MacOS – Updating SSL root certs on old Mac (running Lion)

macosSecurityssl

My father-in-law reported an "Invalid SSL certificate" suddenly started appearing on his online banking website.

After verifying it's not a website issue (it loads correctly on other computers), I understood that the root certificate of the website certificate is not being trusted probably because too new and the Mac is not being updated anymore.

Is my understanding correct?
If yes, is there a safe way to download new root certificates that are being added to recent Macs?

Best Answer

Inspecting the certificate at https://www.intesasanpaolo.com, you can see that it uses the root certificate Chambers of Commerce Root - 2008. Upon inspecting the System Roots in Keychain Access on a Mac running Mac OS X Lion, this root certificate is trusted by the OS by default. This means that Safari should properly trust this website without prompting about an "Invalid SSL certificate".

I would first verify that you see this certificate in the System Roots and that it has not been accidentally set to Never Trust.

You can also securely obtain the root certificate used by this website at https://www.camerfirma.com/clavespublicas. You specifically need the certificate

Chambers of Comerce ROOT - 2008 -> SHA1 78 6a 74 ac 76 ab 14 7f 9c 6a 30 50 ba 9e a8 7e fe 9a ce 3c

Direct Link

When you open this certificate, you can select to install it to the System keychain. This should allow Safari to properly trust the SSL on that website.

Generate a host key

First, make a home for the new SSL files. I use /etc/apache2/ssl. Open up a terminal window, cd to the new directory and issue the following command to create a host key file.

sudo ssh-keygen -f host.key

Generate a certificate request file

This command create a certificate request file. A certificate request file contains information about your organization that will be used in the SSL certificate.

sudo openssl req -new -key host.key -out request.csr

Create the SSL certificate

Create a self signed SSL certificate using the request file.

sudo openssl x509 -req -days 365 -in request.csr -signkey host.key -out server.crt

Configure Apache

Create a backup of /etc/apache2/httpd.conf.

Append the contents of /etc/apache2/extra/httpd-ssl.conf to /etc/apache2/httpd.conf.

In /etc/apache2/httpd.conf, make sure the loading of SSL is enabled (remove the #)

LoadModule ssl_module libexec/apache2/mod_ssl.so

Also, edit SSL section to use the new certificate.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key

Check the config and restart Apache to try the new certificate.

sudo apachectl configtest
sudo apachectl restart

Thanks to the House of Ding and Matt Langtree for providing much of this solution.

IPad Mail client – IMAP with X.509 client certificates

The question appears to be specific to using X.509 for authentication to an IMAP service, which isn't supported by iOS. S/MIME email encryption and signatures can be performed on iOS, but the authentication to mail services will still use username/password over SSL or TLS.

Best Answer

Related Solutions

MacOS – Configuring SSL with Apache under Lion

Generate a host key

Generate a certificate request file

Create the SSL certificate

Configure Apache

IPad Mail client – IMAP with X.509 client certificates

Related Question