[ab]

If this is anything like the issues we've seen at Stripe, the problem is probably an obsolete cross-signed root in your login keychain. It's caused by a certificate with CN="DigiCert High Assurance EV Root CA" but signed by some other authority rather than being self-signed. It's not clear to us how these are getting into people's login keychains, as they're not present on a fresh install.

Typically servers will present their certificate and intermediates but not the root, under the assumption that browsers must already have the root in their CA store. So for DigiCert that would probably be all the certs up to but not including "DigiCert High Assurance EV Root CA".

You can see the presented cert chain using `openssl s_client -showcerts ...` or the Certification Paths section of the Qualys SSL Labs Test: https://www.ssllabs.com/ssltest/analyze.html?d=github.com

Do you see an expired "DigiCert High Assurance EV Root CA" certificate in your login keychain? If so, delete it. If not, something weirder may be going on.

[nothingsTrivial]

It's the same scenario at GitHub. I've had a half-dozen or so GitHub users report cert chain issues on OS X over the last year and a half and it has always turned out to be a stray cert in the 'login' keychain. Still no definitive explanation for where the cert is coming from, but in at least one case the user had been prompted to import the cert by the code signing utilities.

My understanding from DigiCert is the cross-signing with Entrust had been done awhile back to improve mobile browser compatibility. Perhaps this is some strange combination of developer tools installed and the platform they are developing for...

[asymmetric]

Just a heads-up for those who can't find the expired certificate: in keychain access, you have to click on "View > Show Expired Certificates".

[acoleman616]

Thank you!

[nknighthb]

That is interesting, it's in my login keychain, as well, alongside "DigiCert Global CA" that expired on the 14th.

The most obvious answer would be that it's being installed by some widely-used piece of software, but I don't know what.

Pity the "Date Modified" column is empty, and I don't think there's really a log of what added things to the keychain.

[ab]

I'd love to hear theories for what might have installed it. If anyone still has that certificate, it would be helpful to export it and email it to support@stripe.com.

We've worked around the issue for now by not using EV certificates, which isn't a great solution.

[nknighthb]

I've sent both the recently expired DigiCert certs.

Could be just about anything. In my case, my keychain has followed me from one Mac to the next since before the cert that expired today was ever issued, so it could have ended up in there anytime in the last ~8 years from anything I might have had installed dating back to my PowerBook G4...

Virtualization software might be a candidate.

Actually, I just had another thought: Steam. And when I just tried to go to https://store.steampowered.com/, guess what certificate is in the trust chain?

[jcheng]

Two Macs here, both with Steam, both have the problem. Oh, they both have VirtualBox as well.

[zackangelo]

I had the expired certificate. I've never installed Steam, but I have installed VMWare Fusion.

[daveoflynn]

I used to have the cert (deleted a while ago), and I've never installed Steam.