
Can't open HTTPS sites on Mac

Hello there, I'm using a MacBook Pro mid 2012 and my Safari stopped loading HTTPS pages and it says that it can't establish a secure connection. After about two hours looking for some answers, I think I found something, I need two certificates and both have "x509" in their names. Can someone help me to solve this HTTPS problem? I think the certificates are the right way to solve it, but I'm not sure.

I'm running the last update of MacOSX Yosemite.

MacBook Pro, OS X Yosemite (10.10.3)

Posted on Apr 27, 2015 8:30 PM

5 replies

Feb 2, 2017 4:06 AM in response to Linc Davis

Hey, I had this problem, I could not link to any https sites from a particular server. All the websites my partner works on.

I got through to Step 7 before resolving it.

I didn't find any certificates with non-default trust settings.

I didn't export each certificate; there were way too many. I only exported about 10. It did not allow me to delete any certificates in the system root list, and I did not reimport them, so maybe this didn't do anything. What did do something was when I did Step 7, deleting the contents of the CRL folder.

Thank You!

Apr 27, 2015 9:07 PM in response to Hugo from Brazil

This could be a complicated problem to solve, as there are several possible causes for it.

Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.

Step 1

From the menu bar, select

Apple menu ▹ System Preferences... ▹ Date & Time

Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.

Check the box marked

Set date and time automatically

if it's not already checked, and select one of the Apple time servers from the menu next to it.

Step 2

Start up in safe mode and log in to the account with the problem.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.

Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.

The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.

If the problem is not reproducible in safe mode, then it's caused by third-party "anti-virus" or "security" software. If you know what that software is, remove it as directed by the developer after backing up all data. If you don't know what it is, ask for instructions.

Step 3


Triple-click anywhere in the line below on this page to select it:

/System/Library/Keychains/SystemCACertificates.keychain

Right-click or control-click the highlighted line and select

Services ▹ Show Info

from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.

Repeat with this line:

/System/Library/Keychains/SystemRootCertificates.keychain

If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.

Step 4

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.

In the Keychains list, there should be items named System and System Roots. If not, select

File ▹ Add Keychain

from the menu bar and add the following items:

/Library/Keychains/System.keychain

/System/Library/Keychains/SystemRootCertificates.keychain

Open the View menu in the menu bar. If one of the items in the menu is

Show Expired Certificates

select it. Otherwise it will show

Hide Expired Certificates

which is what you want.

From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled

Secure Sockets Layer (SSL)

select

no value specified

Close the inspection window. You'll be prompted for your administrator password to update the settings.

Now open the same inspection window again, and select

When using this certificate: Use System Defaults

Save the change in the same way as before.

Revert all the certificates with non-default trust settings. Never again change any of those settings.

Step 5

Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.

Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select

Help ▹ Keychain Access Help

from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.

Step 6

From the menu bar, select

Keychain Access ▹ Preferences... ▹ Certificates

There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.

Step 7

Triple-click anywhere in the line of text below on this page to select it:

/var/db/crls

Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.

Restart the computer, empty the Trash, and test.

Step 8

Triple-click anywhere in the line below on this page to select it:

open -e /etc/hosts

Copy the selected text to the Clipboard by pressing the key combination command-C.

Launch the built-in Terminal application in the same way you launched Keychain Access.

Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost

If that's not what you see, post the contents of the window.
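
A read-only Terminal check covering Steps 3, 7 and 8 of the answer above, added here as an example and not part of the original post. The function names are hypothetical; the paths and the three default hosts entries are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: read-only checks mirroring Steps 3, 7 and 8 above.
# Function names are hypothetical; paths are the ones quoted in the answer.

# Step 3: report whether a keychain file is missing, writable by the
# current user, or read-only ("You can only read" in the Info dialog).
keychain_status() {
    if [ ! -f "$1" ]; then echo "missing"
    elif [ -w "$1" ]; then echo "writable"
    else echo "read-only"
    fi
}

# Step 7: count cached CRL files (0 if the folder is absent or unreadable).
crl_cache_count() {
    find "${1:-/var/db/crls}" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Step 8: print active hosts entries other than the three default lines.
nondefault_hosts() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # skip blank or incomplete lines
        NF == 2 && $2 == "localhost" && ($1 == "127.0.0.1" || $1 == "::1") { next }
        NF == 2 && $1 == "255.255.255.255" && $2 == "broadcasthost" { next }
        { $1 = $1; print }                 # normalise spacing, then print
    ' "${1:-/etc/hosts}"
}

# Print one summary for the machine the script is run on.
tls_report() {
    for k in /System/Library/Keychains/SystemCACertificates.keychain \
             /System/Library/Keychains/SystemRootCertificates.keychain; do
        echo "$k: $(keychain_status "$k")"
    done
    echo "CRL cache files: $(crl_cache_count)"
    echo "Non-default hosts entries:"
    nondefault_hosts | sed 's/^/  /'
}

tls_report
```

Any line printed under "Non-default hosts entries" maps a hostname to a fixed address and is worth reviewing before the later steps; the script changes nothing on disk.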
