Instructions for clearing an expired DigiCert SSL certificate on OSX
Problem:
* Visiting several sites, such as GitHub, Gravatar, and Twitter’s CDN, results in “invalid certificate” errors
* For example: http://i.imgur.com/8gPRfI3.png
Instructions:
- Launch Keychain Access via Spotlight:
  - ⌘-Space
  - Type “Keychain Access”
  - Hit return
- Ensure that expired certificates are visible by selecting “Show Expired Certificates” from the View menu
- Search for “Digicert”.
- Right-click the certificate with a red X and select “Delete DigiCert High Assurance EV Root CA”
- The certificate may not look removed until Keychain Access is restarted
- Restart your browsers
- If problems persist, confirming your OS is up to date may help.
You should once again be able to access the affected sites.
Instructions and screenshots courtesy of Allen Hancock of Watchman Monitoring and Aaron Graves of WeSpire
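A command-line way to find the same expired certificate, given here as an added example that is not part of the original instructions. It assumes the macOS `security` tool and `openssl` are available; the function name `expiring_certs` is made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# expiring_certs [SECONDS]: read a PEM bundle on stdin and print the subject,
# end date and SHA-1 fingerprint of every certificate that expires within
# SECONDS from now (default 0, meaning it has already expired).
expiring_certs() {
    horizon="${1:-0}"
    tmp="$(mktemp)" || return 1
    while IFS= read -r line; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----")
                # Start of a new certificate: overwrite the scratch file.
                printf '%s\n' "$line" > "$tmp" ;;
            "-----END CERTIFICATE-----")
                printf '%s\n' "$line" >> "$tmp"
                # -checkend N exits non-zero if the cert expires within N seconds.
                if ! openssl x509 -in "$tmp" -noout -checkend "$horizon" \
                        >/dev/null 2>&1 </dev/null; then
                    openssl x509 -in "$tmp" -noout \
                        -subject -enddate -fingerprint -sha1 </dev/null
                fi ;;
            *)
                printf '%s\n' "$line" >> "$tmp" ;;
        esac
    done
    rm -f "$tmp"
}

# On a Mac, export every certificate whose common name contains "DigiCert"
# from the default keychain search list and report the expired ones.
if [ "$(uname -s)" = "Darwin" ]; then
    security find-certificate -a -c "DigiCert" -p | expiring_certs 0
fi
```

A certificate reported this way can also be removed without the GUI using `security delete-certificate -Z` followed by its SHA-1 hash as printed by `security find-certificate -Z`.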
To find expired certificates, ensure these are shown; enable “Show Expired Certificates” in the “View” menu.
I’ve added that step back in, thanks!
I had the same issue but deleting the cert did not fix the issue. I also reset my keychain, which failed to fix the issue. In the end, it seems the cert in question, which was in widespread usage, has been updated (not sure how) via an OSX security update. If you update your OSX with the latest (post 7/26/2014) changes, it may fix the issue. This was the eventual solution for me.
Running Software Update to get the latest root certificates into the System Keychain is also a great tip.
Thanks for sharing the solution. Super helpful in being able to reach the community of users. We really appreciate the help in sharing these tips.
What I think:
——–
iCloud keychain sync makes the problem worse.
My experience
——————
I had the same problem on a laptop and a desktop, and deleting the expired cert did _not_ help on the laptop. Then did the same on the desktop and it worked!
In other words, when deleting the bad cert from the laptop – iCloud sync somehow ‘restored’ it back to that machine, so I had to delete it from the machine where I first used it.
Interesting feedback, thanks!
I’ve deleted that cert. Rebooted. And some sites now are working. But most of the others now are giving an error on other certs, also by DigiCert. But I can’t see it on the keychain. This is really weird. It didn’t happen before July 26. Do you know how I can fix it?
Hi Leandro,
Maybe other important certificates were removed?
Thanks for helping me fix this issue I was seeing.
Thanks for the post. Was seeing this issue on Github, and this fixed it.
Cheers.
I was wondering why I couldn’t access GitHub. A million thank yous for posting this!