Now, a few days later, the diagnostic console interface for Apple service techs will show that the CA for the site is untrusted (everywhere but in Safari, of course).
As it is the Apple way to not actually inform about the security implications pre-patch, I'm here to ask and ponder: what is going on over there?
Here's the excerpt of openssl s_client diagnostics.apple.com:443
https://pastebin.com/UjSFq6RT