Cannot access secured Web sites after OS X update
Inconsistent symptoms suggest several approaches people can try to get certificate-based Web communication working properly.
After updating OS X, some users have found they cannot access Web sites or other online content that is secured with a signed certificate. If you are experiencing this problem, when accessing such resources either through Safari or through applications like the Mac App Store, you may get an error stating that the Web site's identity cannot be verified, or that the certificate authority is an invalid issuer.
This problem is affecting a number of people who updated their systems from OS X 10.7.3 to the latest OS X 10.7.4 version. For some, it seems to be rooted in network configurations since the problems only happen when the system is behind a corporate proxy or firewall configuration, and not at home. However, this is not shared by all people with this issue, and others cannot seem to get any secured Web site to load regardless of the network configuration.
While the problem has not been fully addressed or even characterized since there is ambiguity as to how it manifests, some people have been able to fix the problem by performing some of the following options:
- Check time and date
Certificate validation depends on the current time: each certificate is only valid for a set period, and that period is checked against your system's clock, so if your date and time settings are off the negotiation may be denied. Check your date and time to ensure they are properly set, but do not just check them and set them by hand from a local clock. Instead, go to the Date & Time system preferences and ensure the time is set automatically.
You can force the time to update by de-selecting this option, altering the system time slightly, and then re-checking the option to set the date and time automatically. By default, the system uses the time.apple.com time server for synchronizing the clock, but you can use alternatives including Apple's European and Asian servers (supplied in the drop-down menu), enter an alternative such as "time.nist.gov" (the U.S. government's time server), or go to this Web page to find a sponsored time server.
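A quick way to tell a wrong clock apart from a genuinely bad certificate is to compare the validity windows of several certificates against the clock at once. The script below is an added example written for this article, not code from the original page or from Apple: it reads the `notBefore=` / `notAfter=` lines that `openssl x509 -in cert.pem -noout -dates` prints, and treats "every certificate fails in the same direction" as a clock problem rather than a certificate problem. The certificate dates it carries are constructed sample data.

```python
"""Tell a wrong system clock apart from a genuinely bad certificate.

Added example for this article; not code from the page or from Apple.
Input is the text printed by:  openssl x509 -in cert.pem -noout -dates
"""
import re
from datetime import datetime, timezone

# Date layout OpenSSL prints, e.g. "May 10 12:00:00 2012 GMT"
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def utc_day(year, month, day):
    """Helper for building a clock value at midnight UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(notBefore|notAfter)=(.+?)\s*$", line)
        if m:
            stamp = datetime.strptime(m.group(2), _OPENSSL_DATE)
            found[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("need both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def classify(dates_text, now):
    """'before' if the clock precedes notBefore, 'after' if it passes notAfter,
    otherwise 'ok'. Anything but 'ok' is rejected by the TLS client, which is
    what the 'identity cannot be verified' error reflects."""
    not_before, not_after = parse_openssl_dates(dates_text)
    if now < not_before:
        return "before"
    if now > not_after:
        return "after"
    return "ok"


def diagnose(dates_texts, now=None):
    """Judge several certificates together.

    'ok'             every certificate is inside its window
    'clock-suspect'  every certificate fails in the same direction, which a
                     wrong local clock explains far better than N bad certs
    'certificate'    only some certificates fail; fix those, not the clock
    """
    now = now or datetime.now(timezone.utc)
    verdicts = {classify(t, now) for t in dates_texts}
    if verdicts == {"ok"}:
        return "ok"
    if "ok" not in verdicts and len(verdicts) == 1:
        return "clock-suspect"
    return "certificate"


# Constructed sample output of `openssl x509 -noout -dates` for two sites.
SAMPLE_CERTS = [
    "notBefore=May 10 12:00:00 2012 GMT\nnotAfter=May 10 12:00:00 2013 GMT\n",
    "notBefore=Jan  1 00:00:00 2012 GMT\nnotAfter=Dec 31 23:59:59 2014 GMT\n",
]

if __name__ == "__main__":
    for label, when in [("clock reset to 2010", utc_day(2010, 1, 1)),
                        ("clock correct", utc_day(2012, 6, 1)),
                        ("one cert expired", utc_day(2013, 8, 1))]:
        print(f"{label}: {diagnose(SAMPLE_CERTS, when)}")
```

On a real machine, feed it the `-dates` output of the certificates you exported from the failing sites; a clock that is years out of sync makes every one of them fail in the same direction, which no amount of certificate fixing will cure.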
- Clear firewall settings
While the firewall should only block incoming connections, a misconfiguration of the system's firewall may interfere with time server negotiation or with other communications with the sites you are attempting to load. Therefore, try disabling the firewall to test whether it is interfering with the connection. To do this, go to the "Security" system preferences and in the "Firewall" tab uncheck the option to enable the firewall. Even if the problem persists after disabling the firewall, you might still consider clearing your local firewall configuration and starting with a fresh one. To do this, go to the /Macintosh HD/Library/Preferences/ folder, remove the file called "com.apple.alf.plist," and then re-enable the firewall in the system preferences.
- Rebuild network configurations
Some people have had problems with secured Web sites only when connected through corporate proxies and other secondary Internet configurations, which suggests that for them (and perhaps others) the problem lies in their network setups. Therefore, you can try clearing and rebuilding your network configuration. To do this, go to the "Network" system preferences and create a new network location in the "Location" menu. Then add the network interfaces you use (Ethernet, Wi-Fi, VPN) to this location, and configure them according to your preferences.
If creating a new location does not work, then you can clear the entire network configuration and have the system rebuild it by going to the /Macintosh HD/Library/Preferences/SystemConfiguration/ folder and removing the following files:
When these files are removed, reboot the system and set up your network configuration again in the System Preferences.
- Clear certificate management database caches
The OCSP and CRL background services are part of the certificate management system in OS X. They keep caches of their activity, and if those caches become corrupted they can cause odd certificate problems. To clear them, open the Terminal utility (in the /Applications/Utilities/ folder) and run the following command (supply your password when prompted), then reboot the computer:
sudo rm /var/db/crls/*cache.db
- Turn off OCSP and CRL services
Another approach to this issue is to turn off the OCSP and CRL services in OS X, which can be done in the Keychain Access utility's preferences. Go to the /Applications/Utilities/ folder and open the Keychain Access utility, then open its preferences. Go to the "Certificates" tab and set both the OCSP and CRL listings to "Off." You can also try other configuration combinations here, including the "Best Attempt" and "Require if certificate indicates" options.
If adjustments to these settings do not show any difference in behavior, then change them back to their defaults of "Best Attempt."
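The reason these settings matter behind a corporate proxy is that OCSP and CRL lookups are extra network fetches, and the policies differ in what happens when a fetch cannot get through. The model below is an added example written for this article, not Apple's code and not taken from the page: it encodes the four Keychain Access options (Off, Best Attempt, Require if certificate indicates, Require for all certificates) as this example's author reads them, namely that "Best Attempt" fails open when the responder is unreachable, both "Require" settings fail closed, and "Off" never asks (so a revoked certificate would be accepted). The sites and the proxy behaviour are constructed sample data.

```python
"""Model of the OCSP/CRL policy choices in Keychain Access > Preferences > Certificates.

Added example for this article; not Apple's implementation. The semantics of
each policy below are the example author's reading of the option names.
"""

OFF = "Off"
BEST_ATTEMPT = "Best Attempt"
REQUIRE_IF_INDICATED = "Require if certificate indicates"
REQUIRE_FOR_ALL = "Require for all certificates"

# Constructed: whether each site's certificate carries an OCSP/CRL URL and
# what the authority would answer if the lookup got through.
SAMPLE_SITES = {
    "shop.example": {"has_revocation_url": True, "authority_says": "good"},
    "old.example": {"has_revocation_url": True, "authority_says": "revoked"},
    "intranet.example": {"has_revocation_url": False, "authority_says": None},
}


def lookup(site, proxy_blocks_revocation):
    """Simulate the OCSP/CRL fetch: 'good', 'revoked', 'unavailable', or None
    when the certificate names no responder or distribution point to ask."""
    if not site["has_revocation_url"]:
        return None
    if proxy_blocks_revocation:
        return "unavailable"
    return site["authority_says"]


def revocation_step_passes(policy, lookup_result):
    """Apply one policy to one lookup outcome; True means the chain may proceed."""
    if policy == OFF:
        return True                   # no check at all, revoked certs included
    if lookup_result == "revoked":
        return False                  # every checking policy rejects a revoked cert
    if lookup_result == "good":
        return True
    # Remaining cases: 'unavailable' (blocked) or None (nothing to query)
    if policy == BEST_ATTEMPT:
        return True                   # soft-fail: could not check, accept anyway
    if policy == REQUIRE_IF_INDICATED:
        return lookup_result is None  # cert named a responder, so it must be reached
    if policy == REQUIRE_FOR_ALL:
        return False                  # hard-fail: no successful check, reject
    raise ValueError(f"unknown policy {policy!r}")


def simulate(policy, proxy_blocks_revocation, sites=SAMPLE_SITES):
    """Return {site: accepted} for a network that may or may not block OCSP/CRL."""
    return {name: revocation_step_passes(policy, lookup(s, proxy_blocks_revocation))
            for name, s in sites.items()}


if __name__ == "__main__":
    for policy in (OFF, BEST_ATTEMPT, REQUIRE_IF_INDICATED, REQUIRE_FOR_ALL):
        print(f"{policy:34} home:  {simulate(policy, False)}")
        print(f"{'':34} proxy: {simulate(policy, True)}")
```

Running it shows the pattern the article describes: with "Require if certificate indicates", a perfectly good certificate is rejected only on the network where the proxy blocks the revocation fetch, while "Best Attempt" accepts it on both networks. It also shows the cost of the "Off" workaround, which is that a revoked certificate is accepted too, so restoring "Best Attempt" afterwards is the right end state.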
- Ensure root certificates use default trust settings
The last option is to check that all of the root certificates on the system are at their default trust settings. You can do this by opening the Keychain Access utility and selecting the "System Roots" keychain. Then select either "All Items" or "Certificates" in the categories section and browse through your root certificate entries. If you see any with a small blue plus symbol on the certificate icon, that certificate is configured with custom trust settings.
If you find any certificates with this indication, double-click one to open its information window and expand the "Trust" section of the certificate. Then ensure the top-most menu in this section is set to "Use System Defaults," with the rest of the menus set to "no value specified." After making these adjustments, close the information window and supply your admin username and password when prompted. If done correctly, the blue plus symbol will disappear from the certificate icon in the keychain.
Repeat this procedure for all certificates with the blue plus. Unfortunately Apple does not provide a way to batch-edit certificates, so you will have to do this one-by-one for each certificate (of which there are about 180-200, though not all should have this problem).