macOS Certificate Requirements

In Curator environments where users operate on Mac machines, additional certificate considerations are necessary to ensure successful server connections. This is due to differences in how macOS and Windows handle certificate validation.


Platform Differences in Certificate Validation

  • Windows:
    In many cases, Windows will automatically retrieve missing intermediate certificates from the server or from the Authority Information Access (AIA) field embedded in the certificate.

    ⚠️ However, this is not guaranteed in all cases. Some Windows applications or services may still require intermediate certificates to be explicitly provided or configured.

  • macOS:
    Requires the entire certificate chain (end-entity + intermediate certificates) to be present and valid at the time of validation. If any intermediate certificate is missing, the connection will fail — even if the root certificate is trusted.


Common Error: "Unable to Verify the First Certificate"

This error often occurs in Curator Connect or Curator for Adobe when macOS cannot validate the full certificate chain.

Typical error message:

"Unable to verify the first certificate"


Steps to Resolve

1. Ensure the Full Certificate Chain Is Provided by the Server

Make sure your server delivers the end-entity certificate along with all intermediate certificates in the correct order.

  • Check the Certificate Chain:
    Use tools like SSL Labs or openssl to confirm the server provides the full chain:

    openssl s_client -connect yourserver.com:443 -showcerts
    

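    Look for gaps in the chain: in the "Certificate chain" section of the output, the issuer (i:) of each certificate should match the subject (s:) of the certificate that follows it. If intermediate certificates are missing, add them to your server configuration.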

  • Server Configuration:
    Combine certificates into a single bundle file (e.g., fullchain.pem for Apache or NGINX):

    cat your_certificate.pem intermediate_certificate.pem > fullchain.pem
    

    Reference this bundle in your server’s SSL configuration.

  • Verify:
    Restart your application and check if the issue is resolved.
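
The "Check the Certificate Chain" step above can be automated. The following is an added example, not part of the original article or of any Curator tooling: a hypothetical `check_chain` helper that reads `openssl s_client -showcerts` output and reports gaps. The sample outputs and certificate names are constructed.

```shell
#!/bin/sh
# Added example. check_chain is a hypothetical helper, not an OpenSSL or
# Curator tool. It reads `openssl s_client -showcerts` output on stdin.
# Exit status: 0 = no gaps, 1 = gap or leaf-only chain, 2 = no chain found.
# Real use (host name from the article):
#   openssl s_client -connect yourserver.com:443 -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    BEGIN { n = 0 }
    # Each entry is " N s:<subject>" followed by "   i:<issuer>".
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, "");        iss[n++] = $0; next }
    END {
      if (n == 0) { print "NO CHAIN: no certificate entries in input"; exit 2 }
      # Every certificate must be issued by the one that follows it.
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          printf "GAP: cert %d is issued by [%s] but cert %d is [%s]\n",
                 k, iss[k], k + 1, subj[k + 1]
          bad = 1
        }
      # A single certificate that is not self-signed: no intermediates sent.
      if (n == 1 && iss[0] != subj[0]) {
        printf "LEAF ONLY: server did not send the certificate of [%s]\n", iss[0]
        bad = 1
      }
      if (bad) exit 1
      printf "OK: %d certificates, no gaps; last issuer is [%s]\n", n, iss[n - 1]
    }'
}

# Constructed sample outputs (names are made up for illustration).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = curator.example.test
   i:C = US, O = Example CA, CN = Example Issuing CA 1'

SAMPLE_FULL='Certificate chain
 0 s:CN = curator.example.test
   i:C = US, O = Example CA, CN = Example Issuing CA 1
 1 s:C = US, O = Example CA, CN = Example Issuing CA 1
   i:C = US, O = Example CA, CN = Example Root CA'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | check_chain || true   # LEAF ONLY, status 1
printf '%s\n' "$SAMPLE_FULL" | check_chain                 # OK, status 0
```

A leaf-only result is the case that Windows may paper over by fetching the intermediate itself and that macOS rejects. If the leaf is issued directly by a root the client already trusts, the leaf-only report can be ignored.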


2. Manually Import Certificates into macOS Keychain

If updating the server is not possible, you can manually import the necessary certificates into the macOS Keychain.

  • Add the Root Certificate:

    1. Open Keychain Access (Applications > Utilities).
    2. Drag the root certificate into either the System or Login keychain.
    3. Right-click the certificate → Get Info → Set Trust to “Always Trust”.

  • Add Intermediate Certificates:

    1. Drag missing intermediate certificates into the same keychain.
    2. Explicit trust settings usually aren’t required for intermediates.

  • Verify:
    Restart the application and check connectivity again.


By ensuring the complete certificate chain is correctly delivered by the server or configured on macOS, you can resolve these trust issues and establish secure connections in Curator environments.