Don’t Let Replacing the Expired DST Root CA x3 Bring You Down
If you are using an older Mac OS X version to browse the web, it’s likely that you recently started seeing "NET::ERR_CERT_DATE_INVALID", "Your connection is not private", "Clock expired privacy issue", "Safari can’t verify the identity of the website", or a similar error in your browser, when trying to visit sites that should be safe.
The error is probably occurring on your older computer because the popular certificate DST Root CA X3 from the certificate authority Let’s Encrypt expired on September 30, 2021. You need its replacement, ISRG Root X1, to resolve the NET::ERR_CERT_DATE_INVALID error.
Your computer has a list of certificates that allow it to verify the authenticity of the websites you visit. OS updates usually include the latest batch of certificates required to verify most websites you might visit. However, you can also manually add certificates to your computer’s certificate store.
Manually Adding Certificates on Mac OS El Capitan
Here is how to add the ISRG Root X1 certificate on Mac OS El Capitan. The process is very similar on other Mac OS versions as well.
Step 1: Get the legit ISRG Root X1 certificate from Let’s Encrypt by visiting https://letsencrypt.org/certs/isrgrootx1.pem.txt. If the Let’s Encrypt site itself is marked as insecure for you, you can download it from here: https://intellitect.com/wp-content/uploads/2022/03/isrgrootx1.pem_.txt (don’t make downloading certs from websites a habit though).
Don’t let the encoding of the file intimidate you.
Step 2: Save it by right-clicking on the page and clicking Save As (or if in Safari, click File > Save As).
Step 3: Save it as a .pem file (remove the .txt extension).
You now have a file that looks like this:
Step 4: Open the file. The file opens with Mac OS’s certificate store called Keychain Access.
Step 5: Click "confirm" or "yes" on any dialogue asking whether you want to add the certificate. When you are prompted to choose whether to add the certificate for one user or the entire "System" (all users), choose "System" in the "Keychain" drop-down to fix the error for all users.
Step 6: Now, we need to mark it as trusted. Find it in the certificates, and open it. Under the Trust drop-down, set the SSL field to "Always Trust".
Step 7: Close and save.
You should be able to use SSL (HTTPS) with it now! Wikipedia.org is a site that you wouldn’t be able to visit without SSL backed by ISRG Root X1, so give it a try.
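Before trusting a root certificate downloaded in Step 1, especially from a mirror, compare its SHA-256 fingerprint with one obtained through a separate trusted channel. The script below is an added example, not part of the original article; it rejects files that are not exactly one PEM certificate (such as a saved HTML error page) and accepts the fingerprint formats tools commonly print. The function names and the sample data are assumptions constructed for illustration, and the expected fingerprint must come from your own independent source.

```python
import base64
import hashlib
import hmac
import re

# Matches each PEM certificate block in the downloaded text.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def cert_fingerprint(pem_text):
    """Return the SHA-256 fingerprint (lowercase hex) of the one certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # An HTML error page has zero blocks; a bundle has several.
        # Neither is the single root certificate we expect to import.
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    return hashlib.sha256(der).hexdigest()


def matches_pinned(pem_text, expected_fingerprint):
    """True only if the file's fingerprint equals the independently obtained one."""
    # Accept "AB:CD:..", "ab cd .." or plain hex, as printed by different tools.
    expected = re.sub(r"[\s:]", "", expected_fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("expected fingerprint must be 64 hex digits (SHA-256)")
    return hmac.compare_digest(cert_fingerprint(pem_text), expected)


# Constructed sample: 64 arbitrary bytes wrapped as PEM, NOT a real certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("SHA-256 fingerprint:", cert_fingerprint(SAMPLE_PEM))
```

To check the real download, pass the text of the saved isrgrootx1.pem file to `matches_pinned` together with the fingerprint you obtained separately, and only continue to Step 4 if it returns True.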
SSL, or Secure Sockets Layer, is the “S” in the acronym “HTTPS” that you see before most URLs. In summary, we simply enabled Mac OS X to use the ISRG Root X1 certificate to verify websites that use HTTPS. Specifically, when a website tells your computer that it was certified by ISRG Root X1, your computer says, "let me check that you are telling the truth," and uses the ISRG Root X1 certificate now present in Keychain. Once verified, an HTTPS (secure) connection can be made, versus an unsecured HTTP connection.