Paul Henman sysadmin Remove compromised Certificate Authority in OS X

Remove compromised Certificate Authority in OS X

You may have heard that a Dutch Certificate Authority (CA) called DigiNotar has allegedly been hacked “which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including”. Apparently over 500 fraudulent certificates were issued targeting “the web sites of not just Google, but popular destinations such as Twitter, WordPress, Yahoo and Facebook as well as the sites of secret services”.

Basically what this means to end users is that you cannot be sure that your secure (https) connection to Google is really secure – your browser relies on these Certificates to authenticate the end system, but if the Certificate is compromised you cannot (should not!) rely on it.

Microsoft pushed out an update on Tuesday which “revokes the trust of […] DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store”. There hasn’t, as yet, been a similar update from Apple, so below I’ve listed the steps to Do It Yourself:

  1. open the Keychain Access program
  2. go to System Roots in the left Keychains panel
  3. scroll down until you see “DigiNotar Root CA” in the main panel
  4. right click on the “DigiNotar Root CA” row and select Get Info
  5. open the Trust section and change “When using this certificate” to “Never Trust”
  6. close the Info window and enter your password to allow it to Modify Keychain
  7. you should now see at the top of the screen a message saying “This certificate is marked as not trusted for all users”
  8. quit Keychain Access

This should take effect immediately but I logged out and restarted OS X, just to be absolutely sure.
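A command-line equivalent of the Keychain Access steps above, as an added example that is not part of the original post. It assumes the stock `security` tool, the two keychain paths shown, and that a `deny` trust setting in the admin domain corresponds to “Never Trust” for all users; `split_pem` and `distrust_ca` are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: keychain paths below.
ROOTS="${ROOTS:-/System/Library/Keychains/SystemRootCertificates.keychain}"
SYSTEM_KC="${SYSTEM_KC:-/Library/Keychains/System.keychain}"
CA_NAME="DigiNotar Root CA"   # the row name given in step 3

# Split a PEM stream on stdin into one file per certificate under $1
# (cert-1.pem, cert-2.pem, ...); prints how many certificates were written.
split_pem() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }'
}

# Export every System Roots certificate whose name matches CA_NAME and
# record a "deny" trust setting for each in the admin (all users) domain.
# Prints the number of certificates processed; fails if none matched.
distrust_ca() {
    work=$(mktemp -d) || return 1
    count=$(security find-certificate -a -c "$CA_NAME" -p "$ROOTS" | split_pem "$work")
    if [ "$count" -eq 0 ]; then
        echo "no certificate named '$CA_NAME' found in $ROOTS" >&2
        rm -rf "$work"
        return 1
    fi
    for pem in "$work"/cert-*.pem; do
        # One certificate per file, since add-trusted-cert takes a single certFile.
        sudo security add-trusted-cert -d -r deny -k "$SYSTEM_KC" "$pem" \
            || { rm -rf "$work"; return 1; }
    done
    rm -rf "$work"
    echo "$count"
}

# Nothing is changed unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
    # Afterwards, list the admin-domain trust settings to confirm the result.
    distrust_ca && security dump-trust-settings -d
fi
```

Run it with `--apply` from an administrator account; `sudo` prompts for the same password that Keychain Access asks for in step 6.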
