Don’t Let Replacing the Expired DST Root CA x3 Bring You Down

If you are using an older Mac OS X version to browse the web, it’s likely that you recently started seeing "NET::ERR_CERT_DATE_INVALID" or a similar error in your browser.


The error occurs because the popular certificate DST Root CA X3 from the certificate authority Let’s Encrypt expired on September 30, 2021. You need its replacement, ISRG Root X1, to resolve the NET::ERR_CERT_DATE_INVALID error.

Your computer has a list of certificates that allow it to verify the authenticity of websites you visit. OS updates usually include the latest batch of certificates required to verify most websites you might visit. However, you can also manually add certificates to your computer’s certificate store.

Manually Adding Certificates on Mac OS El Capitan

Here is how to add the ISRG Root X1 certificate on Mac OS El Capitan. The process is very similar on other Mac OS versions as well.

Step 1: Get the legit ISRG Root X1 certificate from Let’s Encrypt by visiting

lets encrypt site
Don’t let the encoding of the file intimidate you.

Step 2: Save it by right-clicking on the page and clicking Save As (or, in Safari, click File > Save As).

Step 3: Save it as a .pem file (remove the .txt extension).


You now have a file that looks like this:
[Image: file icon]

Step 4: Open the file. The file opens with Mac OS’s certificate store called Keychain Access.

Step 5: Click "confirm" or "yes" on any dialogue about whether or not you want to add the certificate.


Step 6: Now, we need to mark it as trusted.

Find it in the list of certificates and open it. Under the Trust drop-down, set the SSL field to always trusted.


Step 7: Close and save.
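A root marked as always trusted vouches for every site it signs, so it is worth confirming that the file saved in Step 3 is the genuine certificate before trusting it in Step 6. The following is an added example, not part of the original post: it checks that the .pem file holds exactly one certificate and that its SHA-256 fingerprint matches a value you supply. The script name, the file name and the embedded sample are assumptions; take the expected fingerprint from Let’s Encrypt’s published certificate details, read on a device whose HTTPS connection validates.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: arbitrary bytes wrapped as PEM, NOT a real certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_certificates(text):
    """Return the decoded (DER) bytes of every CERTIFICATE block in the text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(text)]


def sha256_fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_root_file(pem_text, expected_fingerprint):
    """Return (ok, detail). ok is True only for one cert with a matching hash."""
    try:
        certs = pem_certificates(pem_text)
    except ValueError:  # binascii.Error: body is not valid base64
        return False, "certificate body is not valid base64"
    if len(certs) != 1:
        # A root you are about to trust should arrive alone, not in a bundle.
        return False, "expected exactly one certificate, found %d" % len(certs)
    actual = sha256_fingerprint(certs[0])
    wanted = re.sub(r"[^0-9A-Fa-f]", "", expected_fingerprint).upper()
    if actual.replace(":", "") != wanted:
        return False, "fingerprint mismatch, file has " + actual
    return True, actual


if __name__ == "__main__":
    # Usage (assumed names): python3 check_root.py isrgrootx1.pem <FINGERPRINT>
    with open(sys.argv[1], encoding="ascii", errors="replace") as handle:
        ok, detail = check_root_file(handle.read(), sys.argv[2])
    print(("OK " if ok else "DO NOT TRUST: ") + detail)
    sys.exit(0 if ok else 1)
```

Keychain Access shows the same SHA-256 fingerprint in the certificate’s details, so the value can be compared there as well before changing the Trust setting.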

Wrapping Up!

You should be able to use SSL (HTTPS) with it now! is a site that you wouldn’t be able to visit without SSL backed by ISRG Root X1, so give it a try.

SSL, or Secure Sockets Layer, is the "S" in the acronym "HTTPS" that you see before most URLs. In summary, we simply enabled Mac OS X to use the ISRG Root X1 certificate to verify websites that use HTTPS. Specifically, when a website tells your computer that it was certified by ISRG Root X1, your computer says, "let me check that you are telling the truth," and uses the ISRG Root X1 certificate now present in Keychain to do so. Once verified, an HTTPS (secure) connection can be made, versus an insecure HTTP connection.

Want More?

Need more information on fixing errors like "NET::ERR_CERT_DATE_INVALID"? Check out Mark Michaelis’ quick fix for the NETSDK1004 compile error.


Join the Conversation



  1. Dear Austen,
    I know we are not alone with this problem……
    YOU solved
    We thank you sooo much for given this Key to us.
    Chrome is back on our MacBook Pro (2012)
    Thanks again and all best wishes to you
    from Marion&Martin

  2. Hey! I cannot express to you how many websites and tutorials I’ve been to over the past few days, which just did not work time and time again. This one, whilst kind of seeming scary to an amateur, did work straight away! Thanks a lot :D