About DST Root CA X3 expiration on Mac
“DST Root CA X3 expired” is an error that many Mac users have likely started seeing in their browsers since the 30th of September. It prevents users from visiting sites that use Let’s Encrypt certificates.
Recently, many Mac users have started reporting the same problem with their browsers, namely, the appearance of an error message while trying to visit certain sites. The error message shown may vary: “DST Root CA X3 expired” is only one possibility. Others are “Your connection is not private” or “Attackers might be trying to steal your information”. Though the error/warning messages shown in the browser may differ, the underlying issue is the same: the recent expiration of the widespread DST Root CA X3 certificate, created by the non-profit organization Let’s Encrypt. Many popular sites use this certificate and, once it expired, some (not all) users stopped being able to visit those sites.
What separates the Macs that can visit such sites from those that cannot is the macOS version each machine is running. Macs that have macOS 10.12.1 or later should have no problems with the expiration of this certificate. However, if your Mac is still running El Capitan (macOS 10.11) or an older version of macOS, then you have probably started encountering various issues in your browsers that prevent you from reaching the sites you want to visit.
The core reason for all this is that the now-expired DST Root CA X3 certificate allowed older machines to recognize Let’s Encrypt certificates. However, DST Root CA X3 was created back in 2015 and its expiration date arrived on the 30th of September this year. Past this date, only Macs with macOS versions released after 2015 are able to recognize Let’s Encrypt certificates and visit the sites that use them.
We understand how annoying this could be, especially if you’re using an older machine that cannot be upgraded past El Capitan. In some cases, the expiration of such an important root certificate could leave an older Mac nearly unusable for browsing. At the same time, many such Macs around the globe are still used in work environments, so losing their ability to browse the Internet could be quite a problem. The good news is that there may be some solutions to the issue, at least for the time being. While at some point in the future you may need a newer machine that can support the latest macOS versions, the method suggested below should restore your Mac’s ability to browse the Internet and visit the sites you want to reach without encountering the DST Root CA X3 expired Mac error.
DST Root CA X3 expired Mac fix
The DST Root CA X3 expired (Mac) fix is to manually download, install, and “trust” the new ISRG Root X1 certificate on your Mac. An alternative DST Root CA X3 expired (Mac) fix would be to use Firefox, as it has its own certificate list.
Before we get any further, however, it’s important to note that the best fix would still be to simply upgrade your macOS to a version newer than El Capitan (10.11) if that is possible on your Mac. With a newer macOS, the expiration of the Root X3 certificate wouldn’t be a problem. The oldest macOS version that would allow you to visit sites that use Let’s Encrypt certificates and wouldn’t have a problem with the expiration of the Root CA X3 certificate is macOS 10.12.1 (High Sierra). The following Macs are supported for High Sierra and so if your Mac model falls in that list, chances are you should be able to upgrade its macOS.
- MacBook Pro (2010 and later)
- MacBook (late 2009 and later)
- MacBook Air (2010 and later)
- iMac (late 2009 and later)
- Mac Pro (2010 and later)
- Mac Mini (2010 and later)
To upgrade the macOS of your Mac, simply go to the Apple Logo menu, open System Preferences > Software Update, and click the Upgrade Now button that should be available in the next window. Next, follow the on-screen steps and once you are finished, your macOS should be upgraded to the latest version that the computer can support.
Now, for those of you who have a Mac that’s older than the models from the list above, as was already said, the two options you can try to still get your Mac to freely visit sites that use Let’s Encrypt certificates are to either manually set up the newer ISRG Root X1 or to use Mozilla Firefox as your main browser.
Manually installing the ISRG Root X1 certificate
- Click on this link and download the ISRG Root X1 certificate file.
- Open Spotlight Search by clicking the magnifying glass icon from the menu bar, or by pressing Command + Space bar.
- Type Keychain Access in the Spotlight Search and click the first result.
- In the Keychain Access app, click on the System (not System Roots!) icon from the top left (under System Keychains), and then drag-and-drop the ISRG Root X1 certificate file that you downloaded (the file should be named isrgrootx1.der) into the list of items in the Keychain Access app. Your Admin password will likely be required, so enter it and click Modify Keychain.
- Now find the ISRG Root X1 certificate in the Keychain Access app’s System folder, double-click it, and expand the Trust settings.
- After that, change the “When using this certificate” setting from “Use System Defaults” to “Always Trust”. If you are prompted to provide your password again, do that and confirm the change.
After this, you should hopefully no longer have any problems with accessing sites with Let’s Encrypt certificates.
Installing Mozilla Firefox
Firefox is known for using its own certificate list and not the one that comes from Apple/macOS, so using this browser has proven to allow users who have El Capitan or older macOS on their Macs to still access the sites that are otherwise inaccessible using Safari or any Chromium-based browser. If for some reason the previous method with the manual addition of the new certificate didn’t work for you and if your Mac cannot upgrade to a higher macOS, this is probably your only remaining option. However, note that while using Firefox is a viable solution for the time being, this may change in the future and your Mac may no longer be able to visit Let’s Encrypt-certified sites.
Thank you. Finally worked using 10.10.5ae
Thank you thank you thank you!!! I’ve spent so long reading developer notes over the last several weeks trying to get things to work, but even downloading new certificates makes them “untrusted.” These worked! Thank you!!
Thank you so much! It worked on my El Capitan IOS
Many thanks! It works on my MacBook (13-inch, Aluminum, Late 2008). I appreciate it! thanks again from Argentina
It works! I’ve been looking for solution for weeks and finally found article you wrote minutes ago. Thank you
- Jonathan Reynolds
Thanks, this was perfectly explained, and worked for me. I only arrived at your page after spending a whole day figuring out that the reason my old iMac would no longer load some/many web pages was to do with a root certificate. So you might want to add the words of typical Safari error messages so that others find your excellent solution more quickly. Thanks again.
