An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Previous Thread
Next Thread
Print Thread
Keychain Access, Expired Certification
#40926 06/17/16 03:34 PM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
I just noticed that I have about 50 expired certificates on both of my machines, some going back to 2010.

Is it safe to delete these & should I?

In part, I am curious because some are present in Login, and thus I wonder if they are slowing my login or startup. confused


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40927 06/17/16 03:50 PM
Joined: Aug 2009
Likes: 4
Offline

Joined: Aug 2009
Likes: 4
As I recall (potentially incorrectly, so be advised), you can dump all your certificates and, when required, they will be updated by the issuing authority. Expired certificates just seem to take up space in that they don't do anything.

Re: Keychain Access, Expired Certification
grelber #40933 06/18/16 09:22 AM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
Okeedokee & thanks!

I'll delete the expired certificates and post back in a week or so advising of consequences. With a bit of luck and your wise counsel, this should be a non-event.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40935 06/18/16 10:25 AM
Joined: Aug 2009
Likes: 7
Online

Joined: Aug 2009
Likes: 7
Harv,

You do have a backup, don't you? If unsure of the consequences, always have a safety net. In fact, you should have a safety net anyway, considering the law of unintended consequences (discovered by Murphy, of course).


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Keychain Access, Expired Certification
jchuzi #40940 06/19/16 09:30 AM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
Counting both internal & external drives, Jon, I have 10 SuperDuper clones. And critical data are encrypted and then sent to Dropbox. Still, should I discover a "gotcha" a year from now, all my backups (re deleted certificates) will be of little value. While that is an unlikely scenario, Mr. Murphy is known to visit moi.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40945 06/20/16 09:17 AM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
I finally got around to deleting a few expired certificates, but curses! I can't find the keyboard or menu command(s) to do such.

Clearly, I'm missing/overlooking something, but what? confused


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40946 06/20/16 09:29 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
The best I could do was click on "Hide Expired Certificates" under Keychain Access > View.

Deletion doesn't seem to be an option, Harv. confused


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
artie505 #40947 06/20/16 10:37 AM
Joined: Aug 2009
Likes: 4
Offline

Joined: Aug 2009
Likes: 4
Maybe it's because I'm using Lion, but in Keychain Access, once a certificate is selected in Viewer, it can be deleted via Edit (Delete) or merely by hitting the Delete key.

Re: Keychain Access, Expired Certification
grelber #40948 06/20/16 12:19 PM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
Originally Posted By: grelber
Maybe it's because I'm using Lion, but in Keychain Access, once a certificate is selected in Viewer, it can be deleted via Edit (Delete) or merely by hitting the Delete key.


I tried that as well as various key combinations, e.g., Option & Command, etc. No joy.

As Jon noted, I can hide those rascals, but would prefer to resolve the issue versus live with a work around. And since this has no operational aspect, more akin to an academic/learning challenge, I may settle for a gentleman's C (at least for now).


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40949 06/20/16 01:49 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 16
In El Capitan Control+Click (Right Click) on a certificate in Keychain Access triggers a context menu with five options
  1. New identity preference….
  2. Copy
  3. Delete
  4. Export
  5. Get info
  6. Evaluate
If multiple certificates have been selected the context menu items are reduced to
  1. Copy n items
  2. Delete n items
  3. Export n items
  4. Get Info

In either case the delete key does nothing.

Last edited by joemikeb; 06/20/16 01:49 PM.

If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Keychain Access, Expired Certification
joemikeb #40951 06/20/16 02:34 PM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
I'm seeing this this when I control-click in El Cap.

Am I missing something, or are we on different wavelengths?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
joemikeb #40952 06/20/16 02:36 PM
Joined: Aug 2009
Likes: 14
Offline

Joined: Aug 2009
Likes: 14
Originally Posted By: joemikeb
In El Capitan Control+Click (Right Click) on a certificate in Keychain Access triggers a context menu with five options

In Mountain Lion either a left or right Control+Click will generate similar options:

1. Copy to Clipboard
2. Copy
3. Delete
4. Go there
5. Get Info

Multiple selection:

1. Copy n Items
2. Delete n Items
3. Get Info


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Keychain Access, Expired Certification
artie505 #40953 06/20/16 02:38 PM
Joined: Aug 2009
Likes: 14
Offline

Joined: Aug 2009
Likes: 14
Originally Posted By: artie505
I'm seeing this this when I control-click in El Cap.

Right Control-Click?


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Keychain Access, Expired Certification
ryck #40955 06/20/16 03:19 PM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
Originally Posted By: ryck
Originally Posted By: artie505
I'm seeing this this when I control-click in El Cap.

Right Control-Click?

