 

cert in /etc/ssl/cert.pem expired today (MacOS Mojave)

The cert that is stored in /etc/ssl/cert.pem expired today on my Mojave computer, which has caused problems with my curl commands. Is there any way to update it? I see that my Catalina computer has a newer certificate. Can I just copy it over to my Mojave computer?

naterudd asked May 30 '20 13:05




2 Answers

Yesterday, the Let's Encrypt DST Root CA X3 root certificate expired, which is causing similar problems as you experienced: curl displays an "SSL certificate problem: certificate has expired" error when trying to access websites using the new Let's Encrypt ISRG Root X1 certificate.

On macOS Mojave (and maybe others, but this is what I use), the default curl uses certificates in /etc/ssl/cert.pem when verifying TLS connections (you can confirm this by running curl -v https://example.com 2>&1 | grep CAfile).


The simplest fix is to delete the expired root certificate from the /etc/ssl/cert.pem file, assuming its replacement already exists in the file. This is enough to fix the expired DST Root CA X3, because its replacement, ISRG Root X1, already exists in the /etc/ssl/cert.pem file. Delete all lines from ### Digital Signature Trust Co. to -----END CERTIFICATE-----.


If you need to completely replace /etc/ssl/cert.pem with updated certificates, you can replace it with certificates exported from the macOS System Roots keychain:

  1. Make a backup of the old /etc/ssl/cert.pem:
     sudo cp /etc/ssl/cert.pem{,-orig}
  2. Export system keychain and replace contents of /etc/ssl/cert.pem:
     security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee /etc/ssl/cert.pem >/dev/null

Alternatively, you can tell curl to use a different certificate file like this:

curl -I --cacert /path/to/certificates.pem https://example.com/

Or configure the location of this file using the CURL_CA_BUNDLE=/path/to/certificates.pem environment variable.

Quinn Comendant answered Oct 16 '22 20:10
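
The "simplest fix" from the answer above (delete the expired root's block, but only once its replacement is confirmed present), as an added example that is not part of either answer. It works on a copy rather than on /etc/ssl/cert.pem itself; the function names, the sample bundle and its "=== /O=..." subject lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout (from the answer): each certificate is preceded by a
# "### <organization>" line and ends at "-----END CERTIFICATE-----".

# Constructed two-entry sample bundle; the bodies are placeholders.
make_sample_bundle() {
    cat > "$1" <<'EOF'
### Digital Signature Trust Co.

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate body)
-----END CERTIFICATE-----

### Internet Security Research Group

=== /C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate body)
-----END CERTIFICATE-----
EOF
}

count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# strip_root BUNDLE OUT HEADER REPLACEMENT
# Copies BUNDLE to OUT without the block that starts at the line HEADER.
# Returns 1 if REPLACEMENT is not mentioned in BUNDLE (nothing is removed),
# 2 if the result does not hold exactly one certificate fewer.
strip_root() {
    bundle=$1 out=$2 header=$3 replacement=$4
    grep -qF -- "$replacement" "$bundle" || return 1
    awk -v hdr="$header" '
        $0 == hdr { skip = 1 }                                # start of block
        !skip     { print }
        skip && /^-----END CERTIFICATE-----/ { skip = 0 }     # end of block
    ' "$bundle" > "$out"
    before=$(count_certs "$bundle")
    after=$(count_certs "$out")
    [ $((before - after)) -eq 1 ] || return 2
}

demo=$(mktemp -d)
make_sample_bundle "$demo/cert.pem"
strip_root "$demo/cert.pem" "$demo/cert.pem.new" \
    '### Digital Signature Trust Co.' 'ISRG Root X1' &&
    echo "certificates: $(count_certs "$demo/cert.pem") -> $(count_certs "$demo/cert.pem.new")"
```

After reviewing the new file (for example with diff against the backup), it can be put in place of /etc/ssl/cert.pem with sudo.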


For Mojave in 2022/02, here is a simple solution:

  1. Back up the current version of /etc/ssl/cert.pem in your macOS.
  2. Download the new CA certificate (officially recommended by curl.se), renaming it to cert.pem.
  3. Replace the original one with the new one: sudo mv cert.pem /etc/ssl/cert.pem.
Michael Lee answered Oct 16 '22 20:10