How do I update my root certificates on an older version of Mac OS (e.g. El Capitan)?

keychain google-chrome security certificate safari

The easiest way to do this is to transfer your System Root certificates from another Mac to which you have access that runs a more modern version of macOS. (Why not just download them? See note that the end of this answer.)

  1. First find the more modern Mac with a working set of System Root certificates (i.e. that can access the problematic web sites)
  2. On that Mac, launch Keychain Access, select "System Roots", select all the certificates, select File->Export, and export them as rootcerts.pem file. This file will contain all the certificates concatenated.
  3. Copy the rootcerts.pem file to your antique mac
  4. Make the trustroot shell script below, e.g. by copying it into a file, then using chmod 755 trustroot
  5. Run sudo ./trustroot rootcerts.pem 
#!/bin/bash
DIR=${TMPDIR}/trustroot.$$
mkdir -p ${DIR}
trap "rm -rf ${DIR}" EXIT
cat "$1" | (cd $DIR && split -p '-----BEGIN CERTIFICATE-----' - cert- )
for c in ${DIR}/cert-* ; do
   security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$c"
done
rm -rf ${DIR}

What the script does is splits the .pem file into a number of certificates in the temporary directory concerned, then adds them as trustRoot certificates to the System key chain; they will then operate as trusted roots in addition to the certificates in the original "System Roots" keychain. In case you were wondering, you cannot add them to the System Roots keychain as that can only be updated by the operating system.

Note this copies over the first group of certificates ("Trusted Certificates" in the question), but not the second nor the third.

Kudos to this answer for a hint.

You might wonder why I didn't simply put a link to a more modern bundle of certificates somewhere on the web. After all, that would allow you to skip steps 1-3, and simply download rootcerts.pem. The answer is that you would have no way of knowing that I had not tampered with the root certificates and inserted one of my own, allowing me to impersonate any website by making a fake certificate signed with my own root certificate. Please therefore treat with extreme scepticism any advice to solve this problem by downloading root certificates from anywhere unless you have can independently check the provenance of those certificates.


For anyone without access to an up-to-date Apple OS install: you can download the root certificate at cause (that one exclusively) from the issuer's site and install it. Instructions are here but double-check where in Keychain Access your system has stored the expired R3 certificate (could be "System Roots" instead of "System").

MacPorts have a port (apple-pki-bundle) which installs .pem file containing a bunch of certificates downloaded from Apple, GeoTrust and DigiCert (port source here. It does not at the moment include the ISRG certificate but I have to assume it contains at least a number of the certificates you'd get with the recipe outlined above. Checksumming ensures that you get the intended certificates; AFAICT you'll need to add the bundle to your system's root certificates yourself.

Related

Disable Shift Cmd Q for logout
Screen annotation software to draw on any app in OSX
How can I export text substitutions from Lion for import into Mountain Lion
Why is it that my Mac would rather swap than clear inactive memory?
How to install apps to Snow Leopard after a fresh reinstall and still keep the MacBook in a pre-first-boot state?
Can't create partition on free space with Disk Utility [duplicate]
What are some tips for replacing my MacBook Pro hard disk with SSD?
How can I add a path to the PATH environment variable?
Do the Magic Mouse or Magic Trackpad support “middle click”?
What readers annotate PDFs better than the Preview app?
Remove all duplicates on iTunes library
Is there a way to prevent those pesky .DS_Store files from being ever created?