Left/right clicks are mouse things; the only option on a keyboard is control-click...the equivalent of a right-click.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
joemikeb #40957 06/20/16 07:35 PM
Joined: Aug 2009
OP Offline

Joined: Aug 2009
Joe, I got the Control+Click routine to work just as you said. Imagine that. cool My red-faced thanks!

And, are you too of the opinion that even if one were delete a valid certificate, 'tis no matter as it would be recreated as necessary?


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40958 06/20/16 08:44 PM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
OK, then, can anybody figure out from my screen shot what my problem is?

Thanks.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
artie505 #40961 06/20/16 10:25 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 16
Originally Posted By: artie505
OK, then, can anybody figure out from my screen shot what my problem is?

You are looking at System Root > All items. So you are looking at a certificate that does not belong to you, rather it belongs to the user System therefore you do not have the authority to delete or change them and the option down not appear in the context menu.

In the left hand pane of the Keychain Access window you see two certificate icons. If you select My Certificates you will see the only the certificates owned by your user account and the context menu will have the items I listed. If you select Certificates you will only see certificates owned by the system and their context menu is as shown in your screen shot.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Keychain Access, Expired Certification
artie505 #40962 06/20/16 10:30 PM
Joined: Aug 2009
Likes: 14
Offline

Joined: Aug 2009
Likes: 14
Originally Posted By: artie505
Left/right clicks are mouse things; the only option on a keyboard is control-click...the equivalent of a right-click.

Ah…never dawned on me that someone wouldn't use a mouse. So what's "click" on a keyboard?


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Keychain Access, Expired Certification
ryck #40963 06/20/16 10:34 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 16
Originally Posted By: ryck
Ah…never dawned on me that someone wouldn't use a mouse. So what's "click" on a keyboard?

Dunno what it is on a keyboard but on a trackpad it is a tap.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Keychain Access, Expired Certification
joemikeb #40967 06/21/16 05:27 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
Got it! Thanks for clarifying that confusing "one from column A and one from column B" GUI.

Back to the chase, though, I wonder why OS X doesn't automatically clear expired certificates, and why System Roots expired certificates can only be hidden...not deleted?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
joemikeb #40968 06/21/16 05:34 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
Originally Posted By: joemikeb
Originally Posted By: ryck
Ah…never dawned on me that someone wouldn't use a mouse. So what's "click" on a keyboard?

Dunno what it is on a keyboard but on a trackpad it is a tap.

Actually, "Tap to click" is a[n exasperating] option; by default, a trackpad "click" remains a click.

(My apologies to my Force Touch trackpad for misrepresenting it as a keyboard.)


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
artie505 #40976 06/21/16 08:54 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 16
Originally Posted By: artie505
I wonder why OS X doesn't automatically clear expired certificates, and why System Roots expired certificates can only be hidden...not deleted?

Reasonable question.

I did a little research and it appears expired certificates can be reprovisioned. It would then follow that it might be necessary to reinstall the app if the certificate were deleted.

In El Capitan and previous versions of iOS there is provision for overriding expired or unrecognized certificates. I know that on Sierra (MacOS 12) those provisions still exist, but have been made less convenient. On iOS devices an app will NOT run without a current recognized certificate unless the device is jailbroken — at which point Apple disavows any and all responsibility. It would not surprise me if MacOS 13 followed the iOS model certainly that appears to be Apple's trajectory.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Keychain Access, Expired Certification
joemikeb #40982 06/22/16 06:27 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
I tried to make some sense out of my expired certificates, and I don't think any of them have been updated nor do any identify the app/process that placed them.

I can say, though, that I've never run into an overt expired certificate situation.

Thanks for the info.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Keychain Access, Expired Certification
Pendragon #40986 06/22/16 01:17 PM
Joined: Aug 2009
Offline

Joined: Aug 2009
I opened up my keychain and I find a handful of expired certificates in my userspace. If I dig in, I find under Trust settings, they are set to "Use system defaults". In that case, the system won't trust an expired certificate. I am allowed to edit this setting to "always trust" or "never trust". You can also click on the question mark to the right to pull up a much more detailed description of the behavior of the trust settings. "Always Trust" should override certificate expiration.


I work for the Department of Redundancy Department

Moderated by  alternaut, dkmarsh, joemikeb 

Link Copied to Clipboard
Powered by UBB.threads™ PHP Forum Software 7.7.4
(Release build 20200307)
Responsive Width:

PHP: 7.4.33 Page Time: 0.045s Queries: 62 (0.036s) Memory: 0.6962 MB (Peak: 0.8521 MB) Data Comp: Zlib Server Time: 2024-03-28 16:22:02 UTC
Valid HTML 5 and Valid CSS