How do you clear SSL leaf certificate mappings to particular domains?

by Bao Thien Ngo   Last Updated July 11, 2019 19:12 PM

I visit my website using Chrome on macOS Mojave, for example,, and the SSL leaf certificate is from I recently updated the CNAME record in my DNS for so that it should point When I visit, it resolves the SSL certificate at instead of

You would think clearing the cache might do the trick, but nope: whether it's Chrome's incognito mode or clearing its cache, it's still the same. Then I checked on both Safari and Firefox, and even tried to run the following command in my Terminal:

echo | openssl s_client -connect

with the result being:

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

If I jump onto my brother's Windows 10 machine on the same wifi network, the website correctly pulls the SSL certificate from If I access the site via my iPhone 6, it's correctly pulling from If I browse on my MacBook via tethering on my iPhone 6, it still shows up as

So, we know that:

  1. It's not related to the browser, since all browsers are affected the same way, including openssl at the command line.
  2. It's not related to the network, since other devices on the same network work fine.

I suspect that the mapping between an SSL certificate and a domain is cached somewhere at the operating system level.

Other things I've tried but did not work:

  1. Rebooting the computer by shutting it off and powering it back on
  2. Looked for any expired certificates in Keychain Access (yes, already enabled viewing hidden expired certificates), but found nothing related to my website or Fastly, and did not find anything wrong with any of the GlobalSign certificates.
  3. Tried to delete the CRL and OCSP cache for GlobalSign, but it's not relevant because neither /var/db/crls/crlcache.db, /var/db/crls/ocspcache.db, nor ~/Library/Keychains/*/ocspcache.sqlite3 exists in macOS Mojave.
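
An added example, not part of the original question: a small Python parser for the legacy one-line `openssl s_client` chain output shown above, so that captures taken on two machines can be compared by leaf subject and issuer instead of by eye. `PAGE_CAPTURE` is the output from the question; `OTHER_CAPTURE` and all function names are constructed for illustration.

```python
import re

# Chain output copied from the question (legacy one-line name format).
PAGE_CAPTURE = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
"""
# Constructed capture standing in for a machine that gets a different leaf.
OTHER_CAPTURE = """\
Certificate chain
 0 s:/CN=www.example.test
   i:/C=US/O=Example Trust/CN=Example Issuing CA
"""
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/C=US/..."
_ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:/C=BE/..."

def parse_name(name):
    """Split an OpenSSL one-line name (/K=V/K=V) into [(key, value), ...]."""
    # Split only on a '/' that starts a new KEY=, so values such as
    # "Fastly, Inc." survive; a trailing '/' (truncated name) is dropped.
    parts = re.split(r"/(?=[A-Za-z0-9.]+=)", name.strip().rstrip("/"))
    return [tuple(p.split("=", 1)) for p in parts if "=" in p]

def parse_chain(text):
    """Return one dict per certificate: depth, subject and issuer."""
    chain = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            chain.append({"depth": int(m.group(1)),
                          "subject": parse_name(m.group(2)), "issuer": []})
        elif (i := _ISSUER.match(line)) and chain:
            chain[-1]["issuer"] = parse_name(i.group(1))
    return chain

def leaf_identity(text):
    """(subject O, else CN; issuer CN) of the depth-0 certificate."""
    leaf = next((c for c in parse_chain(text) if c["depth"] == 0), None)
    if leaf is None:
        raise ValueError("no depth-0 certificate in capture")
    subj, iss = dict(leaf["subject"]), dict(leaf["issuer"])
    return (subj.get("O") or subj.get("CN"), iss.get("CN"))

def same_leaf(capture_a, capture_b):
    """True when two captures show the same leaf subject and issuer."""
    return leaf_identity(capture_a) == leaf_identity(capture_b)
```

Newer OpenSSL releases print names as `C = US, O = ...`; this parser handles only the slash-separated form that appears in the question.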
