RapidSSL certificate not trusted on Android tablet
I've installed a RapidSSL certificate, with intermediate certificate, on the site address removed, using DirectAdmin. The RapidSSL installation checker reports a successful installation.
However, when I visit the site on an Archos 10.0 tablet with Android 2.2, it complains that the certificate was not issued by a trusted authority. It works fine on my Sony Ericsson Arc (phone) with Android 2.3.
Is there anything I can do to fix this on the server side (without touching the tablet)? Obviously if that version of Android simply doesn't trust RapidSSL, I can't do anything, but maybe there's a misconfiguration with my CA chain or something?
Late response I know, but I had the same problem. Installing the CA for both RapidSSL and GeoTrust on the server-side solved it for me.
http://support.servertastic.com/rapidssl-and-geotrust-certificate-not-trusted-on-mobile-device/
This is the RapidSSL and Geotrust CA bundle you need.
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
Documentation of some providers:
- RapidSSL
- GoDaddy
It seems that the (new) GeoTrust Root CA is not installed on various mobile devices: http://support.servertastic.com/rapidssl-and-geotrust-certificate-not-trusted-on-mobile-device/
You can cross-reference that CA to other known Root-CAs. I added the Cross-Root CA Cert to the ca-bundle/intermediate Cert. After that it worked on Android:
Copy Geotrust Cross Root CA Certificate: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426&actp=search&viewlocale=en_US&searchid=1283360269668
Add that Cross Root CA Cert to the RapidSSL and Geotrust CA bundle file: https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
Then install this new bundle file as intermediate.pem or ca-bundle.crt on your Server.
I had the same problem, but it had nothing to do with the support of RapidSSL's or GeoTrust's certificates: I had concatenated the server and intermediate certificates together in the wrong order, when serving the SSL certificate chain.
So make sure your server's certificate comes first in the bundle, e.g.:
cat server.pem intermediate.pem > bundle.pem
Hello, in my case (GeoTrust RapidSSL, CentOS 6), the Apache settings that give trusted SSL on Android devices are:
SSLCertificateFile /etc/httpd/ssl/domain.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain.key
SSLCertificateChainFile /etc/httpd/ssl/intermediate.crt
The catch is that Apache does not need a bundle certificate. Just place your crt found in the mail from GeoTrust:
- the 1st section in your mail, with the headers -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----, in a domain.crt file, named as you wish, and
- the 2nd section, found under INTERMEDIATE CA:, with the headers -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- (don't miss any dash), placed in an intermediate.crt file
- Find your ssl.conf file, uncomment and place the values. Done!
- In the case of many hosts, create a separate ssl-domain.conf for your host
Yes, it's fixable. What you need to do is load the root certificate (that is, the public key of the RapidSSL server--in your case, it's the "GeoTrust Global CA") into the Android device so it knows to trust that certificate authority.
There's a question on the Android StackExchange that suggests multiple ways you can do this.
In that case... unfortunately, the only way to fix it on the server side is to buy an SSL certificate from a provider that is trusted on all the devices you want to use the site. Sadly, this almost always means buying the more expensive SSL certificates from the biggest CAs. (E.g. in my experience, the RapidSSL line was not trusted by handhelds with iOS and WinMobile, but the parent company GeoTrust's base-level certificate was.)
Or... you could provide documentation for your end-users on how to trust the cert on their devices.