Fix persistent invalid certificate errors in OS X

CertificateIconXWhen connecting to various online services, your Mac will use certificates to validate a connection. If a certificate being used for a connection is expired or invalid, then OS X will notify you of this when attempting to use it, and offer you the choice of continuing with the connection, inspecting the certificate, or canceling the connection. Such warnings are convenient for detecting an invalid connection, such as one that might be malicious, so if they happen then consider looking into them; however, there may be times when practically every connection you attempt gives you a certificate warning.

When this happens, it suggests a problem with your certificate configuration, more than a problem with the connections at hand, and this may happen for several reasons, which can usually be fixed by one of the following approaches:

1. Check your date and time

Certificate authentication requires your Mac’s time be in sync with the server you are connecting to, so if for some reason your Mac’s time is off, then you may get these errors. To fix this, go to the Date & Time system preferences, and ensure the option to “Set date and time automatically” is checked (click the lock to authenticate if this option is grayed out). Be sure the time server used is one that is appropriate for your location, and then close the system preferences. Within a few moments, OS X should adjust your system clock, which should clear the certificate errors.

Date & Time settings in OS X

Whenever you have certificate and authentication errors, be sure your system’s clock is accurate. You can ensure this is always the case by using a dedicated time server for your system.

2. Change trust settings for specific certificates

If this is happening only for specific certificates, and you trust that the service you are connecting to, then you can modify the trust settings for the certificate to allow the authentication to proceed. To do this, open the Keychain Access utility (in the Applications > Utilities folder), and select your login keychain. In here, click the Certificates category, and then locate the certificate for the service you are connecting to. You can do this by searching for the domain name of the service, or by sorting the certificates by name and scrolling through them.

If a certificate has a red “X” symbol on its icon, then this means the certificate has expired or is otherwise invalid. In these cases, you can right-click the certificate and remove it from your system. If the connection requires one, then it will be downloaded from the service again the next time you connect and authenticate.

Certificate trust settings in the OS X Keychain

Start by choosing this option to remove custom trust settings for your certificate, but also consider adjusting specific trust settings that pertain to your connection.

If the certificate has a blue plus symbol, then this indicates custom trust settings for the certificate, which may be the reason for the faults you are experiencing. For instance, a certificate may be used for SSL validation, but if this trust setting is not set up properly, then OS X will prompt you to use this certificate every time an SSL connection attempts to use it. Fixing this requires adjustment of the trust settings for the certificate:

  1. Double-click the certificate in Keychain Access to open it
  2. Expand the “Trust” settings section
  3. Choose “Use System Defaults” from the top-most menu

The system defaults setting should have the certificate used for the appropriate connections on demand; however, you can also attempt to manually adjust the custom trust settings for the certificate. For instance, if you get this certificate error only when using a Kerberos single sign-on password, you might choose “Always Trust” for the Kerberos Client trust setting. You can try similar options for the other trust settings, but only enable those that the certificate is specifically used for.

3. Reset your keychain

Finally, you can take steps to reset your Mac’s keychain certificates. While you should not need to clear your entire keychain and set it up from scratch again, you can select and remove the certificates that are mentioned by these errors. Doing so will have the system re-download new certificates for connections that demand them, potentially overcome configuration errors in the prior certificates. Note that you should only do this for your account’s login keychain. There is a special keychain called “System Roots” that contains a number of certificates. These are public certificates issued by numerous trusted certification authorities, and are used to validate certificates issued by online services to which you connect. Removing or modifying these will break your ability to validate connections, so it is best to leave these alone.

2 thoughts on “Fix persistent invalid certificate errors in OS X

  1. Michael Schmitt

    Don’t forget the simple explanation: the site has made changes to the domains it uses, but the web browser has cached obsolete pages.

    So step 0 should be to clear the browser cache. On Safari you can do this from the Debug menu.

Comments are closed.