Invalid Certificate on every secured website

This problem seems to be a little more insedious than just ocspd not being able to validate from behind a proxy. I've seen such problems even when I'm not behind the proxy.

Even worse it broke certificate based logins to our Cisco VPN since my certificate was issued by an intermediary CA which was suddenly listed as invalid. Even when I tried forcing every certificate in the chain as trusted (in both the login and System keychains), turned off the sane options of using OCSP and CRL in Keychain Access.app it still wouldn't work.

Then I relaized that the daemons used to create the VPN run as the root user.

I had to enable and login to the root user. From there set in Keychain Access.app all of the needed certificates as trusted in the System keychain for the root account.

Now it all seems to function (mostly). There is still the problem of some certificates being marked as having an invalid key length as mentioned by another poster in the thread.

I hope Apple gets this sorted out ASAP.

I hope even more that I'll remember to bring my system back into a sane state after the fix.

did apple have any suggestions as to what to do. At this point I'm suspecting that the Lion upgrade has made handling proxies more strict and some proxies are failing. If I could accurately describe this to our internal IT folks I mght have a chance of getting close to a fix.

Anything Apple said might be interesting.

Yes, but what about those of us who are not behind proxies who are experiencing the same problems?

My bug report has been closed as a duplicate of 11232763, so Apple is aware of the problem.

So, I went into my local Apple Store yesterday with this thread and my laptop to see if they had any ideas. The 'genius' hadn't encountered this problem with anyone else and because we couldn't recreate it at the Store (because no proxy), he offered to install a bug tracker that would log all errors and then I could take the laptop back in and he could escalate it to engineering. However, for a variety of other reasons, I do not have the patience or time to go through this and so asked him to roll it back to 10.7.3 and I won't update for a while.

So, I'm afraid no solution, however, if someone has the time and patience, it does sound like there will be the option to get it looked at in detail.

Sorry I couldn't be of more help guys.

Can you post your ug report to openradar so I can dup it?

It is just INCREDIBLE ! Since I update from 10.7.3 to 10.7.4 I m running through major network problems including network configuration which is not saved correctly (e.g., credentials for proxy go back to blank once I close the window to set them). It keeps asking me for certificates all the times, smtp server connection is completely lost (in Mail application) all my extensions in Safari have been uninstalled without my approval.

Anyway ! I bought a Mac because I know that I can rely on it all the time. But having such updates with those kind of bugs afterward I would rather stay on linux.

So please Apple, do something and quick.

We were able to find a fix for this. We disabled Online Certificate Status Protocal in Keychain Access's Preferences.

It didn't work for me either, now restoring to 10.7.3 from Time Machine.

The only way I reliably got these intermediary CA certs to function was to force them as trusted via Keychain Access run under the root account. Otherwise System daemons which use the certs will balk.

http://openradar.appspot.com/radar?id=1720406

Try tunring both OCSP and CRL off.

turned off both option in key chain preferences.

rebooted.

no change in behavior. Still getting error accessing https sites.

grrrrrrrrrrrrrr.