How to tell why macOS thinks that a certificate is revoked?

I tried crlrefresh rp and also manually deleting the OCSP cache with sudo rm /var/db/crls/*cache.db as documented by GlobalSign.

However, the cache seems to be in a different location on macOS 10.12 Sierra. The following command worked for me and resolved the problem:

$ sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM responses WHERE responderURI LIKE "%http://%.globalsign.com/%";'

I also tried deleting the whole database, but it does not seem to come back automatically.

If unsure, better just restore ~/Library/Keychains/*/ocspcache.sqlite3* (including -shm and -wal) from a backup before the OCSP servers started to give wrong replies, for example from yesterday.
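
Added example (not part of the answer above, and not Apple or GlobalSign code): a Python sketch that first snapshots the cache, reports how many responses are cached per responder, and only then runs the same DELETE with the pattern as a bound parameter. Only the `responses` table and its `responderURI` column come from the command above; the function name `purge_responder`, the `body` column, the file names and the sample URLs are constructed for the demo.

```python
import sqlite3
import tempfile
from pathlib import Path

def purge_responder(db_path, like_pattern, backup_path):
    """Snapshot the cache, then delete responses cached from matching responders.

    Returns (per-responder counts before the delete, number of rows deleted).
    """
    conn = sqlite3.connect(str(db_path))
    try:
        # The online backup API copies a consistent snapshot, including pages
        # still sitting in the -wal file, into a single file.
        snapshot = sqlite3.connect(str(backup_path))
        try:
            conn.backup(snapshot)
        finally:
            snapshot.close()
        before = conn.execute(
            "SELECT responderURI, COUNT(*) FROM responses "
            "GROUP BY responderURI ORDER BY responderURI").fetchall()
        # Bound parameter: the pattern is never spliced into the SQL text.
        deleted = conn.execute(
            "DELETE FROM responses WHERE responderURI LIKE ?",
            (like_pattern,)).rowcount
        conn.commit()
        return before, deleted
    finally:
        conn.close()

def demo():
    """Run against a constructed database; 'body' is a made-up column."""
    workdir = Path(tempfile.mkdtemp())
    db, bak = workdir / "ocspcache.sqlite3", workdir / "ocspcache.backup.sqlite3"
    conn = sqlite3.connect(str(db))
    conn.execute("CREATE TABLE responses (responderURI TEXT, body BLOB)")
    conn.executemany("INSERT INTO responses VALUES (?, ?)", [
        ("http://ocsp.globalsign.com/constructed", b"a"),
        ("http://ocsp.globalsign.com/constructed", b"b"),
        ("http://ocsp.example.test/ca", b"c")])
    conn.commit()
    conn.close()
    before, deleted = purge_responder(db, "%http://%.globalsign.com/%", bak)
    left = [r[0] for r in sqlite3.connect(str(db)).execute(
        "SELECT responderURI FROM responses")]
    saved = sqlite3.connect(str(bak)).execute(
        "SELECT COUNT(*) FROM responses").fetchone()[0]
    return before, deleted, left, saved

if __name__ == "__main__":
    print(demo())
```

The per-responder counts returned before the delete show which responders the cache actually holds entries for, and the snapshot file can be inspected or restored if the delete removed more than intended.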


Might be this: it seems GlobalSign has got a problem with their OCSP. This is taken from their Twitter (https://twitter.com/globalsign/status/786505261842247680?lang=da):

We are currently experiencing issues with our OCSP which is causing certificate warning messages. We aim to fix this as soon as possible.

And also

UPDATE: If you're a MAC user, please clear your cache with crlrefresh rp

or View and/or Delete CRL, OCSP Cache