AddTrust External CA Root certificate expired

I'm running El Capitan (macOS 10.11.6, 15G22010) with Safari 11.1.2.

The AddTrust External CA Root certificate expired today. This broke Safari navigation for many sites. Firefox and Chrome work fine on the same sites.

Can Safari navigation be fixed?


An insecure method to work around the certificate expiration is to tell your macOS to Always Trust this certificate.

When loading the site in Safari and seeing the "Safari can't verify the identity..." message, click Show Certificate, select the "Comodo RSA Certification Authority", then check the box that says "Always trust this certificate".

To reverse this, you should see a new entry in Keychain Access.app in the login keychain that shows this certificate as Always Trusted, which you can change back to "Use System Defaults".

Note that blindly accepting an expired certificate is a risky proposition; use at your own risk. (Say, if this Certificate Authority were compromised and revoked, Safari could show malicious sites as Secure. Rare, but it has happened in the past.)

I've not yet found a way to install an updated AddTrust/Comodo Root CA that solves this issue.


Same issue here; a temporary (not production-ready) fix is to set back your system date.


I had the same issue (same macOS/Safari versions).

I solved it for myself by installing the USERTrust RSA Certification Authority SHA-2 root certificate from the Sectigo website. It is in a knowledge base article called "How to Download & Install Sectigo Intermediate Certificates - RSA".

Go to the Sectigo website -> Support -> Knowledge Base, and it is the most viewed article as of this writing. The SHA-2 root certificate is towards the bottom of the article (just above the expired one).

After downloading, I opened the certificate in Keychain Access. It is untrusted by default, so I did right-click -> Get Info on the certificate, expanded the Trust part and chose "When using this certificate: Always Trust". You need a macOS admin password to make the change. When I did it the first time, my computer became unresponsive... (old 2008 MacBook), but after a reboot I could repeat the change and it went without a hitch.

I'm not a certificate expert, so I don't promise it is the "right kind" of workaround, or that it works for all websites. I just tried the one website which was failing me before, and I saw Safari is now using the newly installed SHA-2 root certificate for it.

Hope that helps.

Cheers.
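
The checks below are an added example, not part of the answer above: before marking a downloaded root certificate as always trusted, confirm that it parses, is unexpired, is self-signed, names the CA you expected, and matches a SHA-256 fingerprint obtained from a second source. The function names, the assumption that the file is PEM-encoded, and the constructed test certificate are illustrative; this page gives no fingerprint, so the expected value is a parameter.

```shell
#!/bin/sh
# Added example: checks to run on a downloaded root certificate before marking
# it "Always Trust". Requires the openssl command-line tool; input must be PEM.

# Print the SHA-256 fingerprint as bare uppercase hex (no colons).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# check_root_cert <cert.pem> <expected-sha256> <expected-name>
# Returns 0 only if every check passes; each failure has its own exit code.
check_root_cert() {
    cert=$1
    want_fp=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    want_name=$3

    # 1. The file must parse as a PEM X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "not a certificate"; return 1; }

    # 2. It must not already be expired (-checkend 0 fails once notAfter has passed).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "expired"; return 2; }

    # 3. A root is self-signed, so subject and issuer must be identical.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] || { echo "not self-signed: issued by $issr"; return 3; }

    # 4. The subject must name the CA you intended to install.
    case $subj in
        *"$want_name"*) ;;
        *) echo "unexpected subject: $subj"; return 4 ;;
    esac

    # 5. The fingerprint must match the value the CA publishes elsewhere.
    [ "$(cert_fingerprint "$cert")" = "$want_fp" ] || { echo "fingerprint mismatch"; return 5; }
    echo "ok: $subj"
}

# Constructed sample input: a throwaway self-signed certificate for trying the checks.
make_demo_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Run directly as: sh check_root.sh <cert.pem> <fingerprint published by the CA> <CA name>
if [ $# -eq 3 ]; then check_root_cert "$@"; fi
```

Take the expected fingerprint from a channel other than the page the file was downloaded from, so that a tampered download and a tampered fingerprint would have to agree.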