Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Here's how things are looking here....

View attachment 2008143
View attachment 2008144

View attachment 2008145
FYI it didn't ask for any login credentials to add the certificate to Keychain Access, only to change the trust settings from "Use System Defaults".

I suspect an email to Apple's PKI team to at least ask for a statement on whether the intermediate certificate will be renewed or not would not be unreasonable, given iCloud is listed as supporting back to Yosemite.
Maybe if a lot of users harass them at contact_pki@apple.com
 
The signing Root CA "GeoTrust Global CA" in "System Roots" expired on May 21, 2022.

So set both the original "Apple IST CA 2 - G1" and "GeoTrust Global CA" to "always trust"

This works for me in High Sierra (I did a logout & login; not sure if necessary).

Also, in my case, no need to import the second "apple IST CA 2 - g1".

Worth a try.

f#*king bingo! well done :)

Everything's back to working again *instantly* with just the geotrust and Apple certs set to always trust.

A toast to you! ?
 
Just to be sure, High Sierra?

***I only have Geotrust Primary Certification Authority (3 of them) on my Mojave machine?

Different MacOS versions may use different sets of certs. If you can't quickly find them, perhaps let it be.

Once Apple fixes the issue on server side, they'll publish a new set of certs for High Sierra. Then you can import them into HS.

As long as Apple doesn't fix their servers, the method in #47 should continue to work.

f#*king bingo! well done :)

Everything's back to working again *instantly* with just the geotrust and Apple certs set to always trust.

A toast to you! ?

Glad it works for you :)
 
  • Like
Reactions: Patrice Brousseau
Different MacOS versions may use different sets of certs. If you can't quickly find them, perhaps let it be.

Once Apple fixes the issue on server side, they'll publish a new set of certs for High Sierra. Then you can import them into HS.

As long as Apple doesn't fix their servers, the method in #47 should continue to work.



Glad it works for you :)
Thanks @kvic !
 
  • Like
Reactions: kvic
Can confirm that doing the always trust on Both expired certs worked IMMEDIATELY (maybe a bit of delay on iCloud Drive but relatively immediate). Tested Notes and Contacts...... apps updated with no delay.
Have High Sierra 10.13.6 on a MBP Mid 2010. iCloud.com also worked without ANY issues!
NO RESTART REQUIRED.

Now.....how long before apple sabotages this?
 
Can confirm that doing the always trust on Both expired certs worked IMMEDIATELY (maybe a bit of delay on iCloud Drive but relatively immediate). Tested Notes and Contacts...... apps updated with no delay.
Have High Sierra 10.13.6 on a MBP Mid 2010. iCloud.com also worked without ANY issues!
NO RESTART REQUIRED.

Now.....how long before apple sabotages this?
I hope they won't notice... :)
 
  • Like
Reactions: goudinuf
Yes, appears to be isolated to iCloud Drive sync. I reinstalled the Baltimore Cybertrust cert and set it to Always Trust and that didn't fix anything.
 
The signing Root CA "GeoTrust Global CA" in "System Roots" expired on May 21, 2022.

So set both the original "Apple IST CA 2 - G1" and "GeoTrust Global CA" to "always trust"

This works for me in High Sierra (I did a logout & login; not sure if necessary).

Also, in my case, no need to import the second "apple IST CA 2 - g1".

Worth a try.

THAT DID IT! iCloud Drive and Notes are working again!

Praise you @kvic. And screw you Apple! The 2011 MacBook Pro 13" lives on!
 
  • Like
Reactions: SQU
Can confirm that doing the always trust on Both expired certs worked IMMEDIATELY (maybe a bit of delay on iCloud Drive but relatively immediate). Tested Notes and Contacts...... apps updated with no delay.
Have High Sierra 10.13.6 on a MBP Mid 2010. iCloud.com also worked without ANY issues!
NO RESTART REQUIRED.

Now.....how long before apple sabotages this?

What was the second expired cert?

I only had 1:
Apple IST CA 2 - G1
CN: GeoTrust Global CA
Expired: Friday, May 20, 2022 at 10:42:02 Central Daylight Time

On a lark, I have now also set always trust on the only other Apple expired cert in login keychain:
Apple Application Integration Certification Authority
CN: Apple Application Integration Certification Authority
Expired: Wednesday, July 26, 2017 at 14:16:09 Central Daylight Time
 
The signing Root CA "GeoTrust Global CA" in "System Roots" expired on May 21, 2022.

So set both the original "Apple IST CA 2 - G1" and "GeoTrust Global CA" to "always trust"

This works for me in High Sierra (I did a logout & login; not sure if necessary).

Also, in my case, no need to import the second "apple IST CA 2 - g1".

Worth a try.

Ok got it and finally working again. Was a little unclear because certs are in two different places.

1. There is "Apple IST CA 2 - G1" in the login keychain that expired May 20, 2022.
2. And a second expired "GeoTrust Global CA" in "System Roots" that expired also on May 20, 2022.

Both need to be set to always allow. I don't think the Baltimore Cybertrust or the other Apple Application Integration CA helped. I deleted the former and returned the latter to expired.

