The latest Mac OSX El Capitan looks great! However, one of the Annoy things is since it updates all certificate root, it always gets problem in accessing internet, even for Apple’s own service, like, iTunes, etc.

The root cause of this is the new certificate root that El Capitan ships do not match all the current certificate roots. If you check the SSL error in Chrome, you can probably see this:

chrome untrusted certificate

To fix it, you need to import the “old” certificate root which is missing here.

As shown above, the certificate root “VeriSign Class 3 Public Primary Certification Authority – G5” (expired in 2021) is missing. If you double check the current certificate root in El Capitan, you will see the current one expires in 2036.

new certificate root in El Capitan

Here is the way to fix it:

Open this link in Safari. And you will need to temporarily add the SSL of this link as trusted.

  • Download the attachment Symc_Cross_Root.txt and rename it to Symc_Cross_Root.cer.
  • Open Keychain Access and choose System and category Certificate.
  • From the menu bar, choose File > Import Items.
  • Import Symc_Cross_Root.cer. And you should see the “new” certificate root “VeriSign Class 3 Public Primary Certificate Authority – G5” added.
  • Double click this certificate. From the certificate information window, click the arrow by “Trust”.
  • Select Always Trustfor the dropdown “When using this certificate”.
  • The certificate should have a blue + icon.

Keychain Access new Certificate Root

OK, now you are free to go.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>