After installing the most recent security and Safari updates (7.1.5) on Mavericks, Safari and other applications (those using NSURLConnection/CFURLConnection) no longer recognize any root certificates as valid. The root certificates in the System Roots keychain seem to be fine, as far as Keychain Access is concerned. However, Safari, iTunes, Chrome, etc. fail to validate all root certificates ("This certificate was signed by an unknown authority"). Already tried deleting the /var/db/crls/crlcache.db and /var/db/crls/ocspcache.db to no effect. System time is correct. Any ideas?
Safari, iTunes, Chrome etc. won’t recognize root certificates after recent update to Safari 7.1.5 (Mavericks)
certificatekeychainsafariSecurity
Related Solutions
Every site I check that I have manually set as untrusted shows a warning. Perhaps things are changing on the servers so rapidly, different people doing the same actions are seeing different results.
Let's set aside the concept of blacklisting in general and certificate revocation like (CRL) or online verification like OCSP and just pick apart the mechanism of SSL certificates in the browser. I will set aside Chrome/Firefox/other browsers and just focus on Safari and the Mac Keychain as that's trouble enough for this post.
The short answer is the site you list doesn't depend on the one certificate that was used in a way that has caused the press to run all the blacklist stories.
It was used to sign certificates that matched anything ending in google.com and they were spotted in use on sites that were certainly not google. This is a technological equivalent to someone constructing tunnels into a bank vault. Not plans to tunnel - but a working actual tunnel around a barrier everyone expected to be solid.
Now onto how to know why Safari didn't flag the site you listed as "bad".
I haven't deleted any certificates from the mac I'm on and just fired up the Keychain Assistant to use the Certificate Assistant (under the Keychain Access menu -> Certification Assistant -> Open...
In the small CA window, select continue, then View and Evaluate, then View and evaluate certificates, then continue.
As you can now see, https://as.digid.nl/ is serving up four certificates in the chain of trust:
- cert name - type - SHA1 fingerprint - status
- as.digid.nl - SSL - 2D F7 4E 54 00 90 80 08 01 0A 2F 3E 5A EE BE 36 5F EC 82 F3 - invalid due to host name mismatch (harmless error - the tool evaluates that cert for your mac and my mac isn't as.digid.nl)
- DigiNotar PKIoverheid CA Overheid en Bedrijven - intermediate - 40 AA 38 73 1B D1 89 F9 CD B5 B9 DC 35 E2 13 6F 38 77 7A F4 - valid
- Staat der Nederlanden Overheid CA - intermediate - 29 FC 35 D4 CD 2F 71 7C B7 32 7F 82 2A 56 0C C4 D2 E4 43 7C - valid
- Staat der Nederlanden Root CA - root - 10 1D FA 3F D5 0B CB BB 9B B5 60 0C 19 55 A4 1A F4 73 3A 04 - valid
In your question you stated you deleted the root key - if so, your safari is either cacheing the old values or when you looked, that site had a SSL certificate different than the one I saw making this answer. You'll have to reproduce the steps I just took to see which was the case.
In my case, I only had to mark the Staat der Nederlanden Root CA root certificate as untrusted to get Safari to balk and show this message when you load the site.
Since all the press is specific about only the DigiNotar Root CA as being bad, I am going to undo my change to not trust the Staat der Nederlanden Root CA.
I am going to mark the DigiNotar Root CA as never to be trusted and wait and see what Apple does. If you are interested in this sort of thing, do monitor the Apple Security page.
The answer, as discovered by shizmob, is that Apple moved the location of this preference in Maverics to /Library/Preferences/com.apple.security. So what you need to run is
sudo defaults write /Library/Preferences/com.apple.security RSAMaxKeySize -int 8192
Related Question
- MacOS – Can’t set own self-signed root certificate to “Always Trust” on macOS Sierra
- How to replace missing root and intermediate certificates in Mac OS X v10.8
- Why is the Turkish Government in the computer
- “Unknown Error = -2,147,414,007” on creating certificate with Certificate Assistant
- How to clear SSL leaf certificates mappings to particular domains
- Why are these corporate certificates pre-installed and is it safe to delete/“Never Trust” most/all of them
Best Answer
Were able to solve the issue myself. For some reason, there were a few root certificates in my login Keychain, which have been revoked and replaced with newer certs in the System Roots keychain. Deleted those certs from my login keychain and everything works fine again.