ADDTrust External CA Root certificate expired
I'm running El Capitan (macOS 10.11.6, 15G22010) with Safari 11.1.2.
The ADDTrust External CA Root certificate expired today. This broke Safari navigation for many sites. Firefox and Chrome work fine on the same sites.
Can Safari navigation be fixed?
An insecure method to work around the certificate expiration is to tell your macOS to Always Trust this certificate.
When loading the site in Safari and seeing the "Safari can't verify the identity..." click Show Certificate, select the "Comodo RSA Certification Authority", then check the box that says "Always trust this certificate".
To reverse this, you should see a new entry in Keychain Access.app in the login
keychain that shows this certificate as Always Trusted, which you can change back to "Use System Defaults".
Note that blindly accepting an expired certificate is a risky proposition, and use at your own risk. (Say, if this Certificate Authority were compromised and revoked, Safari could show malicious sites as Secure. Rare, but has happened in the past.)
I've not yet found a way to install an updated AddTrust/Comodo Root CA that solves this issue.
Same issue here; a temporary (not production-ready) fix is to set back your system date.
I had same issue (same macOS/Safari versions).
I solved it for myself by installing USERTrust RSA Certification Authority SHA-2 root certificate from Sectigo website. It is in a knowledge base article called How to Download & Install Sectigo Intermediate Certificates - RSA.
Go to Sectigo website -> Support -> Knowledge Base, and it is the most viewed article as of this writing. The SHA-2 root certificate is towards the bottom of the article (just above the expired one).
After downloading, I opened the certificate in Keychain Access. It is untrusted by default, so I did right-click -> Get Info on the certificate, expanded the Trust part and chose When using this certificate: always trust. You need a macOS admin password to make the change. When I did it first time, my computer became unresponsive... (old 2008 MacBook), but after a reboot I could repeat the change and it went without a hitch.
I'm not a certificate expert so I don't promise it is the "right kind" of workaround, or it works for all websites. I just tried the one website which was failing me before, and I saw Safari is now using the newly installed SHA-2 root certificate for it.
Hope that helps.
Cheers.