Installing updated root certificates in older versions of MacOS and iOS

Recent (as of April 2022) changes to the Trove Australia web site have highlighted some changes that affect computers running older operating systems.

One of the changes is that the web site's new security certificate, issued by Let's Encrypt (LE), now uses LE's own root certificate as the ultimate source of authority for the certificate. This breaks web browsers on a lot of Mac computers running MacOS 10.11 or earlier (see for the gory details), or on iOS devices running iOS 11 or earlier.

Trove's web site is by no means the only site affected by this change; Let's Encrypt has become a major provider of web site certificates over the last half-decade, so many sites may no longer be accepted as properly authenticated by your older web browsers.

Fortunately, it is possible to update the list of root certificates on your older Mac or iOS device, as outlined below.

Updating root certificates in an older version of MacOS

Description of test systems

I tested these processes on two older Macs:

Step 1: Downloading the updated root certificate for Let's Encrypt

Open your web browser, and go to http://x1.i.lencr.org
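Step 1 fetches the certificate over plain HTTP, so it is worth checking the file before trusting it in Step 2. The script below is an added example, not part of the original instructions: it computes the SHA-256 fingerprint of a downloaded .der or .pem certificate and compares it with a fingerprint you obtained from a source you already trust, such as a newer device that can load Let's Encrypt's certificate page over verified HTTPS. It assumes Python 3 is available; the script name check_root.py and the function names are illustrative.

```python
"""Compare a downloaded root certificate with a fingerprint from a trusted source."""
import base64
import hashlib
import hmac
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def load_der(data):
    """Return the DER bytes of a .der file, or of the first block in a .pem file."""
    block = PEM_BLOCK.search(data)
    if block:
        return base64.b64decode(b"".join(block.group(1).split()), validate=True)
    # Every DER certificate starts with a SEQUENCE tag (0x30). An HTML error
    # page or captive-portal response saved in place of the file fails here.
    if not data.startswith(b"\x30"):
        raise ValueError("file is neither a PEM nor a DER certificate")
    return data


def sha256_fingerprint(data):
    """Lower-case hex SHA-256 of the certificate's DER encoding."""
    return hashlib.sha256(load_der(data)).hexdigest()


def normalise(fingerprint):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return 64 lower-case hex digits."""
    digits = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return digits


def matches(data, expected_fingerprint):
    """True only when the file hashes to the fingerprint you obtained elsewhere."""
    return hmac.compare_digest(sha256_fingerprint(data), normalise(expected_fingerprint))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit('usage: check_root.py "ISRG Root X1.der" <trusted SHA-256 fingerprint>')
    with open(sys.argv[1], "rb") as handle:
        ok = matches(handle.read(), sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not install this file")
    sys.exit(0 if ok else 1)
```

The same check works for the .pem file used in the iOS section if you download it on a computer first, because both files carry the same DER bytes.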

Step 2: Updating the system-level certificates for Safari and Chrome

Safari and Chrome both make use of the system-level root certificates to verify web site certificates. This makes it easy to update the root certificates for all users on your Mac in one go.

To add the new root certificate you downloaded above to the system-level certificate store:

  1. Open your default downloads folder.
  2. Open the Keychain Access app (in the "Utilities" folder inside your "Applications" folder).
  3. Drag the file ISRG Root X1.der onto the "System" folder in the Keychain Access app.
    [Screenshot: an open downloads folder containing ISRG Root X1.der, and the Keychain Access app, with annotations indicating how to drag the file into the System keychain.]
  4. You will be asked to enter an administrator's username and password for your Mac. Do so, and click on the "OK" button.
    [Screenshot: dialog box asking you to enter an administrator's credentials.]
  5. The Keychain Access app will install the certificate, but also inform you that "This root certificate is not trusted".
    [Screenshot: Keychain Access app, with red boxes highlighting the installed certificate, and the fact that it is not trusted.]
  6. Double-click on the certificate. A dialog box will open for the certificate. Locate the expandable menu item "Trust", and click on the triangle to the left of the word.
    [Screenshot: dialog box for the certificate, with the expandable menu item "Trust" highlighted.]
  7. When the "Trust" menu expands, you'll see that the first item, "When using this certificate:", is set to "Use System Defaults". Change this to "Use Custom Settings". Then, for the second item, "Secure Sockets Layer (SSL)", set this to "Always Trust", and close the dialog box.
    [Screenshot: dialog box, showing the value of "When using this certificate:" changed to "Always Trust".]
  8. You will once again be asked to enter an administrator's username and password. Do so.

Results on test computers

MacOS 10.6.8

After installing the new root certificate on my MacOS 10.6.8 machine, Chrome was happy to accept the root certificate. Safari wasn't, but to be perfectly frank, Safari in MacOS 10.6 never worked well in any case, which is why I had both Firefox and Chrome installed on the computer, with Firefox being my default browser of choice.

MacOS 10.11.6

After installing the new root certificate on my MacOS 10.11.6 machine, both Safari and Chrome were happy to accept the root certificate.

Updating user-level certificates for Firefox

Firefox doesn't use the system certificate store; it uses its own. Versions of Firefox prior to version 50 do not have the required root certificate in their certificate store.

Unfortunately when you're using an older version of Firefox, you can't install the new certificate for all users on the Mac in one step; each user will need to install the new root certificate individually.

To update an individual user's Firefox certificate store:

  1. Open Firefox.
  2. Select "Preferences..." from the "Firefox" menu.
  3. When the "Preferences" tab opens, select "Advanced" from the menu at left, then "Certificates" from the menu bar at top, and then click on the "View Certificates" button.
    [Screenshot: Firefox preferences panel.]
  4. When the list of certificates appears, make sure that "Authorities" is selected from the menu at top, and then click on the "Import..." button.
    [Screenshot: Firefox certificate authorities dialog box.]
  5. Firefox will ask you to select a certificate to import. Select ISRG Root X1.der and then click on the "Open" button.
    [Screenshot: file selection dialog box.]
  6. Firefox will ask you what the purpose of the new certificate is. Select the option "Trust this CA to identify web sites" and click on the "OK" button.
    [Screenshot: Firefox asking you to nominate the use of the certificate.]
  7. Firefox will show you that the certificate has been installed.
    [Screenshot: Firefox showing that the certificate has been installed.]

Results on test computers

MacOS 10.6.8

After installing the new root certificate in Firefox on my MacOS 10.6.8 machine, Firefox was happy to accept the root certificate.

MacOS 10.11.6

The version of Firefox (Firefox 78.15.0 ESR) installed on my 10.11.6 machine already had a copy of the required root certificate installed, so I did not need to install the certificate myself.

Updating root certificates in an older version of iOS

To add the new root certificate for Let's Encrypt to your older iOS device:

  1. Open Safari.
  2. Navigate to https://letsencrypt.org/certs/isrgrootx1.pem
  3. Safari will tell you that it cannot verify the server's identity. Tap on the "Continue" option.
    [Screenshot: Safari informing the user that the identity of the server cannot be verified, and offering 3 options: Cancel, Details and Continue.]
  4. You will be taken to the iOS Settings app, and presented with the "Install Profile" option. The profile on offer is named ISRG Root X1. Tap on "Install".
    [Screenshot: "Install Profile" option in iOS Settings, asking if you want to install ISRG Root X1.]
  5. You will be asked to enter the passcode for your iOS device. Do so.
    [Screenshot: iOS "Enter Passcode" dialog box.]
  6. You will be warned that the authenticity of "ISRG Root X1" cannot be verified. Tap on "Install".
    [Screenshot: warning that the authenticity of ISRG Root X1 cannot be verified.]
  7. You will be asked to verify that you want to install the profile. Tap on "Install".
    [Screenshot: box asking you to verify that you want to install the profile.]
  8. You will be informed that the profile has been installed. You should now be able to view all sites signed with a modern Let's Encrypt certificate without Safari objecting all of the time.
    [Screenshot: window verifying that the profile has been installed.]