I work with the Certificate Provider DigiCert and confirm that the expired intermediate is a deprecated certificate no longer used in installs. Some sites still have it installed on their server or users might have it installed on their local machine.
If you are on Chrome, follow @huntaub's suggestion and remove the expired certificate from keychain and restart.
We've been notifying customers of the expiration and have Technical Support in the office 24 hours to help the sites who need help updating the certificate.
We're also reaching out to the sites we see having issues online.
I just got hit with this issue. There doesn't seem to be any information on DigiCert's site or Github's.
edit: For some reason, deleting the expired DigiCert certificate from Keychain (and restarting Chrome) allowed it to find a valid chain to the Github certificate. I would recommend doing this if you want to get to Github without turning off SSL.
edit2: (Or they just fixed it and I restarted Chrome.) Can anyone confirm that it works now (without deleting the Intermediate Cert)?
If this is anything like the issues we've seen at Stripe, the problem is probably an obsolete cross-signed root in your login keychain. It's caused by a certificate with CN="DigiCert High Assurance EV Root CA" but signed by some other authority rather than being self-signed. It's not clear to us how these are getting into people's login keychains, as they're not present on a fresh install.
Typically servers will present their certificate and intermediates but not the root, under the assumption that browsers must already have the root in their CA store. So for DigiCert that would probably be all the certs up to but not including "DigiCert High Assurance EV Root CA".
Do you see an expired "DigiCert High Assurance EV Root CA" certificate in your login keychain? If so, delete it. If not, something weirder may be going on.
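A triage script for the stray-certificate scenario described above, added here and not code from the thread or from Stripe: given a text dump in the format `openssl x509 -noout -subject -issuer -enddate` prints per certificate (on macOS the PEMs can be exported with `security find-certificate -a -p` and fed through openssl one by one), it flags certificates that carry a trusted root's CN but are not self-signed, and reports whether they have expired. The sample dump, the issuer names, the dates and the trusted-root list are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not real keychain output). Format assumed: the three
# lines `openssl x509 -noout -subject -issuer -enddate` prints per certificate.
SAMPLE_DUMP = """\
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
issuer=C = US, O = Entrust.net, CN = Entrust.net Secure Server Certification Authority
notAfter=Jul 26 18:15:15 2014 GMT
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
notAfter=Nov 10 00:00:00 2031 GMT
subject=C = US, O = Example Inc, CN = Example Intermediate CA
issuer=C = US, O = Example Inc, CN = Example Root CA
notAfter=Jan 01 00:00:00 2030 GMT
"""

# CNs of roots the OS already trusts (hypothetical list; only the root named
# in the thread is included here).
TRUSTED_ROOT_CNS = {"DigiCert High Assurance EV Root CA"}


def common_name(dn):
    """Pull the CN out of a distinguished name in either openssl DN style."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else ""


def parse_dump(text):
    """Group the dump into one dict per certificate; notAfter closes a record."""
    certs, rec = [], {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        rec[key.strip()] = value.strip()
        if key.strip() == "notAfter":
            rec["not_after"] = datetime.strptime(
                value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
            certs.append(rec)
            rec = {}
    return certs


def find_stray_cross_signs(certs, now=None):
    """Certs with a trusted root's CN whose issuer is someone else.

    Such a cross-signed copy shadows the real self-signed root during chain
    building, so once it expires every chain through it fails even though
    the genuine root is still valid."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for c in certs:
        subj, iss = common_name(c["subject"]), common_name(c["issuer"])
        if subj in TRUSTED_ROOT_CNS and subj != iss:
            findings.append({"subject_cn": subj, "issuer_cn": iss,
                             "expired": c["not_after"] < now})
    return findings
```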
It's the same scenario at GitHub. I've had a half-dozen or so GitHub users report cert chain issues on OS X over the last year and a half and it has always turned out to be a stray cert in the 'login' keychain. Still no definitive explanation for where the cert is coming from, but in at least one case the user had been prompted to import the cert by the code signing utilities.
My understanding from DigiCert is the cross-signing with Entrust had been done awhile back to improve mobile browser compatibility. Perhaps this is some strange combination of developer tools installed and the platform they are developing for...
I'd love to hear theories for what might have installed it. If anyone still has that certificate, it would be helpful to export it and email it to support@stripe.com.
We've worked around the issue for now by not using EV certificates, which isn't a great solution.
I've sent both the recently expired DigiCert certs.
Could be just about anything. In my case, my keychain has followed me from one Mac to the next since before the cert that expired today was ever issued, so it could have ended up in there anytime in the last ~8 years from anything I might have had installed dating back to my PowerBook G4...
Virtualization software might be a candidate.
Actually, I just had another thought: Steam. And when I just tried to go to https://store.steampowered.com/, guess what certificate is in the trust chain?
A side-project I'm working on will alert you when SSL certificates are about to expire, preventing these things from happening. It'll also show you an overview of all the expiration dates of your certificates and domains, updated automatically.
It's not live yet, but if you're interested you can sign up for the launch mail here:
Such a thing would have been very helpful to me. My domain's SSL cert expired and I got a new one but didn't notice that my provider had shipped a different, newer intermediate certificate.
For three weeks I was showing a great big THIS CONNECTION IS UNTRUSTED screen to Firefox users and didn't know it.
It surprises me how common it is, which made me build Domainsquire to fix it. As today's event shows it even happens to the big boys, and this is a predictable, pre-emptively solvable downtime event, so it really shouldn't happen.
Looks like digicert itself screwed up - getting an invalid certificate error on digicert.com. Their twitter feed says they are in contact with GitHub, DigitalOcean, Namecheap, Stripe, Pingdom, and so on. This was a big error, and even they made the mistake on their own root domain.
I'm having this issue as well. I deleted all digicert certificates from my keychain just in case. Still couldn't get to Github. I can get to the DigiCert Root Certificates download page, but it gives me an invalid certificate warning. It looks like the same issue as Github.
I really, really don't feel comfortable downloading a ROOT CERTIFICATE with an SSL warning on the page. Who knows what could be compromised in this case?
I'm going to try a couple other things first; I'd like to hear from a security expert, should we find this scary or just a small hiccup?
I had an outstanding OSX update, installed that and rebooted. One of the two fixed it for me. Note: I DID NOT have to install the root certificates, and if anyone else gets an SSL warning from DigiCert's root cert download site, I strongly recommend against downloading anything from there.
The idea is that the service will monitor things like domains and ssl expiry dates and then alert you in an increasingly obnoxious manner as the expiration date gets closer.
My MVP just needs a few more finishing touches and then I'll send it live. In the meantime, you can sign up on the waiting list.
It was noticed, but testing across a number of platforms did not show errors except for Android < v3.
The issue is with a weird Mac OS X chain issue that causes a chain to be downloaded to the login keystore in Keychain. Mac forces it to be used when validating the certificate chain. Most users have removed the cert and everything is working as it should.
Tracking down how and why that happens on Mac OS X is tough. Reaching Apple engineers has not been extremely successful. Not Apple's fault. Usually SSL Root Chain groups are distributed with organizations so it's not always clear who to go to.