Trusted Root Certificate not trusted


I have a strange problem that I don't understand. I think it was working before, and I do suspect an update to macOS that I loaded on my MacBook Air just before, but I thought I would ask the question here to see if anyone has any insight.

I am developing a PWA application which runs behind a company's firewall. As a result there is no chance of getting a public SSL certificate, as I can't expose the site to the public. So I have gone for a self-signing process, where I have set up a trusted certificate authority which then signs the SSL certificate for the application. The downside is that it requires the key of my self-signed authority to be loaded into the trusted store of the browser.

It is all working great on Windows and on the iPad, and I had thought I had it working on a Mac until this morning, when I came to make a video about how to install it. Just before the video, my Mac announced it wanted to upgrade its OS, so I let it. I went to Keychain Access and deleted the certificate authority. I then installed the new certificate file in the keychain and ran up my browsers. Safari would not work at all; Chrome showed the insecure marker. When I clicked on it, I got this dropdown:

[Image: Drop down from insecure warning in address bar]

As you can see, it says certificate invalid, but if you click on it you get this dialog pop up.

[Image: The resultant certificate]

That says it is fully trusted.

So I have no idea what's gone wrong. Is it a bug in the Mac keychain after the last release, or am I doing something else wrong?

EDIT: I suspect this has something to do with Certificate Transparency logs, although I have been unable to find much information, other than that Apple has changed its policy on it. Public certificates have to be submitted to a certificate transparency log, and a long-lived certificate needs several entries in different logs. Yet I can find little information about whether self-signed certificates need this.

I did eventually also make Safari work, by using the developer tools and putting a breakpoint in the service worker. It was throwing an error in a background fetch it was using to refresh the offline cache (because of the certificate error), but there were so many errors (my application has hundreds of small files to download) that I had not waited long enough for it to complete that process. When I did, it gave a message asking me if I wanted to trust the site. When I confirmed I did, it updated the keychain and it has worked ever since.
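The question describes building a private CA that signs the application's server certificate. The script below is an added example, not the poster's own setup: it builds that chain with the openssl CLI and then runs the checks a practitioner would want before trusting the root on a Mac. Since macOS 10.15 / iOS 13 Apple only accepts a TLS server certificate that carries a subjectAltName, has the serverAuth extended key usage, uses an RSA key of at least 2048 bits with a SHA-2 signature, and is valid for at most 825 days; a leaf that relies on the CN alone, or that was issued for ten years, is rejected even when the issuing root is marked trusted in Keychain Access. Apple's Certificate Transparency policy, by contrast, applies only to certificates chaining to roots in Apple's own trust store, so a privately installed root needs no CT log entries. The hostname `pwa.corp.example`, the CA name and the directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example: private CA + server leaf that meets Apple's TLS requirements.
# Everything here (names, paths, 398-day lifetime) is a constructed assumption.
set -eu

# Create a root CA and a leaf certificate for $host under directory $dir.
make_private_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"

  # Root CA: self-signed, CA:TRUE, restricted to signing certificates/CRLs.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt"

  # Leaf: SAN, serverAuth EKU and a lifetime well under Apple's 825-day limit.
  cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -config "$dir/leaf.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 398 -sha256 \
    -extfile "$dir/leaf.cnf" -extensions v3_leaf -out "$dir/leaf.crt"
}

# Return 0 only if the leaf chains to the CA and carries what Apple requires.
check_leaf() {
  dir=$1; host=$2
  # Chain builds and the name matches the SAN (not just the CN).
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
    "$dir/leaf.crt" >/dev/null || return 1
  text=$(openssl x509 -in "$dir/leaf.crt" -noout -text)
  printf '%s\n' "$text" | grep -q "DNS:$host" || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
  # -checkend exits 0 if the cert is still valid N seconds from now; a leaf
  # issued today that is still valid in 825 days has too long a lifetime.
  if openssl x509 -in "$dir/leaf.crt" -noout -checkend $((825 * 86400)) \
      >/dev/null; then
    return 1
  fi
  return 0
}

# Usage: build the PKI in a temporary directory and run the checks.
work=$(mktemp -d)
make_private_pki "$work" pwa.corp.example
check_leaf "$work" pwa.corp.example && echo "leaf passes Apple's TLS checks"
rm -rf "$work"
```

Only `ca.crt` goes into the keychain (or the iPad's profile); `ca.key` stays offline so the root cannot be used to mint certificates for other sites. After importing, the same `openssl verify` line run against the served chain is a quick way to tell a trust-store problem apart from a certificate that Safari and Chrome reject on content.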
