app store unavailable following security update 2015-004 (Mavericks)

I had this issue recently when my clock was behind a couple of months. (It was an older laptop I hadn't used for "a while.") Switching to Firefox told me that the certificate start date was in the future. Opening Time & Date Preferences updated the clock and the issue resolved.

This could be a complicated problem to solve, as there are several possible causes for it.

Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.

Step 1

From the menu bar, select

 ▹ System Preferences... ▹ Date & Time

Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the data and time shown (including the year) are correct, and correct them if not.

Check the box marked

Set date and time automatically

if it's not already checked, and select one of the Apple time servers from the menu next to it.

Step 2

Start up in safe mode and log in to the account with the problem.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.

Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.

The login screen appears even if you usually login automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.

If the problem is not reproducible in safe mode, then it's caused by third-party "anti-virus" or "security" software. If you know what that software is, remove it as directed by the developer after backing up all data. If you don't know what it is, ask for instructions.

Step 3

Triple-click anywhere in the line below on this page to select it:

/System/Library/Keychains/SystemCACertificates.keychain

Right-click or control-click the highlighted line and select

Services ▹ Show Info

from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.

Repeat with this line:

/System/Library/Keychains/SystemRootCertificates.keychain

If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.

Step 4

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.

In the Keychains list, there should be items named System and System Roots. If not, select

File ▹ Add Keychain

from the menu bar and add the following items:

/Library/Keychains/System.keychain

/System/Library/Keychains/SystemRootCertificates.keychain

Open the View menu in the menu bar. If one of the items in the menu is

Show Expired Certificates

select it. Otherwise it will show

Hide Expired Certificates

which is what you want.

From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled

Secure Sockets Layer (SSL)

select

no value specified

Close the inspection window. You'll be prompted for your administrator password to update the settings.

Now open the same inspection window again, and select

When using this certificate: Use System Defaults

Save the change in the same way as before.

Revert all the certificates with non-default trust settings. Never again change any of those settings.

Step 5

Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.

Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select

Help ▹ Keychain Access Help

from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.

Step 6

From the menu bar, select

Keychain Access ▹ Preferences... ▹ Certificates

There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.

Step 7

Triple-click anywhere in the line of text below on this page to select it:

/var/db/crls

Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.

Restart the computer, empty the Trash, and test.

Step 8

Triple-click anywhere in the line below on this page to select it:

open -e /etc/hosts

Copy the selected text to the Clipboard by pressing the key combination command-C.

Launch the built-in Terminal application in the same way you launched Keychain Access.

Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost

If that's not what you see, post the contents of the window.

Same symptoms as OP, occurring after installing Security Update 2015-004 for Mavericks . None of the above steps worked, I had no certificates with the blue icon in my keychain.

My /etc/hosts has:

##

# Host Database

#

# localhost is used to configure the loopback interface

# when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost

fe80::1%lo0 localhost

so one extra line from your post.

I could attempt to upgrade to Yosemite from a USB boot installer I have, but I wonder if that will fix this problem.

I solved this problem by deleting all VeriSign certificates in my login keychain.

I did not touch any certificates in the System Roots keychain.

I exported the 4 certs there first of course, but App Store and iTunes connected and work properly without them in my login keychain.

Good luck,

Ohmi

You don't need to revert anything. The solution was Step 5 in my instructions.

I'm belaboring this point so that others who may find this thread won't be confused. In Step 5, you were to delete the invalid certificates first, then export and delete all remaining certificates in the default keychain.

Thanks. I exported VeriSign Class 3 Public Primary Certification Authority - G5.cer from my Keychain login, and then deleted this certificate. I was able to access the App Store after this, and I was also able to start iTunes without getting the certificate error message.

Re: app store unavailable following security update 2015-004 (Mavericks)

Linc Davis,Hi dltd

I need your help.I have iMac 21" OS X version 10.9.5,Pro:3.1Ghz intel Core i7,16 GB. I have problem same like Ohmiap,Jorgfromfra.Has been 2 weeks happen to me App Store mess up,I check and try every single question and answer at forum community but still not solve it.I read yesterday and I did your steps 1-7 today twice but not yet solve it.I don't have idea,How to exsport and deleted VeriSign Class 3 Public Primary certification Authority-5.Thank you so much.

I can confirm the problem as well as the solution.

OS X 10.8.5. After installing Security Update 2015-004, I couldn't browse to any website using the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" without a security warning ("invalid certificate"). I'm using Chrome and Safari, both of which rely on the OS for the list of trusted root CAs.

I had such an entry in my Login certificates list; removing it resolved the conflict and solved the problem.

I can add to the discussion that while the certificates` names matched, their serial numbers didn't. The correct one (and updated one from Apple) starts with 18 DA, while the wrong one starts with 25 0C. Apple's release notes confirm that this update updated the certificate trust policy, and the correct serial number for the certificate.

I'm still wondering why many of us had this wrong(?) certificate in our Login Keychain. Had we all trusted a hacker's forget certificate at some point? I find it hard to believe (and also a bit scary), perhaps Linc would be able to offer a more reasonable explanation.

PS: Firefox is unaffected because unlike Chrome and Safari, it uses its own list of trusted CAs and not the OS's.

Taruna Utama: all you say about your problem is "App Store mess up" [sic]. How do you know it's the same problem described in this thread? My hunch is that it's not. A closer look at the Console logs would reveal more.

Hi. From Keychain Access, select login in the Keycahins area of the left sidebar. From the list of certificates displayed, right click on the desired certificate, select the Export option, and then specify the destination location.

You can right click on the desired certificate, and then select the Delete option.

Genius! Deleting the Verisign certificates, all four of has worked perfectly. I can now sign in to FaceTime, App Store, iTunes and IMessage again. Thank you!!!

Security Update 2015-004 broke VeriSign SSL certificates system wide