MacOS – “iTunes can’t verify the identity of the server …” after a Security Update in Mavericks or upgrade to El Capitan

certificate, macos, security

Prior to the security update released in early April my system was working fine. After that, I'm getting invalid certificates everywhere:

  • iTunes says "iTunes can’t verify the identity of the server “init.itunes.apple.com”." and "iTunes can’t verify the identity of the server “xp.apple.com”." when I open it.
  • Chrome gives me warnings for many https sites (e.g. Google is fine, Twitter isn't).
  • Most importantly I can't connect to the App Store anymore, which I was planning to do to upgrade to Yosemite given that Apple decided to not fix one of the security vulnerabilities for the previous versions.

I checked my certificates in Keychain Access and I don't see anything wrong with them. I've also tried deleting some files related to certificate caches as I've seen mentioned somewhere else, but it didn't help either.

I'm using OS X 10.9.5 on a MacBook Air, Late 2012.

Update

This problem also applies to some systems updated from OS X 10.10 Yosemite to OS X 10.11.1 (15B42) El Capitan.

Best Answer

The reason:

After installing Security Update 2015-004, multiple users found that they couldn't browse to any website using the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" without a security warning ("invalid certificate"). 2015-004 updated the list of trusted root CAs, and for a reason I'm still unclear about, many of us have an identical entry in our Login Keychain. The certificate name is the same, but the serial number is wrong. The conflict causes the problem.

The solution:

Open Keychain, and look up your Login Certificates. Export any VeriSign certificates (as a backup), and then delete them. Restart your browser.

I had the same issue and asked about it at https://security.stackexchange.com/questions/85830/why-is-symantec-verisign-ca-appearing-as-an-invalid-authority

You can see a full discussion in https://discussions.apple.com/thread/6984765
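
The conflict described in the answer (a login-keychain certificate with the same name as a system root but a different serial number) can be listed before anything is deleted. This is an added example, not part of the original answer: the keychain paths are the assumed defaults for OS X 10.9 to 10.11, and `dump_certs` and `find_conflicts` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: list login-keychain certificates that share a subject with a
# system root certificate but carry a different serial number.

# Assumption: default keychain locations on OS X 10.9 to 10.11.
LOGIN_KC="$HOME/Library/Keychains/login.keychain"
ROOTS_KC="/System/Library/Keychains/SystemRootCertificates.keychain"

# Print "subject<TAB>serial" for every certificate in keychain $1.
dump_certs() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/kcdump.XXXXXX") || return 1
  # Split the concatenated PEM output into one file per certificate.
  security find-certificate -a -p "$1" |
    awk -v d="$dir" '/BEGIN CERTIFICATE/ { if (f) close(f); f = d "/" (++n) ".pem" }
                     f { print > f }'
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    printf '%s\t%s\n' \
      "$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')" \
      "$(openssl x509 -in "$pem" -noout -serial | sed 's/^serial=//')"
  done
  rm -rf "$dir"
}

# $1 = login list, $2 = roots list (files of "subject<TAB>serial" lines).
# Prints each login entry whose subject is also a root but with another serial.
find_conflicts() {
  awk -F'\t' '
    NR == FNR { roots[$1] = roots[$1] " " $2 " "; next }
    ($1 in roots) && index(roots[$1], " " $2 " ") == 0 { print $1 "\t" $2 }
  ' "$2" "$1"
}

# Only query the keychains where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then
  tmp=$(mktemp -d "${TMPDIR:-/tmp}/kccmp.XXXXXX") || exit 1
  dump_certs "$LOGIN_KC" > "$tmp/login.tsv"
  dump_certs "$ROOTS_KC" > "$tmp/roots.tsv"
  find_conflicts "$tmp/login.tsv" "$tmp/roots.tsv"
  rm -rf "$tmp"
fi
```

Each printed line is a login-keychain entry (subject, then serial) that is a candidate for the export-then-delete step in the answer.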