Let's Encrypt DST Root CA X3 Expiration

Michael keybounce at gmail.com
Sun Oct 3 03:06:27 UTC 2021

So, first, I want to say "Thank you" for this bit:

> • From View menu select "Show Expired Certificates"

In Keychain Access, I could not see the expired certs, and was thinking that they were just deleted for being old. Once I could find the old ones, I could turn them back on.

The second thing is that for whatever reason, I could not download and install the new cert into Keychain Access. But ... oddly, Firefox 52 ESR had that cert installed (even that old ...???). I could export from Firefox, and import THAT into Keychain Access, and at least enable that for my account.

So, ... well, not perfect. These certs are marked as trusted for *my account*. Not for the system. So predictably, some things done by the system in the background will fail, but at least Chrome and Firefox both now work fine. (Safari isn't tested, but ... well, Safari isn't tested :=-).


I have a much better question, that's outside of the scope of this list or even the site(s) in question.

Why does a signature expire?

If I have something that was signed by a cert, and it was signed in a valid time stamp, why does that signature ever expire?

I've come across programs that have an expired signature, and I can't see a good reason for it.

And if there's no good way to tell when something was actually signed (because a timestamp can be forged), then the question becomes, why does a cert expire as a function of time? Why not allow a cert to be "until revoked"?

For that matter, why is "valid/not valid" not under the control of the system? Why is someone else allowed to say that my system is no longer valid?

I figure that there's a good answer to these questions somewhere, but I have no clue where to even begin looking. And yes, I know that quantum factoring will eventually permit all of these certs to be forged, but until then, why not allow them, and even after that point, why not allow me to allow them?

On 2021-10-02, at 7:52 PM, Ryan Schmidt <ryandesign at macports.org> wrote:

> On Oct 2, 2021, at 10:57, Michael wrote:
>> Well, thank you for this, and it explains something else.
>> I've got an older OS (10.9.5), and suddenly Chrome (67 is latest here) has been complaining left, right and center about LOTS of unsafe sites, refusing to let me connect, etc. Meanwhile, Firefox (52 ESR) is happy to connect, but is too old to display a lot of them correctly.
>> Is there any way for older OS's to declare extended trust for certificates?
> I've added instructions for doing that here:
> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt
> It helped Safari and /usr/bin/curl. I didn't test Chrome; you can let us know if it helps.

This message was composed with the aid of a laptop cat, and no mouse
