Mac Research Security and Tutorials

DST Root CA X3 expired Mac

Martina Nikolova

·

·

About DST Root CA X3 expiration on Mac

DST Root CA X3 expired on Mac is an error that many Mac users have likely started seeing in their browser since the 30th of September. The DST Root CA X3 expired on Mac error prevents users from visiting sites that use Let’s Encrypt certificates.

Recently, many Mac users have started reporting the same problem with their browsers, namely, the appearance of an error message while trying to visit certain sites. The error message shown may vary – “DST Root CA X3 expired” is only one possible error message. Another one is “Your connection is not private” or “Attackers might be trying to steal your information”. Though the error/warning messages that get shown in the browser may differ, the underlying issue stays the same and that is the recent expiration of the widespread DST Root CA X3 certificate, created by the non-profit organization Let’s Encrypt. Many popular sites use this certificate and once it has expired, some (not all) users stopped being able to visit those sites.

The factor that separates Macs that can and Macs that cannot visit those such sites is the macOS version that each machine has. Macs that have macOS 10.12.1 or later should have no problems with the expiration of this certificate. However, if your Mac is still running El Capitan (macOS 10.11) or an older version of macOS, then you have probably started encountering various issues in your browsers that prevent you from reaching the sites you want to visit. 

The core reason for all this is that the currently expired DST Root CA X3 certificate allowed older machines to recognize Let’s Encrypt certificates. However, DST Root CA X3 was created back in 2015 and its expiration date arrived on the 30th of September this year. Past this date, only Macs with macOS versions released after 2015 are able to recognize Let’s Encrypt certificates and visit the sites that use them.

We understand how annoying this could be, especially if you’re using an older machine that cannot get upgraded past El Capitan. In some cases, the expiration of this so important root certificate could mean that an older Mac machine could become nearly unusable for browsing purposes. At the same time, there are many such Macs left around the globe that are used in work environments and so, them becoming obsolete in terms of their ability to browse the Internet could be quite a problem. The good news is there may be some solutions to that issue – at least for the time being. While at a certain point in the future you may end up needing to get a newer machine that can support the latest macOS versions, with the help of the suggested method below, you should be able to restore your Mac’s ability to browse the Internet, and visit the sites you want to reach without encountering the DST Root CA x3 expired Mac error.

DST Root CA X3 expired Mac fix

The DST Root CA X3 expired (Mac) fix is to manually download, install, and “trust” the new ISRG Root X1 certificate on your Mac. An alternative DST Root CA X3 expired (Mac) fix would be to use Firefox, as it has its own certificates list.

Before we get any further, however, it’s important to note that the best fix would still be to simply upgrade your macOS to a version newer than El Capitan (10.11) if that is possible on your Mac. With a newer macOS, the expiration of the Root X3 certificate wouldn’t be a problem. The oldest macOS version that would allow you to visit sites that use Let’s Encrypt certificates and wouldn’t have a problem with the expiration of the Root CA X3 certificate is macOS 10.12.1 (High Sierra). The following Macs are supported for High Sierra and so if your Mac model falls in that list, chances are you should be able to upgrade its macOS.

  • MacBook Pro (2010 and later)
  • MacBook (late 2009 and later)
  • MacBook Air (2010 and later)
  • iMac (late 2009 and later)
  • Mac Pro (2010 and later)
  • Mac Mini (2010 and later)

To upgrade the macOS of your Mac, simply go to the Apple Logo menu, open System Preferences > Software Update, and click the Upgrade Now button that should be available in the next window. Next, follow the on-screen steps and once you are finished, your macOS should be upgraded to the latest version that the computer can support.

Now, for those of you who have a Mac that’s older than the models from the list above, as was already said, the two options you can try to still get your Mac to freely visit sites that use Let’s Encrypt certificates are to either manually set up the newer ISGR Root X1 or to use Mozilla Firefox as your main browser.

Manually installing the ISGR Root X1 certificate

  1. Click on this link to download the ISGR Root X1 certificate and download the file.


  2. Open Spotlight Search by clicking the magnifying glass icon from the menu bar, or by pressing Command + Space bar.
  3. Type Keychain Access in the Spotlight Search and click the first result.
  4. In the Keychain Access app, click on the System (not System Roots!) icon from the top left (under System Keychains), and then drag-and-drop the ISGR Root X1 certificate file that you downloaded (the file should be named isgrootx1.der) into the list of items in the Keychain Access app. Your Admin password will likely be required, so enter it and click Modify Keychain.
  5. Now find the ISGR Root X1 certificate in the Keychain Access app’s System folder, double-click it, and expand the Trust settings.
  6. After that, change the “When using this certificate” setting from “Use System Defaults to “Always Trust”. If you are prompted to provide your password again, do that and confirm the change.

After this, you should hopefully no longer have any problems with accessing sites with Let’s Encrypt certificates.

If my work has been helpful, the following link is only for those who have the means, and want to show their gratitude.

