MacOS – How to tell why macOS thinks that a certificate is revoked

Tags: certificate, keychain, macos, Security

I cannot access Wikipedia on both my Macs. macOS says that the intermediate certificate used to sign Wikipedia’s certificate (GlobalSign Organization Validation CA - SHA256 - G2) has been revoked.


I don’t believe that the certificate in question has been revoked, so I manually checked GlobalSign’s CRL and OCSP service, and both tell me that the certificate is OK.

Are there other sources of CRLs that macOS can potentially use? Is there a way to ask Security Framework to tell me what exactly is wrong with the certificate in its opinion?

Best Answer

I tried crlrefresh rp and also manually deleting the OCSP cache with sudo rm /var/db/crls/*cache.db as documented by GlobalSign.

However, the cache seems to be in a different location on macOS 10.12 Sierra. The following command worked for me and resolved the problem:

$ sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM responses WHERE responderURI LIKE "%http://%.globalsign.com/%";'

I also tried deleting the whole database, but it does not seem to come back automatically.

If unsure, it is better to just restore ~/Library/Keychains/*/ocspcache.sqlite3* (including the -shm and -wal files) from a backup taken before the OCSP servers started to give wrong replies, for example from yesterday.
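The answer's one-line DELETE works, but an inventory of which responders are cached, a backup of the database and its -shm/-wal side files, and a dry run before anything is removed are what I would want before editing a keychain-owned file. The following added example (not from the answer or from Apple) does that; it relies only on the `responses` table and `responderURI` column named above, assumes nothing else about the schema, and builds its own sample cache with constructed rows so it runs offline.

```python
"""Inspect and selectively purge macOS OCSP cache entries (added example)."""
import shutil
import sqlite3
from pathlib import Path
from urllib.parse import urlsplit

# Table and column names are the ones used in the answer above; nothing else
# about the schema is assumed, so only rowid and responderURI are touched.
TABLE, URI_COLUMN = "responses", "responderURI"
SAMPLE_URIS = [  # constructed sample rows, not real cache contents
    "http://ocsp2.globalsign.com/gsorganizationvalsha2g2",
    "http://ocsp.digicert.com",
    "http://globalsign.com.evil.example/ocsp",
]

def make_sample_cache(db_path):
    """Create a stand-in cache holding only the column this script relies on."""
    with sqlite3.connect(db_path) as conn:
        conn.execute(f"CREATE TABLE {TABLE} ({URI_COLUMN} TEXT)")
        conn.executemany(f"INSERT INTO {TABLE} VALUES (?)", [(u,) for u in SAMPLE_URIS])

def _host_matches(uri, domain):
    host = urlsplit(uri or "").hostname or ""  # compare hosts, not a LIKE pattern
    return host == domain or host.endswith("." + domain)

def responder_hosts(db_path):
    """Return {responder host: cached response count}, a dry-run inventory."""
    counts = {}
    with sqlite3.connect(db_path) as conn:
        for (uri,) in conn.execute(f"SELECT {URI_COLUMN} FROM {TABLE}"):
            host = urlsplit(uri or "").hostname or "(no responder URI)"
            counts[host] = counts.get(host, 0) + 1
    return counts

def backup_cache(db_path):
    """Copy the database plus its -shm/-wal side files; returns the copies made."""
    copies = []
    for p in [Path(db_path)] + [Path(f"{db_path}{s}") for s in ("-shm", "-wal")]:
        if p.exists():
            copies.append(shutil.copy2(p, p.with_name(p.name + ".bak")))
    return copies

def purge_responder(db_path, domain, dry_run=True):
    """Delete responses whose responder host is domain or a subdomain of it."""
    with sqlite3.connect(db_path) as conn:
        rows = conn.execute(f"SELECT rowid, {URI_COLUMN} FROM {TABLE}").fetchall()
        victims = [(rid,) for rid, uri in rows if _host_matches(uri, domain)]
        if victims and not dry_run:
            conn.executemany(f"DELETE FROM {TABLE} WHERE rowid = ?", victims)
    return len(victims)
```

On a real machine, point `db_path` at each match of `~/Library/Keychains/*/ocspcache.sqlite3`, call `responder_hosts` and a dry-run `purge_responder` first, then `backup_cache` before passing `dry_run=False`.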