User profile for user: ivar v
ivar v Author
User level: Level 1
25 points

Apple system applications (Appstore, iTunes, iCloud,etc.) inaccessible after 10.11.0 upgrade (untrusted certificate)

Apple's Appstore, Safari and iTunes applications (in addition to several third party apps like Chrome) are unable to connect to Apple due to a certificate issue. This issue started immediately following the upgrade to osx 10.11.0, El Capitain. After poking around various forums I have found similar but not identical issues, but it did lead me to look into the Keychain Access app and it appears my computer no longer trusts Verisign(?) as a certificate authority - which is what Apple uses. I'm doubtful that I'm being hacked, but I don't want to compromise my security. What should I do to restore my computer to being functional? How did this happen?

User uploaded file


Edit: I found the List of available trusted root certificates in OS X El Capitan - Apple Support and none of certificates in the chain presented by Safari are included in the list of approved certificates listed in the tech support document that I linked. Is Apple serving up an old and busted certificate? Why does Firefox accept the certificate?


Message was edited by: ivar v Added link to trusted certs at bottom.

MacBook Pro (15-inch Mid 2012), OS X El Capitan (10.11), null

Posted on Sep 30, 2015 7:27 PM

Reply
6 replies
User profile for user: ivar v
ivar v Author
User level: Level 1
25 points

Oct 1, 2015 11:26 AM in response to ivar v

There are a few other threads that are trying to deal with this issue. So far 'after upgrade ssl certificates not valid seems the most promising, it links to iTunes and App Store broken after recent update which recommends following the suggestion at http://apple.stackexchange.com/questions/180570/invalid-certificate-after-securi ty-update-2015-004-in-mavericks as a solution to our problem with El Capitain.


The discussion and solution looks to be here - app store unavailable following security update 2015-004 (Mavericks).

I've tried following the proposed solution (despite being hesitant to delete certificates) but I found that even after entering my password as an administrator, Keychain would not allow me to delete the certs. I'd guess that this is due to updated permissions on 10.11. Can someone help confirm that this line of investigation is on the right track? Has anyone who had this certificate issue solved it?

Reply
User profile for user: ivar v
ivar v Author
User level: Level 1
25 points

Oct 2, 2015 8:34 AM in response to ivar v

Ok, it appears the solution (for me at least) was to open up the 'Keychain Access' app and from the 'login' keychain (top left corner) delete all the certificates on the apple.com domain (after exporting them as a backup). When your Safari / Appstore / icloud tries to connect again it will fetch new certificates and validate them, instead of checking against existings ones.

Reply
User profile for user: lindytalbot
lindytalbot
User level: Level 1
1 points

Oct 2, 2015 8:38 AM in response to ivar v

THIS (referenced above) was the solution for me (deleting Verisign certificates.)


But I also found that shutdown/restart was critical; after deleting the Verisign certificates, I couldn't sign in to App Store or iTunes (beach ball). I thought it might be an iCould thing so went to System Preferences to see...and System Preferences would not open. Aargh! Force quit all the hanging programs and did a restart.


All is well now.


Thanks, team, for the support here.

Reply
User profile for user: murrayE
murrayE
User level: Level 1
84 points

Oct 23, 2015 8:03 AM in response to ivar v

Keychain Access won't allow me to export the com.apple.* keys from the login keychain (before I delete them, as recommended to fix the iTunes problem,).


Here's what I'm doing once Keychain Access is open:

  1. click the login item at top of Keychains pane.
  2. Select all the com.apple.* items.
  3. From File menu select Export Items, select default "Certificates.p12" and select Desktop as target, click Save.
  4. In the resulting pop-up dialog I enter and verify a password to protect the exported items, then click OK there.
  5. In the new pop-up window 'Keychain Access.app wants to export key "Apple ID Authentication...." from your keychain. To allow this, enter the "login" keychain password. I type my login keychain password, clicking Allow.
  6. Nothing happens. (I even tried clicking Always Allow. Still that last pop-up window just stays there and the export doesn't happen.
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Apple system applications (Appstore, iTunes, iCloud,etc.) inaccessible after 10.11.0 upgrade (untrusted certificate)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up