- On older versions of macOS you may have difficulty reaching various secure web sites. They might give you a certificate expired error. They will work in Firefox, but not in Safari or Chrome. They also work on newer versions of macOS (e.g. Catalina, Big Sur). This seems to be because Safari and Chrome use the OS root certificate store and Firefox uses its own, and El Capitan and older versions of macOS are not being updated.
- To update the root certificates on old versions of macOS, follow these steps:
- On a Mac with up-to-date certificates, launch Keychain Access, select "System Roots", select all certificates, select File->Export, and export them as a `rootcerts.pem` file. This file will contain all the certificates concatenated.
- Copy the `rootcerts.pem` file to your obsolete macOS.
- Make the trustroot shell script below:
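```bash
#!/bin/bash
# Usage: sudo ./trustroot rootcerts.pem
# Create a private temporary directory (TMPDIR may be unset under sudo).
DIR=$(mktemp -d "${TMPDIR:-/tmp}/trustroot.XXXXXX") || exit 1
# Remove the temporary directory when the script exits.
trap 'rm -rf "${DIR}"' EXIT
# Split the bundle into one file per certificate (BSD split -p).
cat "$1" | (cd "${DIR}" && /usr/bin/split -p '-----BEGIN CERTIFICATE-----' - cert- )
# Add each certificate to the System keychain as a trusted root.
for c in "${DIR}"/cert-* ; do
  security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$c"
done
```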
- e.g. by copying it into a file named `trustroot`, then using `chmod 755 trustroot`
- Run `sudo ./trustroot rootcerts.pem`
- The script splits the .pem file into a number of certificates in a temporary directory, then adds them as trustRoot certificates to the System keychain; they will then operate as trusted roots in addition to the certificates in the original "System Roots" keychain. In case you were wondering, you cannot add them to the System Roots keychain as that can only be updated by the operating system.
Note this copies over the first group of certificates ("Trusted Certificates" in the question), but not the second nor the third.
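
An added example, not part of the original answer: a pre-flight check that lists a SHA-256 fingerprint for every certificate in `rootcerts.pem` and flags malformed or duplicate blocks, so the list can be reviewed and compared between the two Macs before anything is added as a trusted root. The names `bundle_manifest` and `to_pem` and the sample data are constructed for illustration; the code avoids Python 3-only syntax so it can also run under the Python 2.7 shipped with older macOS.

```python
from __future__ import print_function
import base64, hashlib, re, sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def bundle_manifest(pem_text):
    """Return (fingerprints, problems) for a concatenated PEM bundle.
    fingerprints: sorted unique SHA-256 hex digests of each decoded block.
    problems: notes on blocks to investigate before trusting the bundle."""
    fingerprints, problems = set(), []
    blocks = PEM_BLOCK.findall(pem_text)
    if pem_text.count(BEGIN) != len(blocks):
        problems.append("unbalanced BEGIN/END markers")
    for i, body in enumerate(blocks, 1):
        if "-----" in body:  # a truncated block swallowed the next BEGIN line
            problems.append("block {}: marker inside body".format(i))
            continue
        try:
            der = base64.b64decode("".join(body.split()))
        except (TypeError, ValueError):  # bad padding (Python 2 / Python 3)
            problems.append("block {}: invalid base64".format(i))
            continue
        # Every X.509 certificate is a DER SEQUENCE, so it starts with 0x30.
        if not der or bytearray(der)[0] != 0x30:
            problems.append("block {}: not DER".format(i))
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in fingerprints:
            problems.append("block {}: duplicate certificate".format(i))
        fingerprints.add(fp)
    return sorted(fingerprints), problems

def to_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample below)."""
    return "{}\n{}\n{}\n".format(BEGIN, base64.b64encode(der).decode("ascii"), END)

# Constructed sample (not real certificates): two tiny DER SEQUENCEs, a duplicate, junk.
SAMPLE_DER = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE = "".join(to_pem(d) for d in SAMPLE_DER + [SAMPLE_DER[0], b"not a certificate"])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    fps, problems = bundle_manifest(text)
    print("\n".join(fps))
    print("{} unique certificates, {} problems".format(len(fps), len(problems)))
    for p in problems:
        print("WARNING:", p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it with the bundle path as the only argument on both machines; identical output means the file that reaches the old Mac holds the same certificates that were exported.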