Safari in High Sierra refuses connection to website with expired certificate

I tried to get the certificate imported using the keychain in terminal, but I came to find out that the import to the keychain wasn't the issue at all. I deleted all the certificates for a particular site and visited it again. It asked me to visit the site anyway, which prompted for my keychain password. I put it in and verified it was now in my keychain. It then went right back to the website blocked message. Rinse and repeat. However, once in the keychain, I found that you can open the certificate and expand a section for Trust. I changed it to Always Trust. Then, the website let me in!

go to you keychain and find the certificate. Highlight it and click on the "i" at the bottom of the screen. Then expand the "trust" area and select "always trust" - when using this cert. It worked for me. As a network admin, I access lots of https resources that do not have "proper" certificates registered and therefore are blocked.

Safari no longer loops preventing me from visiting the router admin page. Upon receiving the error that the connection is not private, I attempted to visit the page anyway. I was prompted for admin credentials, and this adds the self-signed cert into my Keychain.

Open the self-signed certificate in Keychain Access, and expand "Trust" section. Then change "when using this certificate" from 'custom' to 'always trust'. Before I made the change, it was always trusting the SSL, but none of the other options.

If you have an admin account on your machine, your best bet is to import the cert using terminal, then use Keychain to modify the properties so your machine trusts it. If the cert is expired, I don't believe you can import the cert using the Keychain app.

Something like this put the cert into my login keychain (Google's your friend: "Import Cert Keychain Terminal"):

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>

You could always use another browser... Chrome comes to mind.

I don't have High Sierra to test with, but with Safari 11 on 10.12.6, I can drag an expired certificate from the info window to the desktop, then double-click it, opening Keychain Access & adding it to the login keychain.

Once there, it can be opened & given an 'Always trust' setting. That stops any warnings for Safari when tested with https://expired.badssl.com

You need to click & drag on the certificate icon when viewing the details in Safari.

Oh, that's odd. I can both double-click it, and drag straight to the login keychain... there must be some way of adding car's in High Sierra. Does a valid one work ?. Anything in Keychain Access preferences that would affect it ?.

Otherwise, use Certificate Assistant to create a new self-signed one and use it on the server.

I've got a very similar problem. In my case the certificate is not expired, though. It is simply not trusted because it belongs to a small local server at my work. Access is essential for me and I am also sure it is secure.

Before High Sierra, I had to click through some warning messages once but afterwards Safari loaded the page just normally. Now I can click my way through practically the same messages ("This connection is not private" -> Show details -> Open this website -> Visit website -> Admin password) but it will just bring me back to where I started ("This connection is not private") and refuse to load the page.

Deleting the certificate in my Keychain to have a new one downloaded didn't help.

When I edit the certificate in Keychain to always be trusted and then reload the page it strangely gives me a completely different error message ("Bad Request - Your browser sent a request that this server could not understand.").

I have Avast installed but excluding the site from its web security doesn't change the behaviour.

Luckily, only Safari seems to be affected by this. Chrome lets me access the site (after the usual "are you sure??" stuff).

It may not work, but you can try deleting the certificate from Keychain Access to see if a new certificate will download.

You might try e-mailing them to see if they will update their certificate in addition to the suggestion KiltedTim posted. Be very cautious about entering any personal data on the web site until they update their certificate.

I'd start a new thread, with details of the certificate(s) that aren't accepted. Confirm that your computer time & date are correct first.