
We recently renewed our Nginx webserver's Thawte SSL certificate. Previously we'd been using SHA1 as the signing algorithm, but this time used SHA256 which leads to a new root certificate known as "thawte Primary Root CA - G3" (this can be found on their website - not enough rep to post the link).

Since rolling out we started getting calls from customers using OS X about getting the error "This certificate was signed by an unknown authority" when browsing to an https page.

Thawte's certificate checker is perfectly happy with our installed certificate chain: https://ssltools.thawte.com/checker/views/certCheck.jsp (we have our certificate, plus "thawte Extended Validation SHA256 SSL CA" intermediate in the pem file)

After testing, we found the error occurs under Safari, Opera and Chrome on OS X, all versions. Firefox was OK under OS X (I believe it ships with its own certificate trust store). All browsers seem OK under Windows.

When we checked the OS X Access Keychain, we found the thawte Primary Root CA - G3 WAS installed, but somehow the browser wasn't managing to complete the chain.

Here's a test site (not ours) using the same intermediate and root which exhibits exactly the same symptoms under OS X:

https://ssltest8.bbtest.net/

Can anyone explain why OS X is not recognising the root CA for this site as being trusted when it is installed in the Access Keychain of OS X 10.9 by default?

David QC
  • I have seen this issue in the wild too, with OSX and a Thawte issued cert. For me it appears to be resolved, possibly by an OSX update in the past few days – carpii Jan 23 '15 at 12:38
  • Same thing for DigiCert Intermediate Certificate. I am seeing error on Apple MAC while using this certificate –  Mar 10 '15 at 19:58
  • I have a similar problem with the G2 (not G3) certificate from within OSX and Debian/Ubuntu console. The information on the Thawte website is not up to date either. – Daniel W. Jan 11 '16 at 10:23
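One way to see what a served chain does and does not let a client build, as an added example that is not part of the original question or any answer: the functions below split a PEM bundle (the server's pem file, or saved `openssl s_client -showcerts` output) into its certificates, print each subject/issuer link, and verify the leaf against a chosen root file with the remaining certificates offered only as untrusted intermediates. The root file stands in for the trust-store entry; this does not reproduce OS X's own policy decisions such as EV handling.

```shell
# Added example, not from the question. Inspect a PEM chain bundle (the
# server's own file, or the output of
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null
# saved to a file) and verify it against a chosen root with OpenSSL.

# split_chain BUNDLE OUTDIR: write each certificate to OUTDIR/cert_N.pem,
# numbered in the order the bundle presents them (leaf expected first).
split_chain() {
  mkdir -p "$2"
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert_" n ".pem" }
    f != ""                        { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# chain_links OUTDIR: print "subject => issuer" for each split certificate,
# so a gap between one cert's issuer and the next cert's subject stands out.
chain_links() {
  for c in "$1"/cert_*.pem; do
    s=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$c" -noout -issuer  | sed 's/^issuer= *//')
    printf '%s => %s\n' "$s" "$i"
  done
}

# verify_chain OUTDIR ROOT: verify cert_1 (the leaf) trusting only ROOT,
# with every other served cert offered as an untrusted intermediate, which
# is all a browser has to work with. Returns 0 only if OpenSSL says "OK".
verify_chain() {
  dir=$1; root=$2; inter="$dir/untrusted.pem"
  : > "$inter"
  for c in "$dir"/cert_*.pem; do
    [ "$c" = "$dir/cert_1.pem" ] || cat "$c" >> "$inter"
  done
  set --
  [ -s "$inter" ] && set -- -untrusted "$inter"   # omit flag if no intermediates
  openssl verify -CAfile "$root" "$@" "$dir/cert_1.pem" 2>&1 | grep -q ': OK$'
}
```

A bundle that sends only the leaf will fail `verify_chain` against the root even though the root itself is trusted, which is the first thing to rule out before suspecting the client's trust store.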

2 Answers

Just spoke w/ Thawte support via chat and they have confirmed it's a problem and an open case w/ Apple (since July 31, 2014) on the issue. No response / ETA on a fix as of yet.

DaveM
  • Thawte just emailed me with the same info that the root cert in question is not valid for EV certificates. Looks like using a SHA256 cert + the Thawte SHA1 root is the interim solution until Apple fix it. Thanks. – David QC Sep 25 '14 at 08:36
  • FYI, GlobalSign's SHA256 chain [link](https://2029.globalsign.com/) seems to be fine on MacOS. – DaveM Sep 25 '14 at 14:23

On September 17th, 2014, the Primary Root CA - G3 (intermediate with a SHA-256 signature) was still not accepted by the latest Mac operating systems.

Thawte submitted an Apple Bug Number 17095623 in order to have them fix this issue.