DoD Certificate Setup
Prepare a DoD PKI root certificate for secure Ask Sage connections on DoD/DoW networks
About This Guide
Government users on DoD or DoW networks need a DoD PKI root certificate to establish trusted TLS connections to Ask Sage. This guide covers downloading and converting that certificate. Once you have the resulting .pem file, apply it in your specific tool's configuration—see the Claude Code and Codex integration guides for tool-specific setup steps.
Table of Contents
Instance-Specific Base URL: The endpoints and configuration shown reflect the instance at chat.asksage.ai. The api. prefix and path suffix stay the same across deployments — only the instance segment in the middle changes based on which Ask Sage instance you are logging into. Always use the instance approved by your organization and applicable regulatory requirements, and match the base URL in your configuration to the instance you authenticate against.
Prerequisites
DoD Certificate Configuration
.pem file can be reused across any Ask Sage integration that supports a custom CA certificate. Download DoD Certificates
- Navigate to DoD Cyber Exchange PKI/PKE
- Download "PKI CA Certificate Bundles: PKCS#7 for DoD PKI Only" (latest version)
- Extract the downloaded ZIP file (e.g.,
unclass-certificates_pkcs7_DoD.zip) - Locate the
.der.p7bfile (e.g.,Certificates_PKCS7_v5_14_DoD.der.p7b) - Save to a permanent location on your system
# Navigate to your certificate directory
cd /path/to/certificates
# Convert DER to PEM format
openssl pkcs7 \
-in Certificates_PKCS7_v5_14_DoD.der.p7b \
-inform DER \
-print_certs \
-out Certificates_PKCS7_v5_14_DoD.der.pemThis creates the .pem file you'll reference in your integration's configuration.
Reference the Certificate in Your Tool
Point your integration's CA certificate/root certificate setting at the .pem file you just created. The exact setting name varies by tool—see the Claude Code and Codex integration guides for the specific configuration keys and file locations.
https://api.genai.army.mil/server/) instead of the commercial endpoint—only the base URL changes. - Windows: Use forward slashes or escaped backslashes
C:/Users/username/certs/cert.pemorC:\\Users\\username\\certs\\cert.pem - Mac/Linux: Standard Unix paths
/Users/username/certs/cert.pem
Troubleshooting
SSL/TLS certificate validation failures
Solutions:
- Verify
.pemfile path is absolute and correct - Use forward slashes in paths (even on Windows)
- Ensure certificate conversion completed successfully
- Download the latest DoD certificate bundle
- Check file permissions (must be readable)
Additional Resources
- DoD Cyber Exchange PKI/PKE - Download the latest DoD certificate bundle
- Ask Sage API Documentation
- Claude Code Integration - Apply your certificate for terminal-based access
- Codex Integration - Apply your certificate for terminal-based access