I can't open certain websites on my MacBook Air. It says this connection is not private.

Posted on Sep 30, 2021 1:29 PM

Question marked as Best reply

Posted on Oct 1, 2021 12:37 PM

The issue is related to the DST Root X3 certificate, which has expired as of September 30, 2021. But there is a solution!


Two solutions:

  1. Update your Mac to the newest available OS (10.12 or later)
  2. Update the certificate in keychain.


The easiest way to do this is to transfer your System Root certificates from another Mac to which you have access that runs a more modern version of macOS.

  1. First find the more modern Mac with a working set of System Root certificates (i.e. that can access the problematic web sites)
  2. On that Mac, launch Keychain Access, select "System Roots", select all the certificates, select File->Export, and export them as a rootcerts.pem file. This file will contain all the certificates concatenated.
  3. Copy the rootcerts.pem file to your antique Mac
  4. Make the trustroot shell script below, e.g. by copying it into a file, then using chmod 755 trustroot
  5. Run sudo ./trustroot rootcerts.pem
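
```bash
#!/bin/bash
# Usage: sudo ./trustroot rootcerts.pem
# Private temporary directory (TMPDIR may be unset under sudo); removed on exit.
DIR=$(mktemp -d "${TMPDIR:-/tmp}/trustroot.XXXXXX") || exit 1
trap 'rm -rf "$DIR"' EXIT
# Split the bundle into one file per certificate (-p is BSD split, as shipped with macOS).
(cd "$DIR" && split -p '-----BEGIN CERTIFICATE-----' - cert-) < "$1"
# Add each certificate to the System keychain as a trusted root.
for c in "$DIR"/cert-* ; do
   security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$c"
done
```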

What the script does is split the .pem file into a number of certificates in the temporary directory concerned, then add them as trustRoot certificates to the System keychain; they will then operate as trusted roots in addition to the certificates in the original "System Roots" keychain. In case you were wondering, you cannot add them to the System Roots keychain as that can only be updated by the operating system.

Note this copies over the first group of certificates ("Trusted Certificates" in the question), but not the second nor the third.


Source: https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
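
The procedure in the reply above marks every certificate in rootcerts.pem as a trusted root, so the file deserves a review before it is imported. The following is an added example, not part of the original reply: the function name `audit_bundle` and its report format are assumptions, and it needs the `openssl` command-line tool. It lists each certificate's expiry, SHA-256 fingerprint and subject, and flags blocks that are expired or do not parse.

```shell
#!/bin/bash
# Added example: review a concatenated PEM bundle before running trustroot on it.
# Prints one tab-separated line per PEM block:
#   STATUS  notAfter  SHA-256 fingerprint  subject
# Returns 0 if every block is a currently valid certificate, 1 if any block is
# expired or unparseable, 2 if the file contains no PEM blocks.
audit_bundle() {
    local bundle=$1 dir f status end fp subj rc=0
    dir=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX") || return 2
    # One file per certificate; awk is used so this also runs where split lacks -p.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%04d.pem", d, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || { rc=2; break; }   # glob did not match: no PEM blocks
        if ! openssl x509 -in "$f" -noout 2>/dev/null; then
            printf 'UNPARSEABLE\t-\t-\t%s\n' "${f##*/}"; rc=1; continue
        fi
        # -checkend 0 exits non-zero when notAfter is already in the past.
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRED; rc=1
        fi
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^[^=]*=//')
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        printf '%s\t%s\t%s\t%s\n' "$status" "$end" "$fp" "$subj"
    done
    rm -rf "$dir"
    return "$rc"
}

# Run as a script: ./audit_bundle.sh rootcerts.pem
if [ $# -gt 0 ]; then
    audit_bundle "$1"
fi
```

Compare the printed fingerprints with those shown in Keychain Access on the Mac the file was exported from before running trustroot.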

10 replies
Oct 10, 2021 12:55 PM in response to Joericci

In case anyone is still affected, Firefox works fine, or to fix in Safari:

  1. Open your keychain and locate the certificate under System Roots > Certificates called "DST Root CA X3"
  2. Double-click and select Trust: When using this certificate: Always Trust
  3. Close and enter system password


Then when you visit an affected website the certificate will update in the browser to the correct/newer one, "ISRG Root X1".

Sep 30, 2021 7:47 PM in response to darkstar2002

darkstar2002 wrote:

I am also having problems with websites and Facebook games... I have an older, 2009 iMac.... what can/should I do to fix this? There is nothing to update. Thanks.


These directions should get the certificate chain updated on a Mac running 10.11 or older:


https://mjtsai.com/blog/2021/09/24/some-web-sites-will-stop-working-with-el-capitan-and-older/#comment-3538503
