Skip to content


Don’t Let Replacing the Expired DST Root CA x3 Bring You Down

If you are using an older Mac OS X version to browse the web, it’s likely that you recently started seeing "NET::ERR_CERT_DATE_INVALID", "Your connection is not private", "Clock expired privacy issue", "Safari can’t verify the identity of the website", or a similar error in your browser, when trying to visit sites that should be safe.

The error is probably occurring on your older computer because the popular certificate DST root ca x3 from the certificate authority Let’s encrypt expired on September 30, 2021. You need its replacement isrg root x1 to resolve the NET::ERR_CERT_DATE_INVALID error.

Your computer has a list of certificates that allow it to verify the authenticity of the websites you visit. OS updates usually include the latest batch of certificates required to verify most websites you might visit. However, you can also manually add certificates to your computer’s certificate store.

Manually Adding Certificates on Mac OS El Capitan

Here is how to add the isrg root x1 certificate on Mac OS El Capitan. The process is very similar on other Mac OS versions as well.

Step 1: Get the legit isrg root x1 certificate from Let’s encrypt by visiting If the Lets Encrypt site itself is marked as insecure for you, you can download it from here: (don’t make downloading certs from websites a habit though).

Don’t let the encoding of the file intimidate you.

Step 2: Save it by right-clicking on the page and clicking save as (or if in Safari, click File > Save as ).

Step 3: Save it as a .pem file (remove the .txt extension).

You now have a file that looks like this:

Step 4: Open the file. The file opens with Mac OS’s certificate store called Keychain Access.

If it doesn’t open with KeyChain Access, then open the KeyChain Access app manually by either searching for it via Spotlight ? or finding it in the Utilities App Folder. Then drag and drop the .pem file into KeyChain Access.

Step 5: Click "confirm" or "yes" on any dialogue about whether or not you want to add the certificate, and when presented with the screen with a prompt that says you can choose whether to add the certificate for one user or the entire "System" (all users), choose "System" in the "Keychain" drop-down to fix the error for all users.

Step 6: Now, we need to mark it as trusted.

Find it in the certificates, and open it. Under the Trust drop-down ? (double click to open), set the SSL field as always trusted.

Step 7: Close and save.

Wrapping Up!

You should be able to use SSL (HTTPS) with it now! is a site that you wouldn’t be able to visit without SSL backed by isrg root x1, so give it a try.

Want More?

Need more information on fixing errors like "NET::ERR_CERT_DATE_INVALID"? Check out Mark Michaelis’ quick fix for the NETSDK1004 compile error. Curious about the software development work IntelliTect does? Check out our innovative products to see what software solutions we offer that solve your real-world issues.

Does Your Organization Need a Custom Solution?

Let’s chat about how we can help you achieve excellence on your next project!

Comments are closed.