
BillCalif

macrumors newbie
Original poster
Mar 11, 2023
2
0
I have a Mac that can't run anything later than OS 10.6.8. I have several questions regarding certificates. "My Certificates" has no trusted certificates - they are expired. 1st question: Is that because Apple no longer updates the OS? I have read that Apple updates certificates when they are no longer trusted. 2nd question: One member mentioned he gets certificates from GlobalSign and DigiSign. Are trusted certificates available for free on these sites? 3rd question: Will the use of a trusted certificate prevent the reply from some sites "Your clock has the wrong time" when it isn't?

Any help would be greatly appreciated.
 

startergo

macrumors 601
Sep 20, 2018
4,811
2,200
The root certificate issues an Intermediate certificate which in turn is used to issue general certificates such as the ones for your website. This is called a "Chain" of trust. Your certificate (called a Leaf or end-entity certificate) will be validated by following this chain.

From Sept 30th 2021 Let's Encrypt's previous root certificate DST Root CA X3 (and its R3 intermediate) will expire. It has been replaced by their ISRG Root X1 certificate (and replacement R3 intermediate).
Some operating systems hold onto the expired R3 > DST Root CA X3 chain even if your server is no longer using it. Try a restart of the affected client device.
For older macOS not updated by Apple:
  • Download the ISRG Root X1 certificate file from http://x1.i.lencr.org/
  • Open the Keychain Access app and drag that file into the System folder of that app.
  • Find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change "Use System Defaults" to "Always Trust", then close that and enter your password to confirm the change (if prompted).

Fixing curl:
Code:
curl -k https://curl.se/ca/cacert.pem -o ~/.cacert.pem
Code:
echo 'export CURL_CA_BUNDLE=~/.cacert.pem' >> ~/.bash_profile
Reload your shell, or source ~/.bash_profile and you will once again be able to use curl with any URL using Let's Encrypt.
 
  • Like
Reactions: Slartibart

BillCalif

macrumors newbie
Original poster
Mar 11, 2023
2
0
Thank you for the reply. I followed the instructions you provided. The ISRG Root X1 is now in the Keychain System folder and is marked "Trusted." I set the "When using this Certificate" and all sections below as "always trusted." The My Certificates folder has no new certificates - only the old expired ones. Are there further steps? You mention "The root certificate issues an Intermediate certificate which in turn is used to issue general certificates such as the ones for your website." I don't have a website, just a computer trying to access websites. How do I get the chain you mention to start issuing these follow-on certificates? I appreciate you getting me this far. If I missed something let me know.
 

startergo

macrumors 601
Sep 20, 2018
4,811
2,200
Follow this guide:
 
  • Like
Reactions: Minghold