To disable the DigiNotar Root CA in Mac OS X for Safari, do the following.
Disabling a Certificate in Keychain Access
- Open the Keychain Access application, located in the Applications/Utilities folder.
- Select "All Items" in the Categories tab.
- Unlock the keychain and enter "digin" into the search box.
- Select the DigiNotar Root CA and change "When using this certificate" to Never Trust.
- Enter the Administrator Password for the Mac to make the change for all users.
Enabling Preferences in Keychain Access to use OCSP and CRL
You can enable Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to obtain the revocation status of X.509 certificates. This may hinder performance, so we recommend that individual users set these options only temporarily.
- Open the Keychain Access application, located in the Applications/Utilities folder.
- Select Keychain Access > Preferences and switch to the Certificates pane.
- Set Online Certificate Status Protocol (OCSP) to Best Attempt.
- Set Certificate Revocation List (CRL) to Best Attempt.
- Set Priority to OCSP.
- Close Preferences and quit the Keychain Access application.
The fallout continues, and this compromise could be larger than first reported. We recommend setting "Staat der Nederlanden Root CA" to NEVER TRUST in Keychain Access. This will ensure that any other compromised certificates which may have been issued are blocked. This is a precaution; users should make sure CRL/OCSP is turned on as stated above.
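
A read-only Terminal check covering both procedures above, added here as an example and not part of the original instructions: it counts installed certificates matching the two CA names on this page and reads back the OCSP and CRL settings. The keychain paths, the `com.apple.security.revocation` preference domain with its `OCSPStyle` and `CRLStyle` keys, the function names and the file name `audit.sh` are assumptions to verify on the Mac being checked.

```shell
#!/bin/bash
# Added example: read-only audit, changes no trust settings or preferences.
# Assumed: the keychain paths and the com.apple.security.revocation keys.
KEYCHAINS="/System/Library/Keychains/SystemRootCertificates.keychain
/Library/Keychains/System.keychain"

# Print how many installed certificates have a common name containing $1.
count_ca_certs() {
    total=0
    for kc in $KEYCHAINS; do
        # -a: all matches, -c: common-name substring, -p: PEM output
        n=$(security find-certificate -a -c "$1" -p "$kc" 2>/dev/null |
            grep -c -e '-----BEGIN CERTIFICATE-----' || true)
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# Print the stored value of a revocation preference key, or "unset".
revocation_pref() {
    defaults read com.apple.security.revocation "$1" 2>/dev/null || echo "unset"
}

# Report each finding; return 1 if anything still needs attention.
audit_ca_trust() {
    status=0
    for name in "DigiNotar" "Staat der Nederlanden Root CA"; do
        found=$(count_ca_certs "$name")
        if [ "$found" -gt 0 ]; then
            echo "REVIEW: $found certificate(s) match '$name'; confirm Never Trust"
            status=1
        else
            echo "OK: no certificate matching '$name' is installed"
        fi
    done
    for key in OCSPStyle CRLStyle; do
        value=$(revocation_pref "$key")
        if [ "$value" = "BestAttempt" ]; then
            echo "OK: $key is BestAttempt"
        else
            echo "REVIEW: $key is '$value', expected BestAttempt"
            status=1
        fi
    done
    return "$status"
}

# Run the audit only when invoked as: bash audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_ca_trust; fi
```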