Updating the Certificate Trust Store on macOS
This is a work in progress. It discusses updating the Keychain certificate trust store on macOS 12 (Monterey, per reports) and on macOS 13 (Ventura) to include the Sectigo root and intermediate certificates needed by websites that use the newer Sectigo root certificates.
One such Sectigo-related website is Treasury Direct (treasurydirect.gov).
This sequence is less than robustly tested, and not all of this may be necessary.
Or phrased more succinctly, "works for me".
On macOS 12 or macOS 13, launch the Keychain Access app from Applications > Utilities, and select the System keychain. This keychain is where these certificates will be loaded.
Using Safari, download the current Sectigo RSA Domain Validation Secure Server CA [CA Bundle + Cross Signed Certificates] from https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates. You'll (eventually) get a file downloaded as Sectigo RSA Domain Validation CA Bundle. Use Finder to add the file extension .crt to the file name. You can then use Quick Look (specifically the Quick Look feature available within the Keychain Access import picker) to show the contents of the selected entry as:
Similarly, download the current Root Sectigo Public Server Authentication Root R46 7/22/2025 from here:
You'll get a file Root Sectigo Public Server Authentication Root R46.crt, and a quick look (from within the Keychain Access import picker) will show the entry as:
Import the two files using the Keychain Access app.
You'll have two certificate entries shown:
You'll have to select the root (gold) entry, use Get Info, and manually trust it (select "always trust"), as it will initially load as untrusted (with a red ❌ showing untrusted). You'll then need to switch away from that display and enter an admin password to commit the trust. Once trusted, you'll see a plus sign in a blue circle ⊕ overlaid.
The sequence above is reverse-engineered from an evening of rummaging through the Sectigo website trying to figure out which certificates are needed on macOS 13, and it might not accurately reflect your particular reality. Or this might not work for you.
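A command-line check to run on the two downloaded files before the import and trust steps above, as an added example that is not part of the original page: it splits the bundle into its individual certificates, prints each subject, issuer, expiry date and SHA-256 fingerprint for comparison against the values Sectigo publishes, and prints the security commands that correspond to the Keychain Access steps. It assumes the downloads are PEM-encoded and that openssl is installed; the script name and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes PEM-encoded downloads.
# Usage: sh inspect-certs.sh <bundle.crt> <root.crt>   (script name is hypothetical)

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ...; print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Print the fields to compare against what Sectigo publishes.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# A root certificate is self-issued: subject and issuer are the same name.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

main() {
    work=$(mktemp -d) || return 1
    echo "Bundle holds $(split_bundle "$1" "$work") certificate(s)"
    for c in "$work"/cert-*.pem "$2"; do
        echo "== $c"
        describe_cert "$c" || return 1
        if is_self_issued "$c"; then echo "   self-issued: needs explicit trust"; fi
    done
    # Command-line equivalents of the import and "always trust" steps, printed
    # rather than run so that the fingerprints get compared first.
    echo "sudo security add-certificates -k /Library/Keychains/System.keychain $work/cert-*.pem"
    printf 'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "%s"\n' "$2"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Quick Look shows one entry at a time, so the per-certificate listing is the easier way to see everything the bundle file contains.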
Untrusted Personal Certificates and Mail:
It is also possible that a server certificate or a personal certificate may not pass checks. You can override that and mark the certificate as trusted if you have verified it and trusting the certificate is appropriate:
This too involves using Keychain Access to mark the certificate as being trusted.
Comments welcome, edits in progress, your mileage may vary, etc.