How do I update my root certificates on an older version of Mac OS (e.g. El Capitan)?

The easiest way to do this is to transfer your System Root certificates from another Mac to which you have access that runs a more modern version of macOS. (Why not just download them? See the note at the end of this answer.)

  1. First find the more modern Mac with a working set of System Root certificates (i.e. one that can access the problematic web sites).
  2. On that Mac, launch Keychain Access, select "System Roots", select all the certificates, select File->Export, and export them as a rootcerts.pem file. This file will contain all the certificates concatenated.
  3. Copy the rootcerts.pem file to your antique Mac.
  4. Make the trustroot shell script below, e.g. by copying it into a file, then using chmod 755 trustroot.
  5. Run sudo ./trustroot rootcerts.pem
#!/bin/bash
# Usage: sudo ./trustroot rootcerts.pem
[ -f "$1" ] || { echo "usage: $0 bundle.pem" >&2; exit 1; }
DIR="${TMPDIR:-/tmp}/trustroot.$$"   # fall back to /tmp if TMPDIR is unset (e.g. under sudo)
mkdir -p "${DIR}"
trap 'rm -rf "${DIR}"' EXIT          # clean up the temporary directory however the script exits
# BSD split -p starts a new file at every line matching the pattern, i.e. one file per certificate
(cd "${DIR}" && split -p '-----BEGIN CERTIFICATE-----' - cert-) < "$1"
for c in "${DIR}"/cert-* ; do
   [ -s "$c" ] || continue           # skip any empty chunk split may emit before the first BEGIN line
   security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$c"
done

What the script does is split the .pem file into a number of certificates in the temporary directory concerned, then add them as trustRoot certificates to the System keychain; they will then operate as trusted roots in addition to the certificates in the original "System Roots" keychain. In case you were wondering, you cannot add them to the System Roots keychain, as that can only be updated by the operating system.

Note this copies over the first group of certificates ("Trusted Certificates" in the question), but not the second nor the third.

Kudos to this answer for a hint.


You might wonder why I didn't simply put a link to a more modern bundle of certificates somewhere on the web. After all, that would allow you to skip steps 1-3 and simply download rootcerts.pem. The answer is that you would have no way of knowing that I had not tampered with the root certificates and inserted one of my own, allowing me to impersonate any website by making a fake certificate signed with my own root certificate. Please therefore treat with extreme scepticism any advice to solve this problem by downloading root certificates from anywhere unless you can independently check the provenance of those certificates.
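To make that provenance check concrete, here is an added helper (not part of the answer above, standard library only) that does the same splitting of rootcerts.pem as the script's split -p step and prints a SHA-256 fingerprint for every certificate in the bundle, so each one can be compared against the fingerprint the issuer publishes, or against what Keychain Access on the source Mac shows, before it is trusted. A block that begins but never ends is dropped rather than merged into its neighbour; corrupt base64 raises instead of being silently skipped.

```python
"""Split a PEM certificate bundle and fingerprint every certificate in it.
Added example (not the original answer's code); pure standard library."""
import base64
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem(text):
    """Return one list of base64 lines per complete BEGIN/END block.
    Comments, blank lines and other PEM object types are ignored; a BEGIN
    that is never closed is discarded instead of swallowing the next block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            current = []                     # start (or restart) a block
        elif line == END and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def pem_to_der(lines):
    """Decode the base64 body of one block to DER; validate=True makes
    any non-base64 byte (truncation, editing) raise ValueError."""
    return base64.b64decode("".join(lines), validate=True)


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest, as Keychain Access and
    openssl x509 -fingerprint display it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def bundle_fingerprints(text):
    """(index, SHA-256 fingerprint) for each certificate in the bundle text."""
    return [(i, fingerprint(pem_to_der(b))) for i, b in enumerate(split_pem(text))]


def main(path):
    with open(path, encoding="ascii") as f:
        for i, fp in bundle_fingerprints(f.read()):
            print(f"cert-{i:03d}  SHA256 {fp}")


if __name__ == "__main__":
    main(sys.argv[1])              # python3 pemfp.py rootcerts.pem
```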


For anyone without access to an up-to-date Apple OS install: you can download the root certificate in question (that one exclusively) from the issuer's site and install it. Instructions are here, but double-check where in Keychain Access your system has stored the expired R3 certificate (it could be "System Roots" instead of "System").

MacPorts has a port (apple-pki-bundle) which installs a .pem file containing a bunch of certificates downloaded from Apple, GeoTrust and DigiCert (port source here). It does not at the moment include the ISRG certificate, but I have to assume it contains at least a number of the certificates you'd get with the recipe outlined above. Checksumming ensures that you get the intended certificates; AFAICT you'll need to add the bundle to your system's root certificates yourself.