb/ -L
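
One way to confirm the import, as an added example that is not part of the original page: the script parses `certutil -L` output and reports any expected nickname that is missing or lacks the trusted-CA flag in the SSL column. The function names and the sample listing are constructed for illustration; because the import loop uses each file name as the nickname, the expected nicknames are the .p7b file names.

```sh
#!/bin/sh
# Added example (not from the original page): audit `certutil -L` output.

# Constructed sample listing; the nicknames are made up for illustration.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example_root.der.p7b                                         CT,,
untrusted.p7b                                                ,,
My Test Cert                                                 u,u,u'

# Read a `certutil -L` listing on stdin; print "nickname<TAB>SSL-flags" per entry.
list_trust() {
    awk '
        # Entry lines end in a trust triple such as "CT,,"; header lines do not.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            sub(/[ \t]+$/, "")              # drop trailing whitespace
            trust = $NF
            sub(/[ \t]+[^ \t]+$/, "")       # drop the trust column, keep the nickname
            split(trust, f, ",")
            printf "%s\t%s\n", $0, f[1]
        }'
}

# Args: expected nicknames. Stdin: `certutil -L` listing.
# Prints every nickname that is absent or lacks "C" (trusted CA for TLS server
# certificates) in the SSL column; returns 1 if any were printed.
check_imported() (
    listing=$(list_trust)
    bad=0
    for nick in "$@"; do
        flags=$(printf '%s\n' "$listing" |
            awk -F'\t' -v n="$nick" '$1 == n { print $2; exit }')
        case $flags in
            *C*) ;;
            *) printf '%s\n' "$nick"; bad=1 ;;
        esac
    done
    exit "$bad"
)

# Real use, from the unzipped bundle directory:
#   certutil -d sql:"$HOME"/.pki/nssdb -L | check_imported *.p7b
# Demo on the constructed listing (prints the two nicknames that fail):
printf '%s\n' "$SAMPLE_LISTING" | check_imported example_root.der.p7b untrusted.p7b missing.p7b || true
```

Any file name this prints after a real import was not stored as a trusted CA and should be looked at before relying on the trust store.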

Conclusion

Once installed, the DoD root certificates will allow you to establish an encrypted connection with DoD sites. It is also necessary to have the DoD certificates installed if you are using the Common Access Card to access any DoD resources. Below you will find additional resources on how to use DoD CAC (Common Access Card) with Google Chrome and Firefox on Linux.

Resources and Link