My lesson is to not trust iCloud Drive Sync and to accelerate my plans for 10.14 upgrade.
 
Last edited:
Ok got it and finally working again. Was a little unclear because certs are in two different places.

1. There is "Apple IST CA 2 - G1" in the login keychain that expired May 20, 2022.
2. And a second expired "GeoTrust Global CA" in "System Roots" that expired also on May 20, 2022.

Both need to be set to always allow. I don't think the Baltimore Cybertrust or the other Apple Application Integration CA helped. I deleted the former and returned the latter to expired.

My lesson is to not trust iCloud Drive Sync and to accelerate my plans for 10.14 upgrade.

Interesting, so you got it working without even having the certificate referenced yesterday?

EDIT: Confirmed! I removed the "CA 2 - G1" certificate that expires in 2025. It seems as long as the originally-discussed cert from Apple's site that expired a few days ago is set to always trust, and the "GeoTrust" one is also set to always trust, Notes and Drive sync just fine.
 
Last edited:
Ok got it and finally working again. Was a little unclear because certs are in two different places.

1. There is "Apple IST CA 2 - G1" in the login keychain that expired May 20, 2022.
2. And a second expired "GeoTrust Global CA" in "System Roots" that expired also on May 20, 2022.

Both need to be set to always allow. I don't think the Baltimore Cybertrust or the other Apple Application Integration CA helped. I deleted the former and returned the latter to expired.

My lesson is to not trust iCloud Drive Sync and to accelerate my plans for 10.14 upgrade.
I’ve left it anyway but it looks it’s not needed. The Apple Support forum user realized that his GeoTrust Global CA was set already to « always trust ». So, it wasn’t the new certificate that fixed it for him…
 
Now, someone mentioned in the Apple Support forums that it fixed his iCloud sync for Mojave?? First time I hear about Mojave and this bug… My 10.14 machines aren’t affected unless I’m mistaken!

The GeoTrust Global CA couldn’t even be found on 10.14…
 
Now, someone mentioned in the Apple Support forums that it fixed his iCloud sync for Mojave?? First time I hear about Mojave and this bug… My 10.14 machines aren’t affected unless I’m mistaken!

The GeoTrust Global CA couldn’t even be found on 10.14…

There better not be issues! My Mojave machine is still working just fine as of five seconds ago.
 
Yes, I installed the new cert and reverted the expired 2 and everything still working. No class action yet.
 
Is it an email you'd mind quoting here - I'd be curious to see what their thoughts / tenor are with regards to it.
« Thank you for contacting Apple PKI team. The expired CA has already been renewed and can be found here Apple IST CA 2 - G1. If your issue is still not resolved or you need further guidance, please visit iCloud Support https://support.apple.com/icloud.

Apple PKI »

Quite generic but at least, I had an answer in short time.

BTW, does the certificate goes in System or Login? I’ve put it in both…
 
First and foremost, thank you to everyone who contributed to finding a solution, especially those who bugged apple support to fix their **** and issue a new certificate. I literally had a panic attack today from iCloud worries. I really thought my time was up, but you guys held it down, and I cannot be more grateful to you.

For anyone still struggling with this, I just wanted to share my experience ~briefly~ in case it may be helpful to someone. My issues started some time last week when iCloud drive stopped syncing, and was stuck uploading x amount of files. Today I resolved to sign out of icloud and sign back in to try to resolve the issue, sure enough, that didn't work, and I feared that my computer would not sync with iCloud again.

I followed the answer in this article but it didn't fix the issue. I nearly gave up, played some online chess to get my mind off things, and then pulled my pants up and decided to give this one last go. I pulled up to macrumors.com since that's where I found the solution to the iCloud issue so many of us experienced in March/April, and found this thread. I downloaded the initial certificate issued by Baltimore Cybertrust, but couldn't find the GeoTrust one in my keychain. I'm running High Sierra 10.13.6 btw. I saw in the later replies, that Apple had issued a new certificate, so I deleted the Cybertrust one, and then tried to add the Apple one. For whatever reason it wouldn't let me add it, so I think I had to re-add the Cybertrust one, set it to trust always, then add the Apple one. However, even after all of this, sync was still not working. I also removed the Cybertrust one after the Apple cert installed successfully.

I decided to get a hold of Apple support since that's what the shared Apple email reply said, but the agent was pretty clueless about what was going on. During the chat, I realized I was able to sign into icloud.com on Safari again, but still no sync in Finder. I gott desperate, signed out of and back into iCloud in Preferences, still nothing. Finally decided to run "killall bird" one last time, still nothing. I go back to the chat, and the agent tells me I'm gonna have to restart my computer. I then go back to my desktop, and BOOM, FILES ARE BACK and iCloud drive has a loading sign next to it... Hallelujah, **********ers!

So yeah, long story short, if after adding the new Apple-issued certificate, sync is still not going, try running the "killall bird" command in Terminal, wait 2-3 minutes, and that could do the trick. Thank you all again for your help!!!
 
  • Like
Reactions: mattspace
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.