
A Fix for SSL Certificate Problems on Mac OSX Lion
After doing a reinstall of Lion a few weeks ago, I found that my computer suddenly would reject every VeriSign certificate that it encountered. Using Chrome, that meant that I couldn’t even access Twitter.com, because it thought that the certificate was wrong. I couldn’t log in to the Apple developer portal, I couldn’t authenticate a device with Xcode, I couldn’t make a purchase at Apple.com, I couldn’t download updates from the Mac App Store, and I couldn’t log in to Mint.com, among other sites. I essentially couldn’t do anything that used a VeriSign certificate for SSL.
What did I do? I called my trusty AppleCare advisor, hoping for an answer. I thought that maybe they could help me figure it out. After getting to senior support, I was told to reinstall Lion, which I did to no avail. My case was then forwarded to the Apple engineering team, with 3 to 5 days to wait until I had an answer. I looked around, through my console logs and through Keychain Access, and finally came up with an answer, and a solution to my problems.
It turned out that my solution was pretty simple. I had to delete a few files and reset one to its default setting.
- Delete the files /var/db/crls/crlcache.db and /var/db/crls/ocspcache.db. These can be found using Finder’s Go > Go To Folder menu (Cmd + Shift + G). This resets the cache of accepted certificates in the system. It doesn’t remove them, it just forces the system to rebuild the caches upon restart.
- Open Keychain Access (/Applications/Utilities/Keychain Access). Select Certificates in the Category picker on the left side. In the search bar, type in the word Class. Look through that list, and find any certificates that have a blue + symbol over their icon. These are the ones you need to modify.
- Select one that has a blue +, and hit Command + I. Click the disclosure triangle beside the “Trust” list to show the list of permissions. Now, what we need to do is to set this certificate to use the system defaults. However, for some reason, when you select it, it doesn’t save. So what you need to do is this. Under “Trust”, where it says “Secure Sockets Layer (SSL)”, change the dropdown menu to say “No Value Specified”. Then, close the window. It will ask for your administrator permissions. Then, open the info pane for that certificate again. Under “Trust” again, now set the dropdown that says “When using this certificate:” to say “Use System Defaults”. You can then close out of the info pane, and enter your password again. Do this for any of the certificates that have a blue + on their icon. There should only be one or two at most.
- Restart your system.
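
Step 1 can also be done from Terminal, which avoids the Finder permission error on /var/db/crls that several commenters report. The script below is an added example, not part of the original post: it moves the two files into a backup folder instead of deleting them, and the script name, the `--run` switch and the /var/tmp backup location are choices made here.

```shell
#!/bin/bash
# Added example (not from the original post): step 1 done from Terminal.
# The two cache files are moved into a backup folder rather than deleted,
# so the change can be undone by moving them back.

# reset_crl_caches CACHE_DIR BACKUP_DIR
# Moves crlcache.db and ocspcache.db out of CACHE_DIR into BACKUP_DIR and
# prints one line per file. Any other file in CACHE_DIR is left untouched.
# Returns 0 if at least one file was moved, 1 if neither file existed,
# 2 if CACHE_DIR is missing or a move failed.
reset_crl_caches() {
    local cache_dir=$1 backup_dir=$2 moved=0 f
    if [ ! -d "$cache_dir" ]; then
        echo "no such directory: $cache_dir" >&2
        return 2
    fi
    mkdir -p "$backup_dir" || return 2
    for f in crlcache.db ocspcache.db; do
        if [ -e "$cache_dir/$f" ]; then
            mv "$cache_dir/$f" "$backup_dir/$f" || return 2
            echo "moved $f"
            moved=$((moved + 1))
        else
            echo "absent $f"
        fi
    done
    [ "$moved" -gt 0 ]
}

# Only touch the real system when asked to, e.g.
#   sudo bash reset-crl-caches.sh --run     (hypothetical script name)
if [ "${1:-}" = "--run" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "the files under /var/db/crls need root: run with sudo" >&2
        exit 1
    fi
    # Certificate validation depends on the clock, so show it first.
    echo "system clock: $(date)"
    backup="/var/tmp/crls-backup-$(date +%Y%m%d%H%M%S)"   # assumed location
    reset_crl_caches /var/db/crls "$backup"
    echo "backup folder: $backup"
    # Print the admin-level trust settings for review before doing the
    # Keychain Access steps. Run 'security dump-trust-settings' without
    # sudo to see the per-user settings as well.
    security dump-trust-settings -d || true
    echo "Continue with the Keychain Access steps, then restart."
fi
```

To undo the change, move the two files from the backup folder back into /var/db/crls and restart.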
This solution seemed to work just fine for me. All of my certificate problems have been fixed. It must be something with the OSX installer that causes this certificate issue. I’ll file a bug report. Hopefully someone looks into it and fixes the flaw in the OS. And, I hope that this fixed the flaw for you.
Addendum – a note on security:
This procedure won’t affect the security of your Mac. I’ve had some questions come in about that, and if anything, it makes it more secure because then sites that require SSL certificates can actually use them, unlike before where they might default to non-secure connections because the certificate was bad.
well done it worked for me too and I posted it in the Apple Support Forums!
You SAVED my life, solving this issue after days searching a fix.
THANK YOU VERY VERY much
Pierre
Fantastic info. Solved the issue I was having. Thanks for taking the time and effort to work this out and sharing it with the rest of us!
Hey Pierre
Thank you for your response. I haven’t managed to get a fix yet – even the Mac guys couldn’t do it and suggested reinstalling Lion, which I declined to do as they said I would probably lose some of my applications. I did try the Keychain Access route but didn’t change all the + commands – I will try that this evening and hopefully be back up and running.
Thanks again Ck
Hey Arthur – and thank you very much for this post – it enabled me to fix the issue Apple Support did not find a solution for.
..aape
Thank you so much – the key chain thing has worked for me and I’m now able to download Mountain Lion! Thanks again CK – cottagegate.
Thank you! This worked to get rid of the Verisign warnings in Safari and more importantly to let me log into the Mac App Store again! I had tried another way of changing the certificate settings, but had no success.
Awesome! Thanks so much!
Phew! Thank you!!! That worked.
Thank you, this fix helped when trawling the Apple support forums for hours didn’t!
You made my day ! Thank you so much man !!!
Thanks a lot for this advice! I’ve spent nearly a week with all sorts of solutions and got no help from Apple Support. One thing: When I changed the permissions for the Certificates (I found 2 with a blue cross) they duplicated and kept the blue cross on both until I deleted the original. Anyway, this allowed me to log in and I’m now on Mountain Lion…:-)
Arthur, thank you very much! First thing that worked for me after weeks and weeks of fruitless trying around.
Thanks for the great info. This worked!!
I was searching desperately to fix the broken access to the mac app store …. Your hint works! Thanxalot!
Thank you, thank you! Worked perfectly.
Thanks. Instructions very good. I couldn’t get into the App Store with the ‘connection failed’ message but on deleting files as you advised and setting the certificate drop downs as you instructed then restarting, all good. Have updated to Mountain Lion. Great, so thanks!
Thank you so much for your solution, great work. Michael from Germany
Thanks a bunch. I tried many things including Apple Support but this did the trick. EXCELLENT
Arthur Lockman, whoever you are, you are a legend….many thanks, I am forwarding this link to my local Apple store in the hope that they will know what to do next time
I love you man!
Amazing!!! I join all the previous comments!! I’m in tears, it works to solve so many problems.
wow !!! thanks a lot
I installed Mountain Lion and could not connect to the Mac App Store after that – did this and now it connects. Thanks!
Great fix for my MacBook using the Apple MacBook app store. Thank you so much !!!
Nice one
Thank you! Apple Support had not a clue. This trick solved a lot of Safari problems for me.
Thank you so much!!
Awesome. Thanks!
F’in BRILLIANT! Worked for me after hours of messing with keys and certs…Thanks!!!
Is there a solution for the iPhone 3Gs?
Alas, it didn’t work for me. I don’t have any magic blue plus icons in keychain access. I’ve deleted the db files twice and that’s not helped either. I’m tempted to delete the pem files in that folder too
Thanks a lot, it was also locking some music sync on itunes for me…
WOW !!! Thank you so much…It WORKED !!!
Woo-hoo it worked… A little scary for me to mess with the system but after reading all notes…I decided to try it…THANKS!!!
I was excited to find this post, but then I came across a snafu. I don’t have any blue “+” icons listed in the keychain certs. I’ve been dealing with this problem for a while now, but mostly since mountain lion. Do you have any additional suggestions?
That’s odd. I haven’t encountered this problem on mountain lion. Is it just on certain websites, or is it on the app store too?
You are the best!! I spent a whole week trying to fix that. Went to the Apple store many times but it didn’t work out!!!! They even kept my MacBook Air overnight for a reinstall and GUI update but I still got the same problem. Thank god you’re here.
I don’t have any blue + icons too, I’m using lion and cannot sign in to AppStore, but I don’t have any problems signing in elsewhere. What else can I try?
It seems to be happening on all kinds of websites that have Facebook links. Sometimes they can be ‘cancel’ed and ignored, but other times they prevent the sites from loading. It’s been going on now for months, sporadically.
Hmm. Are you behind a proxy or VPN? Sometimes that can cause the problem you’re seeing.
It hasn’t affected the app store or itunes yet. Only websites using a variety of browsers (I ditched FF for Safari and Safari almost seems worse).
After trying several “fixes,” I stumbled upon yours and voila it works. Thanks. Unless there is a fix in 10.8.2 that I’m downloading now, Apple hasn’t attended to this bug, and it is almost October.
Thank you very much. It worked for me. Before coming upon your solution I had some very unhelpful advice from Apple support which was of no use at all. I am very grateful to you.
I had this issue, and this solution fixed it. However, a week later I am having the same issue. Is this something I am going to have to do every week?
It just seems to be affecting my iMessage.
It shouldn’t be something that you have to apply every week. Are you behind a firewall or VPN? Sometimes that can cause the issue.
After upgrading to 10.8.2, App Store did not connect to the internet (nor iTunes Match).
After hours on the phone with an AppleCare 2nd level tech I was advised to perform a clean install.
Only your solution worked like magic. Thanks a lot!
I am stuck on the first step. When I go to folder menu and type in either file I want deleted, I get this box: The folder “ocspcache.db” can’t be opened because you don’t have permission to see its contents. So what do I do??
In that case, move on to the next step. The first one isn’t that crucial. If it turns out that it does need to happen on your machine, there’s another step I’ll write up for you to do it and get around the permission block.
I did not find any icons with the blue + sign on them. So no luck
No blue + sign for me 🙁
Are you behind a firewall, proxy, or VPN? Sometimes those can cause issues.
Further searching found a posting on another site implying that Akamai was aware of the problem, and that they would be broadcasting a fix to the many sites that were affected. Sure enough, a couple of hours later the invalid certificate drop-down problem went away. Sometimes I guess I tend to over-react and try to fix a problem that really isn’t mine after all, and find that waiting it out will cure it.
No, no proxy, no VPN. Still no blue + sign
INCREDIBLE!! I’ve been searching for a solution to this mess for a couple years on and off. THANK YOU. Sorry for shouting.
I followed the instructions, but see no blue + signs.
My son’s computer has been having this problem for about 2 weeks now. Any ideas?
I’ve been all over looking for the solution to this problem and this fix and these instructions walked me through easily to a solution.
Perfect!
Brilliant!
Great instruction. Thanks so much for your effort and, more importantly, sharing.
Thanks so much, this has been bugging me for a long time!
Thank you Thank you Thank you!!! This was driving me crazy for days. I’ve tried all sorts of other suggestions, even reinstalling the OS, nothing worked, but this did it!
It worked! Thank you. Apple Support couldn’t fix this!
OMG three weeks and two installs until I found your answer!! It worked
Does not work!
Thank you!!! Worked beautifully and I now have about 6 app updates in queue. Apple support kept redirecting my question to iTunes support. And then were going to charge me $59 to speak to someone about this. I sent them another email, with the link to this page and suggested that it’s too bad it takes a user to sort out their software problems.
I’m still with Freddy. No blue + signs anywhere in the Keychain access. I still get blocked from Facebook regularly, and now Tumblr sometimes too. Any site that has a Facebook ‘like’ button on it throws me an error message. It’s extremely disrupting. Any other ideas??
This worked for me on 10.8.2. Thanks!
Adding my voice to the chorus of thanks. This Verisign problem has been irritating me for months. Affected so many different web activities. Your fix worked immediately and is a godsend.
What a great Thanksgiving weekend gift! A fresh install of Mountain Lion doesn’t have the app store connection problem this was causing. Apple Tech support therefore said I needed to do a fresh Mountain Lion install and individually install each of my applications until I found the one that was causing the problem. 🙁 Your fix saved me countless hours of doing that! THANKS!
I am behind an authenticated proxy.. and I have no blue crosses.. what should I do? I can’t connect to app store although I can do anything when it comes to browsers and various other apps..
You are a genius!! Thanks so much for sorting out this problem God bless you.
Thank you very much! All the other tries were hocus!
THANK YOU THANK YOU THANK YOU! Seriously much appreciated, thanks for sharing!
Arthur, you are the man! Unfortunately Apple hasn’t read your blog. I also was advised to reinstall Mountain lion but I tried your solution first and the problems with connecting to Software Updates and the app store were resolved.
THANKS a million. Neither the guys at the genius bar nor the Apple help line were able to fix the problem… you did. You’re a star.
Worked for me to access Messages and the App Store just after upgrading from Leopard to Mountain Lion. Thank you!
Outstanding! I no longer have applecare and would not have been able to resolve problem without your help. Thanks much and Happy New Year all.
Thanks. After many frustrating hours wasted, finally fixed. I cannot believe Apple have let this problem linger for so long.
This worked on my iMac with OS 10.7. Thank you!
Thank you!! It worked for me, after a lot of hours trying fix this. Thanks again!!
I echo all above…thanks for the assist–this problem has been plaguing me for many moons. Like some of the others, I didn’t have a blue + on any..but did a repair (under Keychain First Aid)…there were many issues with the crlcache.db keychain…once repaired, App Store started working fine.
Thank you so much! I spent a lot of time trying to find a fix. My hard drive died last week and the guys at the Apple store reloaded lion for me then I transferred everything over from my external HD. I knew it had something to do with that but…then I found your fix. Thanks again!
Thank you, Thank you, Thank you. This resolved an extremely frustrating experience I have been having 1. With iTunes store, 2. Not being able to connect to the App Store and 3. Having paypal.com and a couple other websites only load in non-graphic HTML form. I have spent HOURS AND HOURS trying to find a fix. I have reformatted and reinstalled, copied and fixed about all I could think of. Thank you again!!!!!!!!!!!!!!!!
Thank you! Internet is fantastic. I had this “big” problem, apple couldn’t help, I could find your solution and now it works again :-). Wonderful!
Stefan from the snowy Switzerland
Fantastic post, exactly what I was looking for! What a head wreck this was causing!
Thank you! I’m a podcaster and really need iTunes to work. You did it! I can’t say thanks enough!
didn’t work for me 🙁
I didn’t find blue +’s on any of the certificates. is that normal?
Thanks so much! You’re my hero of today.
No blue + for me either and having similar issues. Other SSL sites and app store also fail on this system but all http seem to work. Have other windows systems on same segment using same proxy and they can get to https sites like developer.apple.com whereas the lion can’t. Thinking about bringing device off of proxy’d network to rule out net altogether but that is not making sense at this point. Will follow-up and post if I go that route.
thank you
that worked, even for a computer idiot like me
Amazing. My problem was different but this worked (I couldn’t access the APP Store program from my Desktop – error 1202 – and the Store Display from within iTunes would not show graphics, just generic type with hyperlinks which wouldn’t work, leading to error messages connecting to the Store. Genius solution to a bewildering blur of problems.
You, my friend, are a genius! I was having the same problem as Miguel X (running Mountain Lion; App store and iTunes store issues) as well as being unable to file my taxes online with TurboTax!! I’ve been searching for months, even tried some date resetting trick, and this is the only solution that’s worked!!
Thanks again!
I owe you dinner!
Wow. This has been plaguing me for months. Thanks so much for the fix!
Great!!!! It helped me a lot!!!! Thank you so much
Thank you, thank you, thank you!
Beautiful Post
Thank you SO MUCH!!! Thank you thank you <3 <3 <3
What if I don’t have any blue Certificates? 🙁
I do not have any blue certificates?
Thank you, thank you, thank you!!!
modifying System Root certs in Keychain Access is faster when logged in as root
[…] 4. Restart the system. Source […]
This fix eliminated the error message, but now google will not load. When I deleted the two files in Keychain access, none of the certificates had blue + signs. What should I do now?
Thank you for this!! Saved my life, sanity, dogs, cats, computer, cars, etc
My wife can actually talk to me now without me being grumpy!!
Thank you! Thank you!
Went through all this, but to no avail. Solution – ‘something’ had changed the clock and the time was off (over a year! dunno why – looking into it #usererror), thus rendering the certificates bad. When we noticed, we changed back the clock and all was good. Check your clock.
Arthur you’re a life saver! Seriously, I can’t thank you enough for this article. It solved the problem which I’ve been having for two weeks now.
Thanks. This did the trick for me. Very much appreciated.
I am not seeing any blue symbols – what do I do now?
It worked anyway – many thanks Arthur.
Thank you very much for making my mac usable after 2 months
Didn’t work for me. In step 2, there were no certificates with a blue plus icon over them, other than the ones Safari had added for google.com and apple.com.
Now what?
I get a message when I search for either folder that says “The folder “crlcache.db” can’t be opened because you don’t have permission to see its contents.”
I have no blue certificates and I can’t delete the second file on the first step, any solutions??? I am using a VPN but when I stopped it, it still didn’t work for me!
Hi Arthur, your fixes didn’t work. I still can’t use google, access gmail or connect to the app store. Any ideas?
I have no certificates for a blue + sign to rest beside… Now what? I’ve exhausted everything I’ve read about this!
hej matey you made my day, worked perfectly B-)
So at first I didn’t have any blue x’s but I got red ones instead. Once I clicked on it, it opened a new page and there was a little bar at the top marked “Trust,” once I clicked that, it also expanded and at the very top there was a bar that said “Trust this certificate” and then I changed it from “System default” to “Always trust” and that’s what got the blue x’s for me.
Thank you so much for a solution that even the people at the apple store couldn’t provide! They kept my computer for five days and still weren’t able to fix it. This really worked and it took less than five minutes.
God bless you, thank you so much! I was so upset I couldn’t connect to anything when I needed to download my work, you’re a life saver!
Thank you for posting this fix! I found it through the Apple Support community.
I cannot delete the two files because I do not have permission to view them. I noticed someone else had the same problem and you said you would send them a step to get around the permission, can you send that to me?
I have been trying to fix this for 5 months….THANK YOU It works!.
Works like a charm!
When I followed your steps I didn’t find any “blue plus” when I search for “Class” in Keychain Access. But I did find few “blue plus” without searching, I set them to “Use System Default”, restart my computer… bam! problem solved!
It works, dude!! God bless you 🙂
Thank you so much, I haven’t been able to access the iTunes store for a LONG time and this solved my problem.
Alan. Thank you so much! I ran into this problem in Mavericks and it has been driving me crazy for a week. Apple support has apparently not figured this out yet, as they were useless. Very grateful!
I also can not delete the two files because I do not have permission to view them. I also noticed someone else had the same problem and you said you would send them a step to get around the permission, can you send that to me? Please please 🙁 Need help!
🙁 I am also unable to delete the two files, as it is saying I don’t have permission to view them. Is there anyway you can email me a way around this. Please, need help (and my computer back) I really appreciate it!
Thanks for this. Is there a solution for those who are still on 10.5.8? I can’t get to a newer OS yet because of my audio hardware issues ($$$$ to upgrade.) I don’t seem to see a blue+ symbol on any of my certificates in my Keychain… Chrome just gives me an Invalid Server Certificate error, with no pointer to the certificate in question. Does one need a CA (Thawte/Verisign/GeoTrust) to regenerate an SSL certificate?
Amazing. After driving myself crazy for months your solution worked in 5 minutes.
Why doesn’t Apple his this or have the same info on their Help pages. You would think they would with all the income lost from people not being able to access the Apple Store.
I’m really scratching my head over this one.
Thanks again !!!!
Thank you so much!! After trying to find a fix for 3 days, and talking to the company IT dept for hours, I finally got this fixed thanks to your blog.
Holy Crap it worked !!!!Thank you
I didn’t have any blue pluses either but managed to work it out by going to Keychain Access > Preferences > General > Reset my Default Keychain. It’s a bit of a nuclear option but it worked!
Thank you soooo very much. Spent all day on various sites to fix this problem without success!! I had no ‘blue+ symbol’ on any of my certificates, so it seems just simply deleting the two VAR files you mentioned did the trick! This should be made more widely accessible.
Thanks again.
Brilliant! This is the only thing that worked for me. I didn’t have any Certificate issues, but I did delete the first 2 folders you mentioned and restarted my computer and it worked. Thank you!!!
[…] This problem is documented here (I’m not the OP on these): https://discussions.apple.com/thread/2537287?start=0&tstart=0 and here: http://b.rthr.me/wp/?p=356 […]
it worked for me
Worked here too. Thank you
Worked for me, thanks. People not finding the blue icon: reset computer and search again, this worked for me.