Let's Encrypt DST Root CA X3 Expiration
raf
macports at raf.org
Sun Oct 3 03:25:42 UTC 2021
On Sat, Oct 02, 2021 at 08:06:27PM -0700, Michael <keybounce at gmail.com> wrote:
> So, first, I want to say "Thank you" for this bit:
>
> > • From View menu select "Show Expired Certificates"
>
> In keychain access, I could not see the expired certs, and was
> thinking that they were just deleted for being old. Once I could find
> the old ones, I could turn them back on.
Ah, that explains why I couldn't see it. :-)
> The second thing is that for whatever reason, I could not download
> and install the new cert into keychain access. But ... oddly, Firefox
> 52 ESR had that cert installed (even that old ...???). I could export
> from firefox, and import THAT into keychain access, and at least
> enable that for my account.
>
> So, ... well, not perfect. These certs are marked as trusted for *my
> account*. Not for the system. So predictably, some things done by the
> system in the background will fail, but at least Chrome and Firefox
> both now work fine. (Safari isn't tested, but ... well, Safari isn't
> tested :=-).
On 10.6.8, I wasn't able to add to the system keychain
via the Keychain Access GUI (even after unlocking it),
but I was able to do it using the "security" command
following these instructions:
How do I update my root certificates on an older version of Mac OS (e.g. El Capitan)?
https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
If you have ISRG Root X1 as a .pem file, something like this
should import it into the "System" keychain:
sudo security -v add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain isrgrootx1.pem
For the "System Roots" keychain, instead of the "System" keychain:
sudo security -v add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain isrgrootx1.pem
I don't know if it matters which of these keychains it goes into.
cheers,
raf
More information about the macports-users
mailing list