Keychain has untrusted certificate

Hello,

I'm a week & a half into my new MBP (love it), and in the process of setting up Keychain to manage my passwords.

I downloaded an update (I *think* it was from apple - sorry, getting old and have CRS disease) that's making me uncomfortable, because when I look in System Keychains, there are a total of six listed in two categories:
com.apple.kerberos.kdc
com.apple.systemdefault

2 are public, 2 are private, and 2 are "certificate".

The "certificates" are marked with a red X and noted "This root certificate is not trusted".

Can someone tell me whether I should be worried, and if not, why not?

I guess nobody knows the answer to that question, so how about this one:

I can enter my password and unlock the System keychain - would it hurt anything to delete the two untrusted certificates?

They are "self-signed root certificates" that expire 3/26/28.

I have them too. I don't really understand what certificates are, so my rule is if I don't know what something is I just leave it alone.

Too many people just go and delete things they don't know what they are and then things go wrong and they can't log into their computer.

I have no reason to believe that these files aren't from apple. Especially if you just got your computer, I doubt apple would send it to you with something bad on it out of the box.

Well, I was kind of assuming that they arrived with the add-in I installed (it had something to do with making Keychain easier to use), but if you've got them too, then that rules that out.

I do find it slightly disturbing that Apple will ship something with untrusted certificates - so far, nearly everything with my Mac experience has been great, and again, I just don't quite get why Apple wouldn't fix this - it seems like it should be easy to do.

Anyway, thanks for the response.

Sorry, did you download this with the Software Update thing?

DreamingFox said:

Well, I was kind of assuming that they arrived with the add-in I installed (it had something to do with making Keychain easier to use), but if you've got them too, then that rules that out.

I do find it slightly disturbing that Apple will ship something with untrusted certificates - so far, nearly everything with my Mac experience has been great, and again, I just don't quite get why Apple wouldn't fix this - it seems like it should be easy to do.

Anyway, thanks for the response.

Click to expand...

Those are both "self-signed root certificates", which AFAIK basically means that using those certificate you can create your own certificates that you (or your system) can sign.

Either that, or they're just needed by the system for internal signing of things...

Again, I'm not really sure on this, but I have them as well, so I think you're good just leaving them.