Don’t Let Replacing the Expired DST Root CA x3 Bring You Down

If you are using an older Mac OS X version to browse the web, it’s likely that you recently started seeing "NET::ERR_CERT_DATE_INVALID", "Your connection is not private", "Clock expired privacy issue", "Safari can’t verify the identity of the website", or a similar error in your browser, when trying to visit sites that should be safe.

safari NET::ERR_CERT_DATE_INVALID error

The error is probably occurring on your older computer because the popular certificate DST root ca x3 from the certificate authority Let’s encrypt expired on September 30, 2021. You need its replacement isrg root x1 to resolve the NET::ERR_CERT_DATE_INVALID error.

Your computer has a list of certificates that allow it to verify the authenticity of websites you visit. OS updates usually include the latest batch of certificates required to verify most websites you might visit. However, you can also manually add certificates to your computer’s certificate store.

Manually Adding Certificates on Mac OS El Capitan

Here is how to add the isrg root x1 certificate on Mac OS El Capitan. The process is very similar on other Mac OS versions as well.

Step 1: Get the legit isrg root x1 certificate from Let’s encrypt by visiting https://letsencrypt.org/certs/isrgrootx1.pem.txt. If the Lets Encrypt site itself is marked as insecure for you, you can download it from here: https://intellitect.com/wp-content/uploads/2021/11/isrgrootx1.pem.txt (don’t make downloading certs from websites a habit though).

lets encrypt site
Don’t let the encoding of the file intimidate you.

Step 2: Save it by right-clicking on the page and clicking save as (or if in Safari, click File > Save as ).

Step 3: Save it as a .pem file (remove the .txt extension).

save file

You now have a file that looks like this:
file icon

Step 4: Open the file. The file opens with Mac OS’s certificate store called Keychain Access.

Step 5: Click "confirm" or "yes" on any dialogue about whether or not you want to add the certificate, and When presented with the screen with a prompt that says you can choose whether to add the certificate for one user or the entire "System" (all users), choose "System" in the "Keychain" drop down to fix the error for all users.

confirm import of  DST root ca x3

Step 6: Now, we need to mark it as trusted.

Find it in the certificates, and open it. Under the Trust drop-down, set the SSL field as always trusted.

find the cert in the list

change permissions

Step 7: Close and save.

Wrapping Up!

You should be able to use SSL (HTTPS) with it now! Wikipedia.org is a site that you wouldn’t be able to visit without SSL backed by isrg root x1, so give it a try.

SSL, or Secure Socket Layer, is the "S" in the acronym "HTTPS" that you see before most url’s. In summation, we simply enabled Mac OS X to use the ISRG Root X1 certificate to verify websites that use HTTPS. Specifically, when a website tells your computer that it was certified by ISRG Root X1, your computer says, let me check that you are telling the truth, and uses the now present ISRG Root X1 certificate in Keychain. Once verified, a HTTPS (secure) connection can be made, versus an unsecure HTTP connection.

Want More?

Need more information on fixing errors like "NET::ERR_CERT_DATE_INVALID"? Check out Mark Michaelis’ quick fix for the NETSDK1004 compile error.

intellitect jobs ad

Join the Conversation

36 Comments

Your email address will not be published. Required fields are marked *

  1. I had to do this and it worked. It automatically opened (with no prompts) in the “login” folder and was able to unlock “System” and drag it there, I also was having the issue that Erik Svensson (below) was having with the file being “removed” when trying to open it from Chrome. When I switched from Chrome to Safari, it dowloaded successfully to .txt then I switched it to .pem. Thank you so much for this, I’ve been trying since end of September and thought it was my new iphone settings that I bought the same day. You are so appreciated.

  2. Damn this was a very good help, Out of Google help I got NOTHING! Like blow away your computer and reinstall everything, yeah right… I need to run El Capitan 10.11.6
    It has been so annoying this certificate error, but solved with your help

  3. When I open the file it gives me this error message in the Keychain Access Window. It also gives me this message when I drag the file into the window: “The “System Roots” keychain cannot be modified. To change whether a root certificate is trusted, open it in Keychain Access and modify its Trust Settings. New root certificates should be added to the login keychain for the current user, or to the System keychain if they are to be shared by all users of this machine.” What should I do now? Thanks!

    1. Hey, my first thought is that your user may not be an admin user on the computer so you cannot modify the “system roots” keychain. So you could first try opening Keychain Access and then clicking the padlock icon to unlock the “System Roots” keychain – you will be able to unlock only if an admin. Then drag the cert into the Certificates list. Here is a visual aid screenshot: https://ibb.co/S6M9RX0 . If that doesn’t work, try installing the certificate not at the system level, but at the “login” or user level. It will still work for your user profile. If you have further difficulties, feel free to comment.

  4. Thank you SO, SO much!! Been looking for a fix for this for 4 months now on my MacBook Pro, and your post is the first straightforward successful answer I’ve found… finally back to browsing bliss. You’re a lifesaver!

  5. Thank you! I’ve experienced this problem and it’s extremely annoying. I was starting to think I should retire my old Mac…

  6. Thank you so much for this guide! This cert date error has been a pain for the past month or so and I’m just so relieved it’s fixed now. The guide was super easy to follow, too.

  7. Thank you so much for these simple instructions! I was nervous to try, but had to try to fix this frustrating problem. Finally, no more problems.

    1. Hey Erik, what file are you referring to – the certificate.pem file? Also, what step in particular are you stuck at?

      1. This is happening to me too. When I save as .pem it downloads but then says removed when I go to open the file. It does not show as a certificate file like you have shown above. Any idea why my mac will not save as .pem?

        1. hmmm… interesting. So when you click on the file in your Download’s folder in Finder it says file not found? Finder shouldn’t show files that don’t exist. From what you are describing though it sounds like you are trying to open the file from Chrome or Safari. Try opening it from Finder if you haven’t already. Happy to help out if you are still having difficulty.

          1. Also you can try saving it just as it is as .txt. Then rename the file after its downloaded, by finding it in Finder, right clicking it and selecting “get info”, and then changing the .txt to .pem.

  8. I found it frustrating and rather difficult to figure out why exactly many websites didn’t work.
    Then it was surprisingly hard to find a tutorial on how to fix these certificate issues, but your fix is easy to follow and works PERFECTLY.
    Additionally, this Reddit thread may be helpful too, it uses a very similar way and also explains that you can save your isrg certificate under “system” in the keychain access app to also fix other user accounts on the same Mac: https://old.reddit.com/r/MacOS/comments/pz5dq3/any_fix_for_the_big_lets_encrypt_certificate/
    Thank you so so much!!!

  9. Austen, many many many many many many many many many many many many many many many many THANKS!!!

  10. This has finally resolved an error where it has nearly caused me to purchase a new mac laptop.
    Hoping to assist others in finding this page, I wanted to list the other search phrases I used which were not as helpful, until I finally stumbled upon this resolution:
    Can’t load page,
    Clock expired privacy issue,
    Your connection is not private,
    Attackers might be trying to steal your information,
    Automatically send some system information and page content to Google to help detect dangerous apps and sites

    Thanks
    again

  11. Dear Austen,
    I know we are not alone with this problem……
    that
    YOU solved
    We thank you sooo much for given this Key to us.
    Chrome is back on our MacBook Pro (2012)
    Thanks again and all best wishes to you
    from Marion&Martin
    (Philippines)

  12. Hey! I cannot express to you how many websites and tutorials I’ve been to over the past few days, which just did not work time and time again. This one, whilst kind of seeming scary to an amateur, did work straight away! Thanks a lot :D