Reinstall Thawte Certificates
I am having problems with SSL certificates that cannot be validated because Thawte certificates were not valid. During attempts to fix this I have deleted some Thawte certs with the expectation of being able to re-install.
How do I reinstall all of the Thawte Certificates to the latest version?
I have already carried out a reinstall of the App, and a Refresh.
Mac Firefox v37.0.2 on Intel iMac
Thanks
If a Refresh did not restore the certificates, then they presumably are not among the built-in root certificates that ship with Firefox.
What kind of certificates are they: personal certificate, server certificate, signing certificate (authority certificate)?
Does this affect a particular website? If so, you could provide the URL.
Thank you jscher2000
It was affecting several web sites that I visit on a regular basis. I used an SSL checker and the sites were correctly configured.
I then discovered that Thawte Server CA was crossed out in the Keychain Access app, so I deleted and reinstalled with the data-file I downloaded from Thawte’s site as part of the root package.
Then restarted and things appear to be working okay now.
Can someone please confirm the standard Thawte certs settings? I notice it has changed from what I had before and now I only see three for Thawte listed under Authorities: Primary Root CA; CA G2; CA G3, with the following serial numbers:
- 34:4E:D5:57:20:D5:ED:EC:49:F4:2F:CE:37:DB:2B:6D
- 35:FC:26:5C:D9:84:4F:C9:3D:26:3D:57:9B:AE:D7:56
- 60:01:97:B7:46:A7:EA:B4:B4:9A:D6:4B:2F:F7:90:FB
Is this okay? Do I need to install anything else to fix this for sure?
Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future use. Stored intermediate certificates show as "Software Security Device" in the "Security Device" column in the Certificate Manager. If a server doesn't send a full certificate chain, then you won't get an untrusted error when Firefox has stored the missing intermediate certificates from visiting a server in the past that has sent them, but you do get an untrusted error if this intermediate certificate isn't stored yet.
On Windows, Firefox does not use the system's certificate store, but instead maintains its own store (cert8.db). You may have something different on Mac, and hopefully someone can advise on what you should be seeing there.
thawte DV SSL CA - G2 and thawte EV SSL CA - G3 are intermediate certificates and show for me in the Certificate Manager as "Software Security Device". You normally do not need to worry about such intermediate certificates because Firefox will install them automatically. It is only a problem if you visit a website that doesn't send a complete certificate chain.
There is this extension to integrate the Mac Keychain service in Firefox.
- Keychain Services Integration: https://addons.mozilla.org/firefox/addon/keychain-services-integration/
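The replies above describe why a site fails with an untrusted error when the server omits its intermediate certificate and the browser has not cached it yet. The script below is an added example, not code from the thread or from Mozilla: it uses the openssl command-line tool (assumed to be installed) to build a throw-away root, intermediate and leaf certificate, then verifies the leaf with the root only and again with the intermediate supplied. All certificate names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throw-away
# root -> intermediate -> leaf chain with the openssl CLI (assumed installed)
# and shows why a server that omits its intermediate fails validation unless
# the client already has that intermediate available. All names are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Self-signed root CA: this plays the role of a built-in trusted root.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
    -extfile ca.ext 2>/dev/null
}

# Intermediate CA signed by the root: the role an issuing CA like
# "thawte DV SSL CA - G2" plays in a real chain.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 -extfile ca.ext 2>/dev/null
}

# Server (leaf) certificate signed by the intermediate.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null
}

# Client trusts only the root and the server sent just its leaf.
# Returns non-zero: openssl reports "unable to get local issuer certificate",
# the same situation the browser shows as an untrusted error.
verify_without_intermediate() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same trusted root, but the intermediate is available (sent by the server,
# or cached from an earlier visit as Firefox does). Returns 0: chain builds.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# Who issued the leaf? This is the "Issued by" field in the certificate viewer;
# if a TLS-scanning product re-signed the site, this would name that product.
leaf_issuer() {
  openssl x509 -in leaf.pem -noout -issuer
}

make_root
make_intermediate
make_leaf

if verify_without_intermediate; then
  echo "leaf verified with root only (unexpected)"
else
  echo "leaf NOT verified with root only: intermediate missing"
fi
if verify_with_intermediate; then
  echo "leaf verified once the intermediate is supplied"
fi
leaf_issuer
```

Run it with `sh` in any directory; it works in a temporary directory it creates. The `-untrusted` flag is the closest analogue to what a browser does with intermediates it has received or cached: they are used to build the chain but are not themselves trust anchors.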
Thank you for all the responses. I think I need to see how things go over the next few days before I can be sure this issue is solved.
For anyone else reading this in future, I'm using Mac OS 10.8.5 and Firefox 37.0.2 ... I deleted then imported the Thawte Server CA in the Keychain Access app with the data-file obtained from https://www.verisign.com/support/thawte-roots.zip and then restarted the Mac OS.
Do you connect to the problem sites directly, or is the connection proxied, for example, by security software doing filtering of web connections?
I have Kaspersky Internet Security v15.0.0.226a.b installed.
I haven't seen any problems since updating the Keychain certificate.
Do you use the SSL Scan feature? You should be able to determine that by clicking the padlock on the address bar in Firefox, then clicking More Information and View Certificate: was it "Issued by" Kaspersky?
If so, that could explain the issue, because Kaspersky probably is validating against the OS certificate store in that scenario.
Yes, Kaspersky is checking SSL. Sometimes it says verified by Kaspersky, sometimes not. However, I think the issue was the untrusted cert in Keychain, made worse by me trying to fix it within Firefox.