SOLVED Root certificate is not trusted

Joined
Sep 25, 2015
Messages
396
Reaction score
10
So I went into Keychain access and had to set a certificate to "Always Trust" in order to avoid getting errors on some software. This is an old machine (2011 MacBook Pro), running Mountain Lion. I noticed there that the mycomputer.local cert is labelled as "This root certificate is not trusted" in red letters. Ouch? Sounds important. What exactly does that mean? That cert is set to Trust "Using System Defaults". I could just set it to "Always Trust" which makes that red lettered error go away. To the extent that that cert is not trusted, what difference should that make to me? Everything is going fine with the machine, otherwise.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,106
Reaction score
497
Hello,

Old certificates that are expired/show as untrusted are becoming more common in older Macs and versions of OS X/macOS. The only real way to correct the issue is to update to a newer version of macOS, mainly High Sierra or later. Most users notice this when browsing the Internet/accessing email/messaging/etc., as these older certificates and versions of things like TLS will not allow loading of some sites, especially those that require an HTTPS connection. Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL), and TLS 1.1 was deprecated by most web sites/browsers in 2020.

Hope that helps.

C
 
Joined
Sep 25, 2015
Messages
396
Reaction score
10
Thank you. But what I'm trying to understand is what purpose do these serve? And what purpose are they not going to serve if I allow them to "Always Trust"? Is this a security issue for me, or for someone else?
 
Joined
Jul 6, 2021
Messages
186
Reaction score
25
I am guessing here but these certificates may be part of the machine authentication/trust to Apple, like updates or iCloud for instance. Those connections are secure and in order to secure them, certificates are needed. I don't have any direct experience with these certificates, just assuming that is what they are for. Cory is spot on for the other certificates though: as machines age and Apple decides not to update the installed third party certificates, you may get browser errors when navigating to web sites.

On Monterey, I don't have a "my computer.local" certificate but I do have under "system keychains" 2 certificates: "com.apple.kerberos.kdc" and "com.apple.systemdefault". I also have a "system roots" section which is all of the third party root certificates Cory mentioned above.

Not sure if any of that is helpful!
 
Joined
Sep 25, 2015
Messages
396
Reaction score
10
That's useful information, but I'll ask again - what purpose are they not going to serve if I allow them to "Always Trust"? Is this a security issue for me, or for someone else? Who's going to do what to me if I "Always Trust"? What exactly are the certificates protecting?
 
Joined
Jan 9, 2022
Messages
1
Reaction score
0
The “always trust” enables you to manually verify (your decision) the certificate rather than having a series of certificates leading from the web site all the way through the vendor that sells them to the trusted “root”.

Normally the “Root” certificates are loaded by Apple to the keychain system and in a sense they say “we trust these for you”. In this case you are saying “ok, I trust this” instead because the “Root” you have expired and Apple is no longer updating it through “security updates”.

As long as you have a clue as to what you are doing and don’t just press the “trust” to get past it and ignore the information presented, you are good. A general rule is to look at the cert and see if the “domain” matches the link you see in the browser.
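
Added example, not part of the thread: a Python sketch of the manual checks that stand in for chain validation once a certificate is set to "Always Trust" (name match, validity dates, self-signed). The function names, the sample certificate and the 2022 date are constructed for illustration; the dictionary has the shape that `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from calendar import timegm

def _field(rdns, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    return [v for rdn in rdns for k, v in rdn if k == key]

def name_matches(pattern, hostname):
    """Exact match, or '*' as the whole leftmost label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def manual_trust_checks(cert, hostname, now):
    """Return the problems to resolve before overriding trust for this cert."""
    problems = []
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy certs carry the host only in the common name
        names = _field(cert.get("subject", ()), "commonName")
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed")  # no chain to a system root
    return problems

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
NAME = ((("commonName", "mycomputer.local"),),)
SAMPLE = {"subject": NAME, "issuer": NAME,
          "notBefore": "Jan  1 00:00:00 2012 GMT",
          "notAfter": "Dec 31 23:59:59 2021 GMT",
          "subjectAltName": (("DNS", "mycomputer.local"),)}

if __name__ == "__main__":
    now = timegm((2022, 1, 9, 0, 0, 0))  # constructed "current" date
    print(manual_trust_checks(SAMPLE, "mycomputer.local", now))
    print(manual_trust_checks(SAMPLE, "example.com", now))
```

A "self-signed" result is expected for a locally generated certificate; "name-mismatch" is the finding that should stop a manual override.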
 
Joined
Sep 25, 2015
Messages
396
Reaction score
10
Thanks, that's very helpful. Manual verification and matching the link would work fine.
 
