In El Capitan, I am seeing some apps not connecting to servers due to outdated / expired SSL Certificates. This has been seen in Safari and when attempting to update select apps - Sublime Text and VSCodium in my experience.
This issue can be resolved by upgrading the System Roots certificates in Keychain Access.app, which will require access to a more recent Mac system (macOS Catalina 10.15.7 in my usage).
1. Terminal: Install the MacPorts script and bundle; `sudo port install apple-pki-bundle coreutils`
2. Terminal: Backup your existing System Keychain: `sudo cp /Library/Keychains/System.keychain /Library/Keychains/SystemElCap.keychain`
3. Terminal: Edit the pem install script to enable usage:`sudo vi /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh` (or pico, if preferred)
4. Terminal: At line 6, change: `if false; then` to `if true; then` and save.
_____
(Optional to install the pem keys included in this bundle)
5. Terminal: `sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /opt/local/share/apple-pki-bundle/apple-pki-bundle.pem`
_____
Go to your more recent Mac:
6. On your more recent system, open Keychain Access.app (/Applications/Utilities/)
7. Click System Roots in left pane
8. Click into Certificates pane and Select All (Cmd-A)
9. Right-click and Export X Items (or File > Export...)
10. Save as `catalina-rootkeys.pem` (or similar)
_____
Back on your El Capitan Mac:
11. Copy the saved pem key bundle to your El Capitan Mac. (copy into Home > Downloads or similar)
12. Terminal:`sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /Users/<username>/Downloads/catalina-rootkeys.pem` (replace `<username>` as needed)
13. Launch Keychain Access.app to verify installation OK.
You should now see no more expired dates in the System Roots certificates list. If there are expired certs, you'll need to repeat again from a more recent OS (Big Sur or later).
Example of an error caused by the expired System Root certificates (Sublime Text shown) on OS X El Capitan.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814) error exceptions logged in Console.app
Keychain Access.app on a more recent OS (macOS Catalina 10.15.7 shown)
Welcome back El Capitan
This issue can be resolved by upgrading the System Roots certificates in Keychain Access.app, which will require access to a more recent Mac system (macOS Catalina 10.15.7 in my usage).
1. Terminal: Install the MacPorts script and bundle; `sudo port install apple-pki-bundle coreutils`
2. Terminal: Backup your existing System Keychain: `sudo cp /Library/Keychains/System.keychain /Library/Keychains/SystemElCap.keychain`
3. Terminal: Edit the pem install script to enable usage:`sudo vi /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh` (or pico, if preferred)
4. Terminal: At line 6, change: `if false; then` to `if true; then` and save.
_____
(Optional to install the pem keys included in this bundle)
5. Terminal: `sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /opt/local/share/apple-pki-bundle/apple-pki-bundle.pem`
_____
Go to your more recent Mac:
6. On your more recent system, open Keychain Access.app (/Applications/Utilities/)
7. Click System Roots in left pane
8. Click into Certificates pane and Select All (Cmd-A)
9. Right-click and Export X Items (or File > Export...)
10. Save as `catalina-rootkeys.pem` (or similar)
_____
Back on your El Capitan Mac:
11. Copy the saved pem key bundle to your El Capitan Mac. (copy into Home > Downloads or similar)
12. Terminal:`sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /Users/<username>/Downloads/catalina-rootkeys.pem` (replace `<username>` as needed)
13. Launch Keychain Access.app to verify installation OK.
You should now see no more expired dates in the System Roots certificates list. If there are expired certs, you'll need to repeat again from a more recent OS (Big Sur or later).
Example of an error caused by the expired System Root certificates (Sublime Text shown) on OS X El Capitan.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814) error exceptions logged in Console.app
Keychain Access.app on a more recent OS (macOS Catalina 10.15.7 shown)
Welcome back El Capitan
Last edited: