About DST Root CA X3 expiration on Mac

DST Root CA X3 expired on Mac is an error that many Mac users have likely started seeing in their browser since the 30th of September. The DST Root CA X3 expired on Mac error prevents users from visiting sites that use Let’s Encrypt certificates.

Recently, many Mac users have started reporting the same problem with their browsers, namely, the appearance of an error message while trying to visit certain sites. The error message shown may vary – “DST Root CA X3 expired” is only one possible error message. Another one is “Your connection is not private” or “Attackers might be trying to steal your information”. Though the error/warning messages that get shown in the browser may differ, the underlying issue stays the same and that is the recent expiration of the widespread DST Root CA X3 certificate, created by the non-profit organization Let’s Encrypt. Many popular sites use this certificate and once it has expired, some (not all) users stopped being able to visit those sites.

The factor that separates Macs that can and Macs that cannot visit such sites is the macOS version that each machine has. Macs that have macOS 10.12.1 or later should have no problems with the expiration of this certificate. However, if your Mac is still running El Capitan (macOS 10.11) or an older version of macOS, then you have probably started encountering various issues in your browsers that prevent you from reaching the sites you want to visit.

The core reason for all this is that the currently expired DST Root CA X3 certificate allowed older machines to recognize Let’s Encrypt certificates. However, DST Root CA X3 was created back in 2015 and its expiration date arrived on the 30th of September this year. Past this date, only Macs with macOS versions released after 2015 are able to recognize Let’s Encrypt certificates and visit the sites that use them.

We understand how annoying this could be, especially if you’re using an older machine that cannot get upgraded past El Capitan. In some cases, the expiration of such an important root certificate could mean that an older Mac becomes nearly unusable for browsing purposes. At the same time, there are many such Macs left around the globe that are used in work environments, so their becoming obsolete in terms of their ability to browse the Internet could be quite a problem. The good news is there may be some solutions to that issue – at least for the time being. While at a certain point in the future you may end up needing to get a newer machine that can support the latest macOS versions, with the help of the suggested method below, you should be able to restore your Mac’s ability to browse the Internet and visit the sites you want to reach without encountering the DST Root CA X3 expired Mac error.

DST Root CA X3 expired Mac fix

The DST Root CA X3 expired (Mac) fix is to manually download, install, and “trust” the new ISRG Root X1 certificate on your Mac. An alternative DST Root CA X3 expired (Mac) fix would be to use Firefox, as it has its own certificates list.

Before we get any further, however, it’s important to note that the best fix would still be to simply upgrade your macOS to a version newer than El Capitan (10.11) if that is possible on your Mac. With a newer macOS, the expiration of the Root X3 certificate wouldn’t be a problem. The oldest macOS version that would allow you to visit sites that use Let’s Encrypt certificates and wouldn’t have a problem with the expiration of the Root CA X3 certificate is macOS 10.12.1 (High Sierra). The following Macs are supported for High Sierra and so if your Mac model falls in that list, chances are you should be able to upgrade its macOS.

  • MacBook Pro (2010 and later)
  • MacBook (late 2009 and later)
  • MacBook Air (2010 and later)
  • iMac (late 2009 and later)
  • Mac Pro (2010 and later)
  • Mac Mini (2010 and later)

To upgrade the macOS of your Mac, simply go to the Apple Logo menu, open System Preferences > Software Update, and click the Upgrade Now button that should be available in the next window. Next, follow the on-screen steps and once you are finished, your macOS should be upgraded to the latest version that the computer can support.

Now, for those of you who have a Mac that’s older than the models from the list above, as was already said, the two options you can try to still get your Mac to freely visit sites that use Let’s Encrypt certificates are to either manually set up the newer ISRG Root X1 or to use Mozilla Firefox as your main browser.

Manually installing the ISRG Root X1 certificate

  1. Click on this link to download the ISRG Root X1 certificate file.
  2. Open Spotlight Search by clicking the magnifying glass icon from the menu bar, or by pressing Command + Space bar.
  3. Type Keychain Access in the Spotlight Search and click the first result.
  4. In the Keychain Access app, click on the System (not System Roots!) icon from the top left (under System Keychains), and then drag-and-drop the ISRG Root X1 certificate file that you downloaded (the file should be named isrgrootx1.der) into the list of items in the Keychain Access app. Your Admin password will likely be required, so enter it and click Modify Keychain.
  5. Now find the ISRG Root X1 certificate in the Keychain Access app’s System folder, double-click it, and expand the Trust settings.
  6. After that, change the “When using this certificate” setting from “Use System Defaults” to “Always Trust”. If you are prompted to provide your password again, do that and confirm the change.

After this, you should hopefully no longer have any problems with accessing sites with Let’s Encrypt certificates.

Installing Mozilla Firefox

Firefox is known for using its own certificate list and not the one that comes from Apple/macOS, so using this browser has proven to allow users who have El Capitan or older macOS on their Macs to still access the sites that are otherwise inaccessible using Safari or any Chromium-based browser. If for some reason the previous method with the manual addition of the new certificate didn’t work for you and if your Mac cannot upgrade to a higher macOS, this is probably your only remaining option. However, note that while using Firefox is a viable solution for the time being, this may change in the future and your Mac may no longer be able to visit Let’s Encrypt-certified sites.