An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Topic Options
#40926 - 06/17/16 08:34 AM Keychain Access, Expired Certification
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
I just noticed that I have about 50 expired certificates on both of my machines, some going back to 2010.

Is it safe to delete these & should I?

In part, I am curious because some are present in Login, and thus I wonder if they are slowing my login or startup. confused
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#40927 - 06/17/16 08:50 AM Re: Keychain Access, Expired Certification [Re: Pendragon]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
As I recall (potentially incorrectly, so be advised), you can dump all your certificates and, when required, they will be updated by the issuing authority. Expired certificates just seem to take up space in that they don't do anything.

Top
#40933 - 06/18/16 02:22 AM Re: Keychain Access, Expired Certification [Re: grelber]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Okeedokee & thanks!

I'll delete the expired certificates and post back in a week or so advising of consequences. With a bit of luck and your wise counsel, this should be a non-event.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#40935 - 06/18/16 03:25 AM Re: Keychain Access, Expired Certification [Re: Pendragon]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Harv,

You do have a backup, don't you? If unsure of the consequences, always have a safety net. In fact, you should have a safety net anyway, considering the law of unintended consequences (discovered by Murphy, of course).
_________________________
Jon

OS 10.14.2, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#40940 - 06/19/16 02:30 AM Re: Keychain Access, Expired Certification [Re: jchuzi]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Counting both internal & external drives, Jon, I have 10 SuperDuper clones. And critical data are encrypted and then sent to Dropbox. Still, should I discover a "gotcha" a year from now, all my backups (re deleted certificates) will be of little value. While that is an unlikely scenario, Mr. Murphy is known to visit moi.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#40945 - 06/20/16 02:17 AM Re: Keychain Access, Expired Certification [Re: Pendragon]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
I finally got around to deleting a few expired certificates, but curses! I can't find the keyboard or menu command(s) to do such.

Clearly, I'm missing/overlooking something, but what? confused
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#40946 - 06/20/16 02:29 AM Re: Keychain Access, Expired Certification [Re: Pendragon]
artie505 Online


Registered: 08/04/09
The best I could do was click on "Hide Expired Certificates" under Keychain Access > View.

Deletion doesn't seem to be an option, Harv. confused
_________________________
The new Great Equalizer is the SEND button.

Top
#40947 - 06/20/16 03:37 AM Re: Keychain Access, Expired Certification [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Maybe it's because I'm using Lion, but in Keychain Access, once a certificate is selected in Viewer, it can be deleted via Edit (Delete) or merely by hitting the Delete key.

Top
#40948 - 06/20/16 05:19 AM Re: Keychain Access, Expired Certification [Re: grelber]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Originally Posted By: grelber
Maybe it's because I'm using Lion, but in Keychain Access, once a certificate is selected in Viewer, it can be deleted via Edit (Delete) or merely by hitting the Delete key.


I tried that as well as various key combinations, e.g., Option & Command, etc. No joy.

As Jon noted, I can hide those rascals, but would prefer to resolve the issue versus live with a work around. And since this has no operational aspect, more akin to an academic/learning challenge, I may settle for a gentleman's C (at least for now).
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#40949 - 06/20/16 06:49 AM Re: Keychain Access, Expired Certification [Re: Pendragon]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
In El Capitan Control+Click (Right Click) on a certificate in Keychain Access triggers a context menu with five options
  1. New identity preference….
  2. Copy
  3. Delete
  4. Export
  5. Get info
  6. Evaluate
If multiple certificates have been selected the context menu items are reduced to
  1. Copy n items
  2. Delete n items
  3. Export n items
  4. Get Info

In either case the delete key does nothing.


Edited by joemikeb (06/20/16 06:49 AM)
_________________________
joemikeb • moderator

Top
#40951 - 06/20/16 07:34 AM Re: Keychain Access, Expired Certification [Re: joemikeb]
artie505 Online


Registered: 08/04/09
I'm seeing this this when I control-click in El Cap.

Am I missing something, or are we on different wavelengths?
_________________________
The new Great Equalizer is the SEND button.

Top
#40952 - 06/20/16 07:36 AM Re: Keychain Access, Expired Certification [Re: joemikeb]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
In El Capitan Control+Click (Right Click) on a certificate in Keychain Access triggers a context menu with five options

In Mountain Lion either a left or right Control+Click will generate similar options:

1. Copy to Clipboard
2. Copy
3. Delete
4. Go there
5. Get Info

Multiple selection:

1. Copy n Items
2. Delete n Items
3. Get Info
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#40953 - 06/20/16 07:38 AM Re: Keychain Access, Expired Certification [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
I'm seeing this this when I control-click in El Cap.

Right Control-Click?
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#40955 - 06/20/16 08:19 AM Re: Keychain Access, Expired Certification [Re: ryck]
artie505 Online


Registered: 08/04/09
Originally Posted By: ryck
Originally Posted By: artie505
I'm seeing this this when I control-click in El Cap.

