sébastienfromquebec

Q: Invalid Certificate on every secured website

Hi,

I've just updated to 10.7.4 with Safari 5.1.7 and after the update I'm always getting an Invalid Certificate for secured websites.

www.paypal.com

every banking site

etc.

The content is not entirely loaded even if I click "continue".

I don't know if it is related but I can't install any Extensions in Safari. I had ClickToFlash and 1Password and neither can be reinstalled after the update. I got a message telling me that the extension cannot be installed.

Thank you

MacBook Air, Mac OS X (10.7.4)

Posted on May 10, 2012 12:56 PM

Page 5 of 10
  • by KevinMSD,

    KevinMSD May 29, 2012 2:20 PM in response to KevinMSD
    Level 1 (0 points)

    here is the image....

  • by caj001,

    caj001 May 29, 2012 3:00 PM in response to KevinMSD
    Level 1 (0 points)

    KevinMSD, I noticed that one also. There are many sites that I visit that have nothing to do with Facebook, but I will get several messages popping up regarding the Facebook security certificate.

    I scanned my system with Symantec Endpoint Protection just to make sure there is no trojan or virus activity. If so, the latest SEP and virus definitions can't find it.

  • by jbixler,

    jbixler May 29, 2012 4:09 PM in response to caj001
    Level 1 (12 points)
    iPad

    You guys are getting the message about Facebook because many sites allow you to either use Facebook's authentication system to create an account on that site, or they've got social sharing features on the site which allow you to post stuff directly to your Facebook wall.

  • by sfdiego,

    sfdiego May 29, 2012 8:08 PM in response to jbixler
    Level 1 (0 points)

    I noticed that my system wasn't trusting any certificates signed by Verisign. I downloaded this certificate from Verisign and imported it into Keychain Access, and it solved the problem for me:

    http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem

    [ from here: http://www.verisign.com/support/roots.html ]

  • by Mardovar,

    Mardovar May 30, 2012 8:47 AM in response to sébastienfromquebec
    Level 1 (0 points)

    With the latest updates, Safari is requesting the CRL (certificate revocation list) from the issuer of the certificate to validate the certificate. However, the request is made without authentication and therefore the proxy rejects the request. The request is not reissued with credentials and the keychain process assumes the certificate is invalid because it cannot verify that the certificate is not on the revocation list. We have decided to add many of the certificate authorities to our list of sites that may be accessed via our proxy server without authentication and now Safari says that the certificates are valid. So far we have whitelisted verisign.com, thawte.com, godaddy.com, digicert.com and geotrust.com. For a US site, this seems to cover the majority of certificates we see.

    Apple should fix this problem and use the credentials in the keychain for the CRL web requests.
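
Added example (not part of Mardovar's post or any other reply in this thread): the function below lists the exact hosts a certificate's CRL, OCSP and CA Issuers URLs point at, so a proxy exception list like the one described above can be scoped to them. The function names, the sample text and the `example.test` hosts are constructed for illustration, and the parser assumes the usual `openssl x509 -noout -text` layout.

```shell
#!/bin/sh
# Added example: list the hosts contacted for revocation and chain checks.
# Reads `openssl x509 -noout -text` output on stdin, prints unique host names.
revocation_hosts() {
    awk '
        NF == 0 { next }                       # blank lines occur inside the CRL block
        {
            indent = match($0, /[^ ]/) - 1     # width of leading spaces
            if (indent <= 12) {                # extension header or top-level field
                in_ext = ($0 ~ /CRL Distribution Points|Authority Information Access/)
                next
            }
        }
        in_ext && /URI:/ {
            sub(".*URI:[a-z]+://", "")         # drop everything up to scheme://
            sub("[/:].*", "")                  # drop port and path
            print
        }
    ' | sort -u
}

# Constructed sample in the layout openssl prints (all names are made up).
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Issuer: CN=Constructed Test CA
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:shop.example.test, URI:https://id.example.test/shop
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/ca.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.example.test:8080/
                CA Issuers - URI:http://aia.example.test/ca.cer
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_cert_text | revocation_hosts
# Live use (needs network; HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null |
#     openssl x509 -noout -text | revocation_hosts
```

The live pipeline inspects only the leaf certificate; intermediate certificates carry their own CRL and OCSP URLs and need the same treatment.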

  • by Basti756,

    Basti756 Jun 5, 2012 1:29 AM in response to Mardovar
    Level 1 (0 points)

    Add me (and my colleagues) to the list.

    Using a whitelist is a good idea but actually Apple should come up with a bugfix to solve this.

  • by KTor,

    KTor Jun 8, 2012 12:57 AM in response to sébastienfromquebec
    Level 1 (0 points)

    I have the same issue with Google certificate on Safari, Chrome and Mail. Firefox is the only one that works right, probably because it doesn't use the system certificates.

    A few weeks ago I had the same issue with Verisign certificates but it was solved by deleting the certificates from Keychain Access. I can't do the same with Google certificates because I can't find any Google certificate in Keychain.

    Does anyone have a solution for this?

  • by AtlantaPam,

    AtlantaPam Jun 9, 2012 2:47 PM in response to Linc Davis
    Level 1 (4 points)

    Thank you for your suggestion. I deleted the files crlcache.db and ocspcache.db and I kept the window open. I just watched them reappear under private/var/db/crls/

  • by antonyoung,

    antonyoung Jun 9, 2012 4:40 PM in response to quickSti
    Level 1 (0 points)

    Thank you quickSti! This finally solved the problem for me.

    quickSti wrote:

    I solved this on my wife's computer by resetting the security certificate settings. This might help others:

    Close all windows.

    Keychain Access -> click on System Roots on the left, and then click on Certificates on the bottom left.

    Check to see if any of the certificates on the right have the blue "+" symbol - this means they have custom trust settings.

    There is a bug in changing the policies, so you'll have to change them via the method below. Changing them just by changing the access to "system defaults" doesn't seem to save. The method below worked for me.

    Double-click on each certificate with the custom setting (blue "+"), expand the section labeled "trust". Change the "Secure Sockets Layer (SSL)" setting to "no value specified". Close window - you should be prompted for the password. Double-click on the certificate again, expand trust, change the "When using this certificate" setting to "Use System Defaults". Close window, and re-enter password.

    If you didn't re-enter your password upon closing the window, the setting didn't take. The blue "+" should disappear after a few seconds when it's set back to default. Once all of the certificates are changed back to default, restart Safari.

    This solved all of the problems for my wife's computer with these issues and OSX 10.7.4

  • by marc from white river junction,

    marc from white river junction Jun 9, 2012 5:47 PM in response to quickSti
    Level 1 (0 points)

    Just got around to trying this, worked perfectly - thank you!

  • by frazzm737,

    frazzm737 Jun 9, 2012 5:50 PM in response to antonyoung
    Level 3 (912 points)
    Mac OS X

    Thank you, anton young!  I just tried your tip.  I merely made the change to the verisign certificate that showed the blue+ sign and now I can finally access my credit card sites.  Most of the others in foreign languages I didn't mess with.  I have printed out your instructions in case I need to change any other certificates.  Thanks again--yours was the first suggestion that seemed to solve the problem easily.

  • by dean23,

    dean23 Jun 9, 2012 5:51 PM in response to sébastienfromquebec
    Level 1 (9 points)
    iPhone

    Check to see if the date and time is correct as that can flag issues with certificates.

  • by frazzm737,

    frazzm737 Jun 9, 2012 6:31 PM in response to dean23
    Level 3 (912 points)
    Mac OS X

    Date and time are correct--I can now access secure sites with Chrome and Safari, but not FF. That must be due to some security setting within the browser.

  • by frazzm737,

    frazzm737 Jun 9, 2012 10:03 PM in response to frazzm737
    Level 3 (912 points)
    Mac OS X

    I see that I erred when giving thanks for the solution which solved the problem.  My thanks go to quickSti!  I was so excited to find a solution that I overlooked the name of the original poster.  Thanks again-- this problem was driving me crazy.

  • by edfromarvada,

    edfromarvada Jun 10, 2012 5:29 PM in response to sébastienfromquebec
    Level 1 (0 points)

    Thank you quickSti, you solved my problem as well. Apple senior tech finally got back with me and reported Apple engineers had no answers as of yet so I gave him your thread that solved the problem. He was going to pass it on up to Apple engineers in hopes that they could now solve the problem for everyone else with an update.