[paypal-donation]

Installing Mozilla Firefox

Firefox is known for using its own certificate list and not the one that comes from Apple/macOS, so using this browser has proven to allow users who have El Capitan or older macOS on their Macs to still access the sites that are otherwise inaccessible using Safari or any Chromium-based browser. If for some reason the previous method with the manual addition of the new certificate didn’t work for you and if your Mac cannot upgrade to a higher macOS, this is probably your only remaining option. However, note that while using Firefox is a viable solution for the time being, this may change in the future and your Mac may no longer be able to visit Let’s Encrypt-certified sites.

Martina Nikolova

Martina likes to get into nitty-gritty of tomorrow’s tech, from product design across to security based solutions. A long time mac user and developer, she has the expertise and strives to give new insight

51 responses to “DST Root CA X3 expired Mac”
  1. George Avatar
    George

    100 times: Thank YOU!

    Reply
    1. emin Avatar
      emin

      10000 ty

      Reply
  2. Alex Avatar
    Alex

    Thank youy. Finally worked using 10.10.5ae

    Reply
  3. Jordan Avatar
    Jordan

    Thank you thank you thank you!!! I’ve spent so long reading developer notes over the last several weeks trying to get things to work, but even downloading new certificates makes them “untrusted.” These worked! Thank you!!

    Reply
  4. JP Avatar
    JP

    Thank you so much! It worked on my El Capitan IOS

    Reply
  5. Esteban Avatar
    Esteban

    Many thanks! It works on my MacBook (13-inch, Aluminum, Late 2008). I appreciate it! thanks again from Argentina

    Reply
  6. Agus Avatar
    Agus

    It works! I’ve been looking for solution for weeks and finally found article you wrote minutes ago. Thank you

    Reply
  7. Jonathan Reynolds Avatar
    Jonathan Reynolds

    Thanks, this was perfectly explained, and worked for me. I only arrived at your page after spending a whole day figuring out that the reason my old iMac would no longer load some/many web pages was to do with a root certificate. So you might want to add the words of typical Safari error messages so that others find your excellent solution more quickly. Thanks again.

    Reply
  8. RH Hilling Avatar
    RH Hilling

    Thank you, a lot – it’s like getting your life back. We can know use the computer again. MacBook Pro 10.10.5.
    Rune H

    Reply
  9. Jon W Avatar
    Jon W

    Many thanks! You’ve ended hours of searching for a solution. I am on an old 2010 Mac Pro that could not be upgraded past Mac OS X 10.11 and can now finally reach Wikipedia and many other sites again with no problem.

    Reply
  10. Eric Avatar
    Eric

    Problème résolu sur mon Early 20″ de 2008 sous El Capitan 10.11.6
    Milles merci pour ce tuto explicatif

    Reply
  11. Wilburt Avatar
    Wilburt

    Other than that, thanks for writing this, it was very helpful!

    Reply
  12. T Avatar
    T

    What about on iOS?? The same trick does not work there.

    Reply
  13. Harry Xia Avatar
    Harry Xia

    Great, works
    Thank you!

    Reply
    1. Doreen Dari MacLellan Avatar
      Doreen Dari MacLellan

      Thank you JP. More again soon. dr.10.16.

      Harry happy to hear it worked. Why did it take you five months to respond?

      Reply
  14. Richard Avatar
    Richard

    Why does the certificate go in System, rather than System Roots?

    Reply
  15. Amy Avatar
    Amy

    I can’t thank you enough for this thorough and well explained solution. I’ve spent days researching if my problem was my router, firewall, extensions, browser, etc. You just saved me precious time and my sanity. THANK YOU!!!!!!

    Reply
  16. ted Haenga Avatar
    ted Haenga

    thankyou heaps legend!!! <3

    Reply
  17. Kerry Avatar
    Kerry

    I have been searching for an answer for months… thank you so much! The ISGR root cert works like a charm. People like you make this world go round. Best!

    Reply
  18. J Avatar
    J

    Seriously, THANK YOU SOOOOOOO MUCH!!!!!!! BLESS YOU. Hope you have a lovely day. From MUNICH!!!!

    Reply
  19. stuzbot Avatar
    stuzbot

    Thank you! –the actual solution to the problem, which actually works. unlike all those “have you tried turning it off and on again” internet experts out there advising everything from running anti-vrus software to clearing your browser’s cache.

    What is it with the internet that compels people who don’t know what they’re talking about, to offer advice?

    Reply
  20. Deuce Sanders Avatar
    Deuce Sanders

    I got to the part where it says “click on this link to download the ISGR Root X1…”and guess what??? I get “this connection is not secure”. What next???

    Reply
  21. Monica Avatar
    Monica

    You are the best! Thank you SO much!

    Reply
  22. gianpa Avatar
    gianpa

    thanks, worked for me!

    Reply
  23. O Ben Avatar
    O Ben

    THANK YOU SO MUCH!!!!! Ive been struggling with this for weeks!! Installed the new certificate and it works perfectly now.

    Reply
  24. russell Avatar
    russell

    Thanks, worked on my old 2008 imac.

    Reply
  25. Mark Avatar
    Mark

    OMG thank you, 2012 Mac Mini resurrected. Do you have a current PayPal donation link?

