Safari says certificate is invalid?

Starman,

Nope, didn't work. I've gone through all the help files for keychain access and followed your instructions to the letter, but safari still gives me the same warning.

Also, the X509 anchors listing "on the left in the keychains section" is missing. It was there last time I checked ( a few weeks ago) but was missing when I went to follow your tips.

The full URL for the site in question is: https://www.google.com/adsense/

The root and intermediate certs are ok (issued by Thawte SGC CA) but the last cert on the chain (leaf) shows: "thawte cert has an invalid issuer expires tue may 15 2007".

I'm thinking of resetting keychain access to factory default settings and starting fresh, or deleting the keychain and creating a new one.

Any ideas on what to do next?

Thanks

Ran first aid and it showed an error with my keychain lock settings so changed the settings to get a clean pass, and did. but that has nothing to do with the cert being accepted.

I've tried to access the adsense part of google from different directions (off a google search results page, bookmark, ect) thinking the url was the prob, no luck.

my safari insists the cert is invalid. (btw X509 was there, just had to hit the "show keychains" button at bottom of window, must be blind)

What I've tried so far:

Went through the X509 anchors and deleated all the invalid certs (many were out of date) plus all the google certs in anchors and my keychain login.

did a spotlight search for anything related to Thawte or google in keychain access and deleated anything that was invalid and checked that everything else is valid, and it is. (all certs now show as valid).

closed K-Access, cleared the cache, cookies, and history for safari closed it and rebooted.

reopened K-Access to make sure everything is still clean, it is, then closed it.

opened safari, went to adsense and got the same warning, checked the details, scrolled down and clicked the link for the .crt, went through the process to add the root cert to anchors and keychain login. rechecked for the invalid cert (it was there) removed it rebooted and still get the same warning.

if you can, do a spotlight search in K-Access for www.google.com and see what comes up. (if you went to the url I posted the cert should be on your machine)

a work around I found to avoid the warning is to set the preferances for cert acceptance to "best attempt", the cert still shows as invalid but I no longer get the warning.

At this point I'll give my brain a rest and try to trouble shoot this again later today.

If you come up with anything post back

Thanks

Eric,

Many Thanks, you confirmed my best guess as far as google/adsense is concerned.

One thing I don't quite understand is, if I set K-Access preferences/certificates to "Best Attempt" the cert in question shows as valid, though when pref's are set to "Require if Cert Indicates" it shows as invalid.

Must be the "www.google.com" cert (issued by Thawte SCG CA) doesn't meet the higher trust settings for some reason, (like you said the cert may be bad).

I took a very close look at the details for that cert and compared it to other certs from Thawte and everything seems to be in order. I've added it to X509 anchors and left the pref's set to "best attempt" for now.

I'll probably play around with the settings later but for now I'll leave well enough alone. I'll leave this post open for a while to see if anyone has an idea, but I think my question has been answered.

Thanks