By Dan Moren
January 25, 2017 1:33 PM PT
Quick Tip: Fixing expired GlobalSign certificates
For a few weeks now I’ve been getting security errors on my iMac when visiting a few different sites, with Safari telling me that the SSL certificate for the site has been revoked. Puzzled by this, I noticed that although the problem was also occurring on Chrome on my iMac, I wasn’t encountering a similar issue on my MacBook Air, or any of my iOS devices.
I was ready to chalk it up to an issue with a single site until earlier today, when I loaded up XKCD and noticed that it was giving me the certificate expired error. Given the proprietor’s well-known tech savvy and security consciousness, I figured the problem was almost certainly on my end. So, away I went in search of a solution.
The certificates in question all seemed to be issued by a company called GlobalSign—and really, I should have started my investigations there, but I kind of came at this the long way round. 1
The reason for the errors, as it turns out, is that GlobalSign had an issue with certificates being erroneously revoked, but for some reason my iMac failed to clean one of its caches and get fresh certificates.
Eventually I located a support doc on GlobalSign’s site, which lays out how to fix the problem with a little command-line action.
First, you’ll want to make a backup, just in case: I duplicated the entire
~/Library/Keychains folder to be on the safe side.
Then, fire up Terminal and run this command:
sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp;'
That’ll wipe the old certificate data from all the caches. Relaunch your web browsers and load up the old sites, and voilà! No more certificate errors.
Said long way round included trying to repair my Keychain, only to remember that macOS Sierra removed the Keychain First Aid option; then running First Aid on my startup disk as a replacement, only to realize that though I did apparently have issues on the disk, I couldn’t repair it while I was booted on it; followed by booting into recovery mode and finding my boot disk grayed out, which reminded me that a File Vault disk needs to be manually mounted…and on and on. ↩
[If you appreciate articles like this one, help us continue doing Six Colors (and get some fun benefits) by becoming a Six Colors subscriber.]