To ensure that users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CA 2 or ECA Root CA 2, administrators should run the newly updated FBCA cross-certificate removal tool.

The tool will install the cross certificates into the Untrusted Certificate Store. The FBCA cross-certificate removal tool is available on the PKE website under the Tools section.

http://iase.disa.mil/pki-pke/function_pages/tools.html#validation