Mac showing valid SSL certificates as expired

by | Nov 30, 2021 | Blog | 1 comment

Older versions of Mac OS have hit a snag in the last month or so, because they’ve failed to update expired root certificates.

The way SSL certificates work is that an organisation that issues them per site, will have a master, or root, certificate. In this case, the issue is with Let’s Encrypt, who look after thousands upon thousands of SSL certificates.

Their root certificate known as  DST Root CA X3 expired at the end of September. And was replaced by ISRG Root X1.

Not an issue, the core certificate just updates right? Well, not if you’re on an older version of Mac OS it doesn’t.

Although this change has been known about for years, and ISRG Root X1 is widely adopted, Apple failed to include it in any build before 10.12.1 so any certificates issued by Let’s Encrypt, will automatically be untrusted. Way to go Apple.


1 – The simplest workaround is to use Firefox. Firefox ignores the OS key directory and has it’s own internal one, whereas Safari and Chrome both rely on the OS level keychain.

2 – Update your OS. 10.12.1 is out of support now, so you should probably look at updating anyway if your hardware supports it.

3 – Install the new Root certificate, detailed below

Installing ISRG Root X1

  1. Download the ISRG certificate from here:
  2. Open the Keychain Access app and drag that file into the System folder of that app.
  3. Find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change “Use System Defaults” to “Always Trust”, then close that and enter your password to confirm the change (if prompted).

Afraid I can’t supply screenshots, because I don’t have any Apple machines! But if someone follows the process above and sends me screenshots then I’d be happy to include them in the blog

Can the website owner fix this?

Sadly not, it’s purely an OS issue (and specifically, an unsupported OS issue) all supported versions should already have the key installed. There’s nothing the website owners can do about this since the certificates rely on the valid root certificate being installed.

Hope that helps!

1 Comment

  1. Zoe

    Thank you Andy! This has been driving me crazy! All sorted on my mac 🙂


Submit a Comment

Your email address will not be published. Required fields are marked *

Related   Posts

How do the one day builds work?

How do the one day builds work?

One Day Builds For the past 2 years we've been offering our "One Day Builds". They're a perfect way to get your site built quickly and get some training on how to make changes and add new sections in the future. Can we really build a whole site in a single day? Yes!...

Should I be moving to Kadence and Stylecloud?

Should I be moving to Kadence and Stylecloud?

There's a lot of hype at the moment around the Kadence theme, Kadence blocks, and The Design Space's new baby, Stylecloud. So are they worth the hype? Kadence and Stylecloud Explained Kadence is a block based builder, using custom WordPress "Gutenberg" blocks there...

Adding Masonry Galleries to Divi

Adding Masonry Galleries to Divi

One of the big frustrations I have with Divi is the lack of any real gallery options, there's only a grid or carousel. So if your images are in a variety of ratios it just doesn't cut it. Thankfully, there is an easy way to add a masonry gallery to any Divi site (or...