On Sat, Oct 02, 2021 at 08:06:27PM -0700, Michael <[email protected]> wrote:
> So, first, I want to say "Thank you" for this bit: > > > • From View menu select "Show Expired Certificates" > > In keychain access, I could not see the expired certs, and was > thinking that they were just deleted for being old. Once I could find > the old ones, I could turn them back on. Ah, that explains why I couldn't see it. :-) > The second thing is that for whatever reason, I could not download > and install the new cert into keychain access. But ... oddly, Firefox > 52 ESR had that cert installed (even that old ...???). I could export > from firefox, and import THAT into keychain access, and at least > enable that for my account. > > So, ... well, not perfect. These certs are marked as trusted for *my > account*. Not for the system. So predictably, some things done by the > system in the background will fail, but at least Chrome and Firefox > both now work fine. (Safari isn't tested, but ... well, Safari isn't > tested :=-). On 10.6.8, I wasn't able to add to the system keychain via the Keychain Access GUI (even after unlocking it), but I was able to do it using the "security" command following these instructions: How do I update my root certificates on an older version of Mac OS (e.g. El Capitan)? https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi If you have ISRG Root X1 as a .pem file, something like this should import it into the "System" keychain: sudo security -v add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain isrgrootx1.pem For the "System Roots" keychain, instead of the "System" keychain: sudo security -v add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain isrgrootx1.pem I don't know if it matters which of these keychains it goes into. cheers, raf
