provide latest OS root certificates via port?

raf macports at
Mon Nov 1 07:12:12 UTC 2021

On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users <macports-users at> wrote:

> I see that I already have the latest ISRG Root X1 certificate in the
> System Roots keychain, so not sure why I would need to add it to my
> System keychain.

It doesn't sound sensible, does it? I followed those instructions,
then added it to System Roots because it hadn't changed anything,
only to discover (on 10.6) that only TLSv1.0 was supported by the
system-supplied software so things wouldn't work anyway.

I still don't understand why /usr/bin/curl isn't working for me on
10.14 but Safari is.

> And when I went to
> to download, it showed up as a .cer instead of a .pem.
> -Al-

That file is in PEM format.
Is it just the filename suffix that is of concern, or the format?
i.e. does it start with "-----BEGIN CERTIFICATE-----"?
If so, it can be renamed to isrgrootx1.pem (but it might not matter).

If you have a binary file in DER format, it can be converted to PEM format:

  openssl x509 -inform der -outform pem -in file.der -out file.pem

Or just download the PEM version. They have both available.


> > On Oct 29, 2021, at 10:25 PM, Michael <keybounce at <mailto:keybounce at>> wrote:
> > 
> > So I found this advice online for updating certs without having to worry about trusting expired old certs.
> > 
> > 1. Visit to download the certificate, and save it in the Documents folder.
> > 
> > 2. Open Terminal, paste this command, and press enter:
> > 
> > sudo security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ~/Documents/isrgrootx1.pem
> > 
> > This eliminates the need for marking the expired DST root as special-case trusted.

More information about the macports-users mailing list