On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users <macports-users@lists.macports.org> wrote:
> I see that I already have the latest ISRG Root X1 certificate in the
> System Roots keychain, so not sure why I would need to add it to my
> System keychain.

It doesn't sound sensible, does it? I followed those instructions,
then added it to System Roots because it hadn't changed anything,
only to discover (on 10.6) that only TLSv1.0 was supported by the
system-supplied software so things wouldn't work anyway.

I still don't understand why /usr/bin/curl isn't working for me on
10.14 but Safari is.

> And when I went to https://letsencrypt.org/certs/isrgrootx1.pem
> to download, it showed up as a .cer instead of a .pem.
>
> -Al-

That file is in PEM format. Is it just the filename suffix that is of
concern, or the format? i.e. does it start with
"-----BEGIN CERTIFICATE-----"? If so, it can be renamed to
isrgrootx1.pem (but it might not matter).

If you have a binary file in DER format, it can be converted to PEM format:

  openssl x509 -inform der -outform pem -in file.der -out file.pem

Or just download the PEM version. They have both available.

cheers,
raf

> > On Oct 29, 2021, at 10:25 PM, Michael <keybou...@gmail.com
> > <mailto:keybou...@gmail.com>> wrote:
> >
> > So I found this advice online for updating certs without having to worry
> > about trusting expired old certs.
> >
> > 1. Visit https://letsencrypt.org/certs/isrgrootx1.pem to download the
> > certificate, and save it in the Documents folder.
> >
> > 2. Open Terminal, paste this command, and press enter:
> >
> > sudo security -v add-trusted-cert -d -r trustRoot -k
> > "/Library/Keychains/System.keychain" ~/Documents/isrgrootx1.pem
> >
> > This eliminates the need for marking the expired DST root as special-case
> > trusted.
>
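
The format check and conversion raf describes, as an added shell example that is not part of the original thread: it decides PEM or DER from the file's content rather than its suffix, normalizes to PEM, and prints the SHA-256 fingerprint to compare with the CA's published value before the file is added as a trust root. The function names `cert_format`, `cert_to_pem` and `cert_fingerprint` are hypothetical helpers; only standard `openssl x509` options are used.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Print "pem", "der" or "unknown" for the file in $1, ignoring its suffix.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write a PEM copy of certificate $1 to $2. Passing a PEM input through
# openssl as well makes it reject a file that only looks like a certificate.
cert_to_pem() {
    case "$(cert_format "$1")" in
        pem) openssl x509 -inform pem -outform pem -in "$1" -out "$2" ;;
        der) openssl x509 -inform der -outform pem -in "$1" -out "$2" ;;
        *)   echo "not a PEM or DER certificate: $1" >&2; return 1 ;;
    esac
}

# Print the SHA-256 fingerprint of PEM certificate $1, to be compared by
# eye with the fingerprint the CA publishes before trusting the file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage when run as a script: sh certcheck.sh downloaded.cer isrgrootx1.pem
if [ "$#" -eq 2 ]; then
    cert_to_pem "$1" "$2" && cert_fingerprint "$2"
fi
```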