Right Control-Click?

Left/right clicks are mouse things; the only option on a keyboard is control-click...the equivalent of a right-click.
_________________________
The new Great Equalizer is the SEND button.

Top
#40957 - 06/20/16 12:35 PM Re: Keychain Access, Expired Certification [Re: joemikeb]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Joe, I got the Control+Click routine to work just as you said. Imagine that. cool My red-faced thanks!

And, are you too of the opinion that even if one were delete a valid certificate, 'tis no matter as it would be recreated as necessary?
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#40958 - 06/20/16 01:44 PM Re: Keychain Access, Expired Certification [Re: Pendragon]
artie505 Online


Registered: 08/04/09
OK, then, can anybody figure out from my screen shot what my problem is?

Thanks.
_________________________
The new Great Equalizer is the SEND button.

Top
#40961 - 06/20/16 03:25 PM Re: Keychain Access, Expired Certification [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
OK, then, can anybody figure out from my screen shot what my problem is?

You are looking at System Root > All items. So you are looking at a certificate that does not belong to you, rather it belongs to the user System therefore you do not have the authority to delete or change them and the option down not appear in the context menu.

In the left hand pane of the Keychain Access window you see two certificate icons. If you select My Certificates you will see the only the certificates owned by your user account and the context menu will have the items I listed. If you select Certificates you will only see certificates owned by the system and their context menu is as shown in your screen shot.
_________________________
joemikeb • moderator

Top
#40962 - 06/20/16 03:30 PM Re: Keychain Access, Expired Certification [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
Left/right clicks are mouse things; the only option on a keyboard is control-click...the equivalent of a right-click.

Ah…never dawned on me that someone wouldn't use a mouse. So what's "click" on a keyboard?
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#40963 - 06/20/16 03:34 PM Re: Keychain Access, Expired Certification [Re: ryck]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: ryck
Ah…never dawned on me that someone wouldn't use a mouse. So what's "click" on a keyboard?

Dunno what it is on a keyboard but on a trackpad it is a tap.
_________________________
joemikeb • moderator

Top
#40967 - 06/20/16 10:27 PM Re: Keychain Access, Expired Certification [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Got it! Thanks for clarifying that confusing "one from column A and one from column B" GUI.

Back to the chase, though, I wonder why OS X doesn't automatically clear expired certificates, and why System Roots expired certificates can only be hidden...not deleted?
_________________________
The new Great Equalizer is the SEND button.

Top
#40968 - 06/20/16 10:34 PM Re: Keychain Access, Expired Certification [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Originally Posted By: ryck
Ah…never dawned on me that someone wouldn't use a mouse. So what's "click" on a keyboard?

Dunno what it is on a keyboard but on a trackpad it is a tap.

Actually, "Tap to click" is a[n exasperating] option; by default, a trackpad "click" remains a click.

(My apologies to my Force Touch trackpad for misrepresenting it as a keyboard.)
_________________________
The new Great Equalizer is the SEND button.

Top
#40976 - 06/21/16 01:54 PM Re: Keychain Access, Expired Certification [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
I wonder why OS X doesn't automatically clear expired certificates, and why System Roots expired certificates can only be hidden...not deleted?

Reasonable question.

I did a little research and it appears expired certificates can be reprovisioned. It would then follow that it might be necessary to reinstall the app if the certificate were deleted.

In El Capitan and previous versions of iOS there is provision for overriding expired or unrecognized certificates. I know that on Sierra (MacOS 12) those provisions still exist, but have been made less convenient. On iOS devices an app will NOT run without a current recognized certificate unless the device is jailbroken — at which point Apple disavows any and all responsibility. It would not surprise me if MacOS 13 followed the iOS model certainly that appears to be Apple's trajectory.
_________________________
joemikeb • moderator

Top
#40982 - 06/21/16 11:27 PM Re: Keychain Access, Expired Certification [Re: joemikeb]
artie505 Online


Registered: 08/04/09
I tried to make some sense out of my expired certificates, and I don't think any of them have been updated nor do any identify the app/process that placed them.

I can say, though, that I've never run into an overt expired certificate situation.

Thanks for the info.
_________________________
The new Great Equalizer is the SEND button.

Top
#40986 - 06/22/16 06:17 AM Re: Keychain Access, Expired Certification [Re: Pendragon]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
I opened up my keychain and I find a handful of expired certificates in my userspace. If I dig in, I find under Trust settings, they are set to "Use system defaults". In that case, the system won't trust an expired certificate. I am allowed to edit this setting to "always trust" or "never trust". You can also click on the question mark to the right to pull up a much more detailed description of the behavior of the trust settings. "Always Trust" should override certificate expiration.
_________________________
I work for the Department of Redundancy Department

Top

Moderator:  alternaut, dkmarsh, joemikeb