    Reply
  26. Jalal Avatar
    Jalal

    Thank you so much

    Reply
  27. MG Avatar
    MG

    Worked like a charm on MacBook 2010 (unibody, running El Cap)

    Paypal link?

    Reply
  28. Jessica Marques Avatar
    Jessica Marques

    Thank you! This solved all the issues I was having! Including getting Design space for my cricut to work!

    Reply
  29. Jeff Nielson Avatar
    Jeff Nielson

    DOWNLOADING INSTALLING AND SETTING THE NEW SECURITY CERTIFICATE FOR GOOGLE CHROME ON EL CAPITAN

    This worked 100% on my 2008 Mac Pro Tower running El Capitan, which is extremely fast and reliable for its age, but I cannot install Sierra on it.

    Instructions

    Go to
    https://letsencrypt.org/certificates /

    Find the newest of this file link (first on the page)…
    “Signed by ISRG Root X1: der, pem, txt”
    Click on pem to download the correct one.

    (I have my browser set to always download to the Desktop so I can quickly find the stuff I just downloaded, and I put it where it goes later).

    Open Keychain Utility in the Applications > Utilities folder

    Enter your password every time asked.

    Click System (upper left)

    Drag the new Security Certificate from the Desktop into the Security page in the open Keychain Window.

    Double click on the new Security Certificate.

    Click the little arrow next to “Trust” at the top to expand it.

    Choose “Always Trust” in the menu next to
    “When using this certificate:”

    You can choose “Always Trust” because it literally just came from the website of the company that creates the Trusted Certificates.

    Reply
  30. Thomas Schmid Avatar
    Thomas Schmid

    My friend got a “MacBook Pro late 2008“ from her son in summer.
    The 89 years young lady requested me to help her with the odd error message her in Google Chrome browser. Thanks to this ‘how to’ the lady is happy again.
    I found Ms Martina Nikolova’s tutorial very well written, easy to follow, almost fool proof. Thank you very much, danke schön, děkuju.

    Reply
  31. Der_Perkster Avatar
    Der_Perkster

    This was absolutely brilliant. Thank you mate!

    Reply
  32. Nemesis Avatar
    Nemesis

    Amazing!
    Finally a solution!
    Wish I had found you first!

    Reply
  33. Massimo Avatar
    Massimo

    Bella Martì, grazie.

    Reply
  34. Elizabeth Avatar
    Elizabeth

    THANK YOU! THANK YOU! THANK YOU! I’ve been searching FOREVER on how to fix this issue! I have an OS X El Capitan 10.11.6 and I thought I would never be able to use my laptop without “your connection is not private” and I can now return to sites I haven’t been able to see since it started popping up! I’m so happy, I could cry! THANK YOU!!

    Reply
  35. Edward Avatar
    Edward

    God bless you dear. this post literally saved my old mac from junk

    Reply
  36. Rosie Parker Avatar
    Rosie Parker

    Thank you so much! Since September I have been so angry with my Mac and wanting to throw it out the window, and you’ve saved it! MUCH appreciated. <3

    Reply
  37. luca Avatar
    luca

    Hello, thank you for the informative article! I wonder though, what if after installing and managing to browse again the internet, we are displayed ads that open new pages without our interacting on some objects hyperlink or other element that might redirect us? It’s happening since a couple of days, since I installed the der certificate from letsencrypt.org. I’d love to hear your opinion and if anyone else is encountering this nuisance

    Looking forward,
    Luca

    Reply
  38. Giorgos Avatar
    Giorgos

    Thanks!!! It works absolutely fine!
    Nothing else that I tried worked except from this!

    Reply
  39. Louie Pelaez Avatar
    Louie Pelaez

    You just breathed new life straight into my perfectly good computer. Thanks so much.

    Reply
  40. Jesus Avatar
    Jesus

    I didn’t believe in God before today… but you my friend are one omnipotent being and I salute you!

    Reply
  41. DNE Avatar
    DNE

    Thank you very much, finally my mac back to normal

    Reply
  42. Jeremy Avatar
    Jeremy

    Thank you so much for this fix and info!

    Reply
  43. Kat Spaw Avatar
    Kat Spaw

    Oh my goodness, THANK YOU!! I tried everything I could come across to fix the issue with Adobe Digital Editions that I had, and finally someone linked to your web page, and that made all the difference! I’m so relieved! You rock! <3

    Reply
  44. Paulo Santos Avatar
    Paulo Santos

    Thank You From Brazil – My El Capitan’s is working now!

    Reply
  45. Jocelyn Whitener Avatar
    Jocelyn Whitener

    Thank you so very much! I am bookmarking your link so I can return with a donation! Have a Blessed Day!

    Reply
  46. Jimmy Avatar
    Jimmy

    Thank you so much for all your help! Really appreciate it.

    Reply
  47. Rob Avatar
    Rob

    Recommend edit to reconcile macos versions and their names. Sierra = 10.12, High Sierra = 10.13

    Reply
  48. ED Avatar
    ED

    thank you thank you thank you!!! been having this issue for a year now. you saved me!

    Reply
  49. ABA Avatar
    ABA

    This worked! On iMac OSxYosemite 10.10.5 (late 2014). Thank you so much!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *