Updating SSL root certs on old Mac (running Lion)
My father-in-law reported that an "Invalid SSL certificate" error suddenly started appearing on his online banking website.
After verifying it's not a website issue (it loads correctly on other computers), I understood that the root certificate of the website certificate is not being trusted, probably because it is too new and the Mac is not being updated anymore.
Is my understanding correct?
If yes, is there a safe way to download new root certificates that are being added to recent Macs?
Solution 1:
Inspecting the certificate at https://www.intesasanpaolo.com, you can see that it uses the root certificate Chambers of Commerce Root - 2008. Upon inspecting the System Roots in Keychain Access on a Mac running Mac OS X Lion, this root certificate is trusted by the OS by default. This means that Safari should properly trust this website without prompting about an "Invalid SSL certificate".
I would first verify that you see this certificate in the System Roots and that it has not been accidentally set to Never Trust.
You can also securely obtain the root certificate used by this website at https://www.camerfirma.com/clavespublicas. You specifically need the certificate
Chambers of Comerce ROOT - 2008 -> SHA1 78 6a 74 ac 76 ab 14 7f 9c 6a 30 50 ba 9e a8 7e fe 9a ce 3c
Direct Link
When you open this certificate, you can select to install it to the System keychain. This should allow Safari to properly trust the SSL on that website.
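An added example, not part of either answer: a check that a downloaded root certificate file hashes to the SHA-1 fingerprint quoted in the answer above before it is installed into the System keychain. It assumes Python 3 is available; the script and certificate file names are hypothetical.

```python
import hashlib
import ssl
import sys

# SHA-1 fingerprint quoted in the answer above for the Camerfirma 2008 root.
PUBLISHED_SHA1 = "78 6a 74 ac 76 ab 14 7f 9c 6a 30 50 ba 9e a8 7e fe 9a ce 3c"
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def normalize_fingerprint(text):
    """Reduce 'AA:BB:..', 'aa bb ..' or 'aabb..' to 40 lower-case hex digits."""
    hexstr = text.replace(":", "").replace(" ", "").strip().lower()
    if len(hexstr) != 40 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return hexstr


def to_der(data):
    """Return the DER bytes of a certificate file that may be PEM or DER."""
    if PEM_HEADER in data:
        # PEM is base64-wrapped DER; strip() tolerates stray blank lines.
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data


def cert_sha1(data):
    """A certificate fingerprint is the hash of its DER encoding."""
    return hashlib.sha1(to_der(data)).hexdigest()


def matches_published(data, published=PUBLISHED_SHA1):
    """True only if the file hashes to the published fingerprint."""
    return cert_sha1(data) == normalize_fingerprint(published)


if __name__ == "__main__":
    # Usage (hypothetical names): python3 check_root.py downloaded_root.crt
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print("computed :", cert_sha1(blob))
    print("published:", normalize_fingerprint(PUBLISHED_SHA1))
    if not matches_published(blob):
        sys.exit("MISMATCH: do not add this file to the System keychain")
    print("match: file hashes to the published fingerprint")
```

The comparison is only as trustworthy as the channel the published value was read over, so read the fingerprint on a machine whose trust store is current.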
Solution 2:
Yes, if the certificate is being accepted by other, newer machines, it does seem likely that the issue is that your father's machine isn't receiving updates to its root certificate trust store. I wasn't able to verify that Lion isn't receiving those, but I think it's a fair guess.
Well, that's a harder question to answer. If you look here and here, it does seem like it's possible to do, but you'd need to find the keychain files from a newer OS and pull them into Lion. It's really just a guess as to whether the steps in that answer would work for you since it's 10.8. I actually would advise figuring out which certificate shows up as expired on your machine (or which root certificate is missing/untrusted), and downloading that specific certificate and appropriately trusting it, first. But if you want to, you could also back up your system and give that second answer a shot. Hopefully you have access to a more recent macOS installer you can extract files from.