- RH Hilling
Thank you, a lot – it’s like getting your life back. We can now use the computer again. MacBook Pro 10.10.5.
- Jon W
Many thanks! You’ve ended hours of searching for a solution. I am on an old 2010 Mac Pro that could not be upgraded past Mac OS X 10.11 and can now finally reach Wikipedia and many other sites again with no problem.
Problem solved on my Early 2008 20″ running El Capitan 10.11.6
Many thanks for this explanatory tutorial
Other than that, thanks for writing this, it was very helpful!
What about on iOS?? The same trick does not work there.
- Harry Xia
- Doreen Dari MacLellan
Thank you JP. More again soon. dr.10.16.
Harry happy to hear it worked. Why did it take you five months to respond?
Why does the certificate go in System, rather than System Roots?
I can’t thank you enough for this thorough and well explained solution. I’ve spent days researching if my problem was my router, firewall, extensions, browser, etc. You just saved me precious time and my sanity. THANK YOU!!!!!!
- ted Haenga
thank you heaps legend!!! <3
I have been searching for an answer for months… thank you so much! The ISRG root cert works like a charm. People like you make this world go round. Best!
Seriously, THANK YOU SOOOOOOO MUCH!!!!!!! BLESS YOU. Hope you have a lovely day. From MUNICH!!!!
Thank you! –the actual solution to the problem, which actually works. unlike all those “have you tried turning it off and on again” internet experts out there advising everything from running anti-virus software to clearing your browser’s cache.
What is it with the internet that compels people who don’t know what they’re talking about, to offer advice?
- Deuce Sanders
I got to the part where it says “click on this link to download the ISRG Root X1…” and guess what??? I get “this connection is not secure”. What next???
You are the best! Thank you SO much!
thanks, worked for me!
- O Ben
THANK YOU SO MUCH!!!!! I’ve been struggling with this for weeks!! Installed the new certificate and it works perfectly now.
Thanks, worked on my old 2008 imac.
OMG thank you, 2012 Mac Mini resurrected. Do you have a current PayPal donation link?
Thank you so much
Worked like a charm on MacBook 2010 (unibody, running El Cap)
- Jessica Marques
Thank you! This solved all the issues I was having! Including getting Design space for my cricut to work!
- Jeff Nielson
DOWNLOADING INSTALLING AND SETTING THE NEW SECURITY CERTIFICATE FOR GOOGLE CHROME ON EL CAPITAN
This worked 100% on my 2008 Mac Pro Tower running El Capitan, which is extremely fast and reliable for its age, but I cannot install Sierra on it.
Find the newest of this file link (first on the page)…
“Signed by ISRG Root X1: der, pem, txt”
Click on pem to download the correct one.
(I have my browser set to always download to the Desktop so I can quickly find the stuff I just downloaded, and I put it where it goes later).
Open Keychain Utility in the Applications > Utilities folder
Enter your password every time asked.
Click System (upper left)
Drag the new Security Certificate from the Desktop into the Security page in the open Keychain Window.
Double click on the new Security Certificate.
Click the little arrow next to “Trust” at the top to expand it.
Choose “Always Trust” in the menu next to
“When using this certificate:”
You can choose “Always Trust” because it literally just came from the website of the company that creates the Trusted Certificates.
- Thomas Schmid
My friend got a “MacBook Pro late 2008“ from her son in summer.
The 89 years young lady requested me to help her with the odd error message in her Google Chrome browser. Thanks to this ‘how to’ the lady is happy again.
I found Ms Martina Nikolova’s tutorial very well written, easy to follow, almost fool proof. Thank you very much, danke schön, děkuju.
This was absolutely brilliant. Thank you mate!
Finally a solution!
Wish I had found you first!
Nice one, Martì, thank you.
THANK YOU! THANK YOU! THANK YOU! I’ve been searching FOREVER on how to fix this issue! I have an OS X El Capitan 10.11.6 and I thought I would never be able to use my laptop without “your connection is not private” and I can now return to sites I haven’t been able to see since it started popping up! I’m so happy, I could cry! THANK YOU!!
God bless you dear. this post literally saved my old mac from junk
- Rosie Parker
Thank you so much! Since September I have been so angry with my Mac and wanting to throw it out the window, and you’ve saved it! MUCH appreciated. <3
Hello, thank you for the informative article! I wonder though, what if after installing and managing to browse again the internet, we are displayed ads that open new pages without our interacting on some objects hyperlink or other element that might redirect us? It’s happening since a couple of days, since I installed the der certificate from letsencrypt.org. I’d love to hear your opinion and if anyone else is encountering this nuisance
Thanks!!! It works absolutely fine!
Nothing else that I tried worked except from this!
- Louie Pelaez
You just breathed new life straight into my perfectly good computer. Thanks so much.
I didn’t believe in God before today… but you my friend are one omnipotent being and I salute you!
Thank you very much, finally my mac back to normal
Thank you so much for this fix and info!
- Kat Spaw
Oh my goodness, THANK YOU!! I tried everything I could come across to fix the issue with Adobe Digital Editions that I had, and finally someone linked to your web page, and that made all the difference! I’m so relieved! You rock! <3
- Paulo Santos
Thank You From Brazil – My El Capitan’s is working now!
- Jocelyn Whitener
Thank you so very much! I am bookmarking your link so I can return with a donation! Have a Blessed Day!
Thank you so much for all your help! Really appreciate it.
Recommend edit to reconcile macos versions and their names. Sierra = 10.12, High Sierra = 10.13
thank you thank you thank you!!! been having this issue for a year now. you saved me!
This worked! On iMac OS X Yosemite 10.10.5 (late 2014). Thank you so much!
100 times: Thank YOU!