El Capitan and older Mac OS X are about to have a security certificate problem

If you’re still running El Capitan, or any version of Mac OS X prior to 10.12.1, then you’re about to run into problems with some popular security certificates.

The reason, explained in full detail by Scott Helme, is that a widely used root security certificate, that for IdenTrust DST Root CA X3, will expire in just over a week, on 30 September. This is relied on by Let’s Encrypt security certificates. Although later versions of Mac OS X and macOS have had replacement root certificates installed, those aren’t in older versions of Mac OS X, nor in iOS prior to version 10.

It may be possible to make changes within the root certificates to work around this: details are given in that article.

Although this specific problem shouldn’t affect any Mac which has been updated to a version of Mac OS X or macOS later than 10.12.2, all later versions of macOS are prone to a related problem…


This certificate expiry doesn’t only affect older versions of macOS. Versions from 10.12 (Sierra) to 12 beta (Monterey), and all recent versions of iOS and iPadOS may refuse to load an affected site, claiming that their intermediate and root certificates are out of date, despite the updated root certificate being present. Full details are in this article, which explains what you can do to address that. This not only affects Safari, but also third-party apps which use parts of WebKit to connect to websites.

Whether you’re running a server which relies on Let’s Encrypt certificates, or trying to connect your browser to one, the most helpful and information page on the subject is this one from Certify The Web.

Thanks to @mikeymikey for drawing attention to this, and to Peter for the link.
Updated 0845 UTC 2 October 2021 with link.