15.7 C
London
Wednesday, September 25, 2024

safari – How do I replace my root certificates on an older model of Mac OS (e.g. El Capitan)?


The simplest means to do that is to switch your System Root certificates from one other Mac to which you have got entry that runs a extra fashionable model of macOS. (Why not simply obtain them? See observe that the tip of this reply.)

  1. First discover the extra fashionable Mac with a working set of System Root certificates (i.e. that may entry the problematic internet sites)
  2. On that Mac, launch Keychain Entry, choose “System Roots”, choose all of the certificates, choose File->Export, and export them as rootcerts.pem file. This file will include all of the certificates concatenated.
  3. Copy the rootcerts.pem file to your vintage mac
  4. Make the trustroot shell script beneath, e.g. by copying it right into a file, then utilizing chmod 755 trustroot
  5. Run sudo ./trustroot rootcerts.pem
#!/bin/bash
DIR=${TMPDIR}/trustroot.$$
mkdir -p ${DIR}
entice "rm -rf ${DIR}" EXIT
cat "$1" | (cd $DIR && /usr/bin/cut up -p '-----BEGIN CERTIFICATE-----' - cert- )
for c in ${DIR}/cert-* ; do
   safety -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$c"
carried out
rm -rf ${DIR}

What the script does is splits the .pem file into a variety of certificates within the short-term listing involved, then provides them as trustRoot certificates to the System key chain; they are going to then function as trusted roots along with the certificates within the unique “System Roots” keychain. In case you have been questioning, you can’t add them to the System Roots keychain as that may solely be up to date by the working system.

Word this copies over the primary group of certificates (“Trusted Certificates” within the query), however not the second nor the third.

Kudos to this reply for a touch.


You would possibly marvel why I did not merely put a hyperlink to a extra fashionable bundle of certificates someplace on the net. In spite of everything, that will can help you skip steps 1-3, and easily obtain rootcerts.pem. The reply is that you’d haven’t any means of understanding that I had not tampered with the basis certificates and inserted one in every of my very own, permitting me to impersonate any web site by making a pretend certificates signed with my very own root certificates. Please due to this fact deal with with excessive skepticism any recommendation to unravel this drawback by downloading root certificates from wherever except you’ll be able to independently test the provenance of these certificates.

That stated, when you’ve got no different possibility, an inexpensive place to obtain a certificates bundle could be from the curl web page right here (untested), as most individuals belief curl.

Latest news
Related news

LEAVE A REPLY

Please enter your comment!
Please enter your name here