How to Fix the Expired Intermediate SSL Certificate Error

SSL certificates work quietly in the background and protect sensitive data from cyber thieves. An entire certificate’s lifecycle can pass without a single issue. But sometimes, users experience annoying SSL errors that need an immediate fix.

Most SSL issues are server-side related and originate from a faulty configuration or improper installation. For instance, a missing intermediate certificate can cause website outages. However, in rare cases, a root and intermediate cert can expire and make your website inaccessible over HTTPS.

Legacy Intermediate Certificate Has Expired

The untrusted certificate error is related to locally installed legacy intermediate certificates that are kept on your system for compatibility purposes. One such example is the “DigiCert High Assurance EV Root CA” intermediate cert that expired in 2014, long after it had become unnecessary during SSL installations. This problem can affect systems with the locally cached or installed intermediate certificate. Below we present quick fixes for Windows, Mac, Apache, and Nginx clients:

Fix the expired intermediate certificate on Windows

Since expired legacy intermediates are no longer required, deleting them will solve the issue. Before you delete the culprit, back up your existing configuration if something goes wrong.

1. Open the Microsoft Management Console (MMC) by clicking the Windows icon on the taskbar and searching for “MMC.”
2. To remove the certificate, you need to add the certificate “snap-in” to MMC. The snap-in is an internal tool within MMC that manages different elements, including the SSL certificates.
3. On the left column, find Certificates, click on it to select it, then click Add to move it to the right column. Finally, click OK to continue.
4. In the Certificates snap-in window, select Computer Account.
5. Next, in the Select Computer window, choose Local Computer: (the computer this console is running on).
6. Click Finish, and then click OK to close the snap-in manager screen.
7. In the left-hand column of MMC, you should see a list of certificates on your local computer.
8. For this guide, you’d expand the Third-Party Root Certification Authority and find the “DigiCert High Assurance EV Root CA.”
9. Right-click on it, select Proprieties, then in the General Tab, in the Certificate Purposes, select Disable all purposes for this certificate, then click Apply.
10. Restart your PC, and that’s it!

Fix the expired intermediate certificate on Mac

The errors on Mac OS X are due to a locally installed intermediate certificate in the login keychain. OS X users can fix the issue by deleting the certificate from their Login Keystore using Keychain Access:

1. Log into your computer with an administrative account.
2. Go to the Applications and open the Utilities folder.
3. Double-click on the Keychain Access icon to open the certificate application.
4. In Keychain Access,  navigate to View > Show Expired Certificates and search for your expired cert.
5. Delete this certificate and close Keychain Access.

Fix the expired intermediate certificate on Apache and Nginx

Apache

Edit the SSLCertificateChainFile /path/to/DigiCertCA.crt directive to include only one certificate.

Nginx

Edit the ssl_certificate /etc/ssl/your_domain_name.pem to include only the server certificate and its issuing intermediate certificate.

Final thoughts

Expired intermediates are rare occurrences, and you can do nothing about them. The only solution is to delete the certificates from your system. As security practices progress, the need for legacy certificates diminishes, with fewer people using old devices and systems.

Broken laptop vector created by upklyak – www.freepik.com