Getting Around a Revoked Certificate in OSX

Let me start this off by saying this is not an ideal trick and one I hope no one else needs to use because it's a bad idea to work around a browser feature that's aimed to protect your security.

That said, I am in the process of testing a product and ran into a weird situation where our team had to revoke the SSL certificate we had assigned to our server. We're going to replace it but I have testing to do in the meantime and need access to our staging server, so waiting is kind of a blocker because, well, this message gets me nowhere.

Safari's warning for a site with a revoked certificate.

This message is different from the warnings browsers provide for sites without SSL. Those give you a built-in workaround by simply dismissing the warning. The difference is that a revoked certificate implies that the certificate's private key has been lost or compromised, making the site's security vulnerable to malware, phising, etc. No bueno!

I reached out to Zach Tirrell and he helped me get around this issue with some tinkering that, given the right situation, might be helpful for others.

One last note before we dive in is that I'm working on a Mac. I'm not sure what the equivalent steps would be for other systems, so your mileage may vary.

Step 1: View the Certificate

Click the "Show Details" link in Safari to reveal an additional option to view the certificate.

Safari displays an option in the error message to view the certificate that is revoked. Click on that to open a dialogue that provides information on that certificate.

Step 2: Save the Certificate to the Desktop

Drag the certificate to the desktop to save it locally.

There's a bit of hidden UI in the dialogue that allows you to save the certificate. Click the certificate icon and literally drag it to the desktop.

Step 3: Add the Certificate to Keychain Access

Drag the certificate into the Keychain Access Certificates screen.

OSX's Keychain Access is typically known for storing a user's passwords, but it also manages secure notes and SSL certificates, among other protected system assets. You can open Keychain Access in your Applications, or search for it in Spotlight (CMD + Space).

Navigate to the Certificates panel and drag the certificate into it. The certificate is now installed and recognizable to Keychain Access.

Step 4: Trust the Certificate

Tell Keychain Access to "Always Trust" the certificate.

Double-click on the certificate to manage the system preferences for handling it. Expand the Trust panel ans set the preference to Always Trust the certificate.

Keychain Access will likely ask you to confirm this change by entering your system password.

Revisit the Site

Now that the system has been instructed to trust the certificate, go ahead and re-visit the site. It should now load as if the certificate had not been revoked in the first place, though you may need to restart the browser to see the effect.

Both Safari and Chrome read permissions from Keychain Access, so those browsers should be well covered by these steps. Firefox has its own layer way of managing these permissions, which can be accessed on the browser's Preferences > Privacy Settings screen.

Wrapping Up

I'll state it again, but I really hope no one ever needs to use this trick. Browsers bake this security in for good reason and working around it is not only frowned upon, but downright risky. The type of scenario for needing to do this has got to be pretty darn rare and, for those, I sure hope this helps.