Sunday 11 November 2018

macos - HTTPS certificates invalid on Safari, Chrome on specific user account


Safari and Chrome report invalid certificates on certain HTTPS sites (for example GitHub and Bitbucket). Firefox strangely shows a green valid certificate.


I've created a new OS X user and everything is perfectly valid there. I thought that maybe there was some invalid certificate in my login keychain. However, even after removing all certs from that keychain, it still reports as invalid.


The Entrust cert that only shows on my account is present in my login keychain. I removed it, which makes the DigiCert High Assurance EV Root CA the new top certificate in the list, but it is not the same cert as on the working account...


The problem also occurs when using curl or for example pushing with git.


Is there something I'm overlooking?


UPDATE
Everything works after copying the DigiCert High Assurance EV Root CA from the System Roots to the login keychain. But why is this necessary on my user account?


[Image: Certificate chain in Safari on my user account]


[Image: Certificate chain in Safari on a new OS X account]



Answer



It seems that somehow Chrome and Safari for that account are using an expired root certificate, even though a new one is already present in your System Roots.


However, by default Keychain Access does not show expired certificates: enable that using menu View, Show Expired Certificates, and then search for the name of the expired certificate, like "digicert high". Then delete any expired one. As all is fine in a new user account, the culprit must be in your Login Keychain.


(This doesn't explain why Firefox uses the correct one; I would expect all browsers to simply delegate the full validation to OS X, but apparently not.)

