Why is my SSL certificate untrusted on Android?

user1420752 asked:

The SSL certificate is trusted on most Desktop computers, but only some Android devices. However, even on Android devices where the certificate is untrusted, the root certificate is installed.

I must have tried a hundred ways of resolving this problem, but I think it has something to do with the AddTrust External CA Root (perhaps to do with the SHA-256 fingerprint, which is missing?).

  • The cause does not appear to be an incorrect Certificate Authority Bundle.
  • The cause does not appear to be related to time.
  • All online SSL checker tools I’ve used (e.g., https://www.ssllabs.com) say the SSL certificate is installed correctly.
  • The root certificate is located on my Android device and on my Desktop computer (see the SHA1 fingerprint in the two screenshots, which is identical).

The root certificate is installed on the Android.
The root certificate is installed on my Desktop.

My answer:

Your domain’s certificate has two paths to two different root certificate authorities.

On modern desktop browsers such as Google Chrome, as well as on newer Android versions, the path being taken is to the more recent USERTrust RSA Certification Authority root certificate. (I get this on Android 7.0 NPD90G.)

On older Android versions, the path being taken is to the older AddTrust External CA Root root certificate.

On this second path, you are missing an intermediate certificate. This is the one shown in the SSL Labs test as an “Extra download”. In order to resolve the problem, you need to obtain this intermediate certificate and add it to the certificate chain in your web server.
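The two-path situation described in the answer can be reproduced with a small chain-building model. The following is an added example, not code from the original question or answer: certificates are reduced to (subject, issuer) name pairs, the leaf and intermediate names are constructed placeholders, and the two root names are the ones the answer mentions. Real chain building also matches key identifiers and verifies signatures; this model only shows why one trust store finds a path and the other does not, and which issuer the server would need to serve to close the gap.

```python
"""Chain-building model for the two-root situation in the answer.

Added example (not the original post's code). Certificates are modelled as
(subject, issuer) name pairs only. The leaf and intermediate names are
constructed; the root names are those discussed on the page.
"""
from collections import namedtuple

Cert = namedtuple("Cert", ["subject", "issuer"])

USERTRUST = "USERTrust RSA Certification Authority"
ADDTRUST = "AddTrust External CA Root"

# Constructed sample chain as the web server might serve it.
LEAF = Cert("www.example.com (leaf, hypothetical)", "Example Intermediate CA (hypothetical)")
INTERMEDIATE = Cert("Example Intermediate CA (hypothetical)", USERTRUST)
# The cross-signed copy of the newer root, issued by the older root.
# This is the certificate a validator on an old device needs as an extra download.
CROSS_CERT = Cert(USERTRUST, ADDTRUST)

# Trust stores: a newer device trusts the USERTrust root directly,
# an older device only knows the AddTrust root.
NEW_DEVICE_STORE = {USERTRUST, ADDTRUST}
OLD_DEVICE_STORE = {ADDTRUST}


def build_path(leaf, served, trust_store, max_depth=8):
    """Walk issuer links from the leaf through the served certificates.

    Returns the list of subject names from the leaf up to and including the
    trusted root, or None if some issuer is neither trusted nor served.
    max_depth guards against loops such as a self-signed cert that is not trusted.
    """
    path = [leaf.subject]
    current = leaf
    for _ in range(max_depth):
        if current.issuer in trust_store:
            return path + [current.issuer]
        nxt = next((c for c in served if c.subject == current.issuer), None)
        if nxt is None:
            return None
        path.append(nxt.subject)
        current = nxt
    return None


def missing_issuer(leaf, served, trust_store, max_depth=8):
    """Name the first issuer that is neither trusted nor in the served chain.

    This is the certificate a server operator must add to the chain for that
    trust store; returns None when the path already completes.
    """
    current = leaf
    for _ in range(max_depth):
        if current.issuer in trust_store:
            return None
        nxt = next((c for c in served if c.subject == current.issuer), None)
        if nxt is None:
            return current.issuer
        current = nxt
    return current.issuer


if __name__ == "__main__":
    served = [INTERMEDIATE]
    print("new device, no cross-cert:", build_path(LEAF, served, NEW_DEVICE_STORE))
    print("old device, no cross-cert:", build_path(LEAF, served, OLD_DEVICE_STORE))
    print("old device needs:", missing_issuer(LEAF, served, OLD_DEVICE_STORE))
    served_fixed = [INTERMEDIATE, CROSS_CERT]
    print("old device, with cross-cert:", build_path(LEAF, served_fixed, OLD_DEVICE_STORE))
```

Running it shows the newer store completing at the USERTrust root with only the intermediate served, the older store failing and reporting the USERTrust certificate as the missing issuer, and the older store succeeding once the cross-signed certificate is appended to the served chain.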

