OS X Not Trusting Thawte Primary Root CA - G3
Just spoke w/ Thawte support via chat and they have confirmed it's a problem and there's an open case w/ Apple (since July 31, 2014) on the issue. No response / ETA on a fix as of yet.
David QC
Updated on September 18, 2022
-
David QC over 1 year
We recently renewed our Nginx webserver's Thawte SSL certificate. Previously we'd been using SHA1 as the signing algorithm, but this time used SHA256 which leads to a new root certificate known as "thawte Primary Root CA - G3" (this can be found on their website - not enough rep to post the link).
Since rolling out we started getting calls from customers using OS X about getting the error "This certificate was signed by an unknown authority" when browsing to an https page.
Thawte's certificate checker is perfectly happy with our installed certificate chain: https://ssltools.thawte.com/checker/views/certCheck.jsp (we have our certificate, plus "thawte Extended Validation SHA256 SSL CA" intermediate in the pem file)
After testing, we found the error occurs under Safari, Opera and Chrome on OS X, all versions. Firefox was OK under OS X (I believe it ships with its own certificate trust store). All browsers seem OK under Windows.
When we checked Keychain Access on OS X, we found the thawte Primary Root CA - G3 WAS installed, but somehow the browser wasn't managing to complete the chain.
Here's a test site (not ours) using the same intermediate and root which exhibits exactly the same symptoms under OS X:
Can anyone explain why OS X is not recognising the root CA for this site as being trusted when it is installed in Keychain Access on OS X 10.9 by default?
-
carpii over 9 years
I have seen this issue in the wild too, with OSX and a Thawte issued cert. For me it appears to be resolved, possibly by an OSX update in the past few days.
-
Admin about 9 years
Same thing for the DigiCert intermediate certificate. I am seeing the error on an Apple Mac while using this certificate.
-
Nishanth over 8 years
I have a similar problem with the G2 (not G3) certificate from within OSX and the Debian/Ubuntu console. The information on the Thawte website is not up to date either.
-
David QC over 9 years
Thawte just emailed me with the same info that the root cert in question is not valid for EV certificates. Looks like using a SHA256 cert + the Thawte SHA1 root is the interim solution until Apple fix it. Thanks.
-
DaveM over 9 years
FYI, GlobalSign's SHA256 chain link seems to be fine on MacOS.