How to update my root certificates on an older version of macOS (e.g. El Capitan)?

Solution 1:

Important! To save yourself grief and extra work:

  1. Back up all Keychain files before running this script. They are here: HD/Library/Keychains, HD/System/Library/Keychains, and HD/Users/YourHD/Library/Keychains

  2. Only export root certificates from a new Mac that are not already listed in your old System Roots certificates.

  3. Do not delete any System Roots certificates in Keychain Access.

After spending more time on this than I ever wanted to, I got the script in https://apple.stackexchange.com/a/422333/9058 working. I don't know if it's the right way to do it, but it is working and I can now access all the sites that were being blocked as invalid on Safari and Google Chrome that are actually valid.

For anyone else who wants to try doing this, this is what I did to get the script working. This worked on an old Mac laptop running El Capitan 10.11.6.

I made a folder titled certificates on my user hard drive. I put the rootcerts.pem file from the new Mac in the folder.

I then opened a text editor to make a file for the script. (TextEdit, TextWrangler, etc. If using TextEdit, format the file as plain text.)

Copy and paste the entire #!/bin/bash script into the new file. Save the file as trustroot.sh in the certificates folder.

Open Terminal. I didn't know what directory I was in so I entered: echo $PATH

I was in the wrong directory so I entered the path to get to where I had created the folder (Your PATH/path may be different depending on where you saved your folder):

At the next prompt enter: cd ~/certificates/ Hit return.

Next enter: chmod 755 trustroot.sh Hit return.

Last enter: sudo ~/certificates/trustroot.sh rootcerts.pem Hit return and the script will run.

Or:

cd ~/certificates/
chmod 755 trustroot.sh
sudo ~/certificates/trustroot.sh rootcerts.pem

To log out of Terminal after script ends type: exit

The script ran perfectly and added the new certificates to the System folder in Keychain Access.

Return to Keychain Access and set only the SSL value of the new certificates to "Always Trust." The remaining menus should be set to "Use Custom Settings" and the rest set to "no value specified."

I don't know much about certificate security so if someone has a better answer, please correct this answer.

Important Note: If you imported duplicate root certificates to your System Keychain, you will overwrite the root certificate trust settings in the System Roots Keychain. The System Roots certificate will now be set to use "Always Trust," which is a security problem. Duplicates will have blue crosses on the certificates, indicating the certificates are using Custom Settings.

How to change the System Root certificates from using Custom Settings back to using the System Default settings:

  1. In Keychain Access, delete any duplicate certificates from the System Keychain. Do not delete any System Roots Keychain certificates.

  2. In the System Roots Keychain, open a certificate with a blue cross indicating a certificate with Custom Settings. Open the Trust section. Change all sub-menus from "Always Trust" to "no value specified." The main menu value should change to "Use System Defaults." Close the certificate window.

Enter your admin password when asked if you want to modify the keychain.

  3. Reopen the certificate you just changed. Select "Use System Defaults" again. Close the certificate.

Enter your admin password when asked if you want to update the keychain.

If you are not asked to enter your password after you close the certificate, the settings are not changed. Go back and reselect "Use System Defaults" again. Close and enter your password.

The blue cross takes a couple of seconds to disappear, but the Root certificate should return to the original system default settings.

Updating the trust settings creates a duplicate certificate in the System Keychain.

  4. Open the System Keychain and delete the duplicate root certificates. Restart your machine.

You should now be able to use the internet again on your old Mac laptop.
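The answer's point 2 and its Important Note both come down to one check: never import a root that System Roots already holds, because the duplicate's custom trust settings override the system defaults. The following script is an added example, not the script linked in the answer above, that performs that check before importing. It fingerprints every certificate in a PEM bundle (SHA-1 over the DER bytes, the value Keychain Access displays), compares against what `security find-certificate -a -p` reports from the System Roots and System keychains, and imports only the unknown ones with `security add-trusted-cert -p ssl`, so the new roots are trusted for the SSL policy only, matching the "set only the SSL value to Always Trust" advice. The keychain paths are the standard macOS locations and are assumptions; the script is written to run on the Python 2.7 that El Capitan ships as well as Python 3, and the `security` calls need sudo. The sample bundle at the bottom is constructed data, not real certificates.

```python
#!/usr/bin/env python
"""Add to the System keychain only the roots from a PEM bundle that are not
already present in System Roots (or the System keychain), trusting them for the
SSL policy only. Runs on Python 2.7 (shipped with El Capitan) or Python 3; the
`security` commands are only invoked on macOS and need sudo because of -d."""
import base64
import hashlib
import os
import re
import subprocess
import sys
import tempfile

# Standard macOS locations (assumed; adjust if your layout differs).
SYSTEM_ROOTS = "/System/Library/Keychains/SystemRootCertificates.keychain"
SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"

PEM_BLOCK = re.compile(
    r"(-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----)", re.S)


def pem_fingerprint(body):
    """SHA-1 over the DER bytes, i.e. the fingerprint Keychain Access displays."""
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha1(der).hexdigest().upper()


def split_pem(text):
    """Return [(pem_block, fingerprint), ...] for every certificate in text."""
    return [(block, pem_fingerprint(body)) for block, body in PEM_BLOCK.findall(text)]


def keychain_fingerprints(keychain):
    """Fingerprints of every certificate in a keychain (security find-certificate -a -p)."""
    out = subprocess.check_output(["security", "find-certificate", "-a", "-p", keychain])
    return set(fp for _, fp in split_pem(out.decode("ascii")))


def select_new(candidates, existing):
    """Keep candidates whose fingerprint is not already known; duplicates inside
    the bundle itself are dropped too, so nothing is imported twice."""
    seen = set(existing)
    new = []
    for block, fp in candidates:
        if fp not in seen:
            new.append((block, fp))
            seen.add(fp)
    return new


def add_trusted_root(block, keychain=SYSTEM_KEYCHAIN):
    """Import one root as a trusted anchor for the SSL policy only (-p ssl), which
    corresponds to setting just the SSL value to Always Trust in Keychain Access."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(block + "\n")
        subprocess.check_call(["security", "add-trusted-cert", "-d", "-r", "trustRoot",
                               "-p", "ssl", "-k", keychain, path])
    finally:
        os.unlink(path)


# Constructed sample data, not real certificates: the bodies are base64 of the
# bytes "abc" and "constructed root B". The first block appears twice in the
# bundle and is also pretended to be in System Roots already.
def _pem(body):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


SAMPLE_BUNDLE = "\n".join([
    _pem("YWJj"),
    _pem(base64.b64encode(b"constructed root B").decode("ascii")),
    _pem("YWJj"),
])
SAMPLE_EXISTING = set([pem_fingerprint("YWJj")])


def demo():
    """Run the selection on the sample; returns the fingerprints that would be added."""
    return [fp for _, fp in select_new(split_pem(SAMPLE_BUNDLE), SAMPLE_EXISTING)]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: sudo python trustroot.py rootcerts.pem\n")
        return 2
    with open(argv[1]) as f:
        candidates = split_pem(f.read())
    existing = keychain_fingerprints(SYSTEM_ROOTS) | keychain_fingerprints(SYSTEM_KEYCHAIN)
    new = select_new(candidates, existing)
    print("%d certs in bundle, %d to add" % (len(candidates), len(new)))
    for block, fp in new:
        print("adding " + fp)
        add_trusted_root(block)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `sudo python trustroot.py rootcerts.pem` from the certificates folder. Because the System Roots keychain is consulted first, a bundle exported from a newer Mac that still contains roots the old machine already has will not create the duplicates with blue crosses that the Important Note describes, so the cleanup steps above are not needed afterwards.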