AddTrust Root CA Expiry and macOS

Update 2020-06-11: prior to May 30th I observed another symptom of this cert expiry that I didn’t comment on originally in this post. A client I recently worked with, who uses Aruba Clearpass to manage BYOD device onboarding to their managed WiFi SSID, were seeing this message across their user base.

The conclusion was the user context profiles installed manually by the user via the user driven onboarding process (which included the AddTrust root CA) were causing macOS to warn them around 30 days out and periodically after. Device level profiles including the same CA installed via Jamf Pro using SCEP did not alert the user. The CA was actually not in the current/relevant trust cain, but because it was managed via the profile, it alerted the user.

Update 2020-06-10: MacMule wrote an interesting post on the effects of this expiry on popular MacAdmins tool AutoPkg:

There have also been reports of on premise Jamf Pro environments having fallout by way of failed binary installs. When enrolling via either Automated Device Enrolment (DEP) or User-Initiated Enrolment the InstallApplication phase would likely deliver the initial package/commands to download the binary but the subsequent curl of binary components and binary enrolment will fail. This is most obviously identified by the MDM Profile and PPPC profile being installed but no other profiles and nothing under /usr/local/jamf (missing). The binary (& Self Service) were not present, causing the machine to fail enrolment and be present in the Jamf Pro web admin but marked as “unmanaged”.

Update 2020-06-03: there is a great write up with more technical detail at

This wonderful piece of info took off in Twitter and MacAdmins Slack today:

TLDR; The AddTrust root CA expired May 30 2020 and now OpenSSL libraries used in tools like `curl` are struggling to recognise intermediate certs that are cross-signed to get around expiring root issues

Your Mac will trust the cert in Safari, but curl (used to download things in scripts) may not for example.

Why this is a problem for macOS:

It appears that macOS transition to LibreSSL as early as macOS 10.13 for some components but the bits left effect this bug today. `nscurl` is Apple’s variant and the basis of other tools in macOS does not seem to be affected.

Bottom line: check your scripts…. it appears I may have some work to do.