I cannot access Wikipedia on both my Macs. macOS says that the intermediate certificate used to sign Wikipedia’s certificate (GlobalSign Organization Validation CA - SHA256 - G2
) has been revoked.
I don’t believe that the certificate in question has been revoked, so I checked manually GlobalSign’s CRL and OCSP service and both tell me that the certificate is OK.
Are there other sources of CRLs that macOS can potentially use? Is there a way to ask Security Framework to tell me what exactly is wrong with the certificate in its opinion?
Best Answer
I tried
crlrefresh rp
and also manually deleting the OCSP cache withsudo rm /var/db/crls/*cache.db
as documented by GlobalSign.However, the cache seems to be in a different location on macOS 10.12 Sierra. The following command worked for me and resolved the problem:
I also tried deleting the whole database, but it does not seem to come back automatically.
If unsure, better just restore
~/Library/Keychains/*/ocspcache.sqlite3*
(including-shm
and-wal
) from a backup before the OCSP servers started to give wrong replies, for example from yesterday.