Let's Encrypt DST Root CA X3 Expiration

raf macports at raf.org
Sun Oct 3 03:25:42 UTC 2021


On Sat, Oct 02, 2021 at 08:06:27PM -0700, Michael <keybounce at gmail.com> wrote:

> So, first, I want to say "Thank you" for this bit:
> 
> > • From View menu select "Show Expired Certificates"
> 
> In Keychain Access, I could not see the expired certs, and was
> thinking that they were just deleted for being old. Once I could find
> the old ones, I could turn them back on.

Ah, that explains why I couldn't see it. :-)

> The second thing is that for whatever reason, I could not download
> and install the new cert into Keychain Access. But ... oddly, Firefox
> 52 ESR had that cert installed (even that old ...???). I could export
> from Firefox, and import THAT into Keychain Access, and at least
> enable that for my account.
> 
> So, ... well, not perfect. These certs are marked as trusted for *my
> account*. Not for the system. So predictably, some things done by the
> system in the background will fail, but at least Chrome and Firefox
> both now work fine. (Safari isn't tested, but ... well, Safari isn't
> tested :=-).

On 10.6.8, I wasn't able to add to the system keychain
via the Keychain Access GUI (even after unlocking it),
but I was able to do it using the "security" command
following these instructions:

  How do I update my root certificates on an older version of Mac OS (e.g. El Capitan)?
  https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi

If you have ISRG Root X1 as a .pem file, something like this
should import it into the "System" keychain:

  sudo security -v add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain isrgrootx1.pem

For the "System Roots" keychain, instead of the "System" keychain:

  sudo security -v add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain isrgrootx1.pem

I don't know if it matters which of these keychains it goes into.

cheers,
raf
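
Added example, not part of raf's message or of the linked instructions: a root marked trustRoot is trusted for everything, so it is worth checking the SHA-256 fingerprint of the .pem against a value obtained independently of the download before running the import. The script name, the function names and the sample bytes are constructed for illustration, Python 3 is assumed to be installed, and the expected fingerprint is supplied by the user, not taken from this page.

```python
import base64
import hashlib
import re
import subprocess
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes so the example runs offline; NOT a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"

def make_pem(der):
    """Wrap DER bytes in PEM armour (used here only to build the sample)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

def pem_fingerprints(pem_text):
    """SHA-256 (lowercase hex) of the DER body of every certificate block."""
    return [hashlib.sha256(
                base64.b64decode("".join(b.split()), validate=True)).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def normalise(fp):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex; return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def check_pem(pem_text, expected_fp):
    """True only for exactly one certificate whose fingerprint matches."""
    found = pem_fingerprints(pem_text)
    want = normalise(expected_fp)
    return len(found) == 1 and len(want) == 64 and found[0] == want

def import_command(pem_path, keychain="/Library/Keychains/System.keychain"):
    """The 'security' invocation quoted in the message above, as an argv list."""
    return ["sudo", "security", "-v", "add-trusted-cert", "-d",
            "-r", "trustRoot", "-k", keychain, pem_path]

if __name__ == "__main__":
    # usage: python3 verify_then_import.py isrgrootx1.pem <expected-sha256>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_then_import.py CERT.pem EXPECTED_SHA256")
    path, expected = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        if not check_pem(fh.read(), expected):
            sys.exit("fingerprint mismatch: not importing " + path)
    sys.exit(subprocess.call(import_command(path)))
```

The check fails closed: a file with no certificate, more than one certificate, or a fingerprint that is not 64 hex digits is refused and the security command is never run.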


