Why does Android Chrome say my site's security certificate is not trusted?
Solution 1
You need to provide the entire certificate chain in order for it to show up as trusted.
Here's the link I got for comodo's instructions on installing the cert chain in apache: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache--mod_ssl
I got this from http://www.sslshopper.com/ssl-checker.html#hostname=blendbee.com, which flagged your cert as not being trusted in all browsers because of an incomplete chain.
Solution 2
A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.
You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
Related videos on Youtube
Kane
Updated on September 18, 2022Comments
-
Kane over 1 year
My site is https://blendbee.com. It's using a PositiveSSL certificate that is valid.
In Windows 8 Chrome the certificate is fine (green lock in top left corner).
But...on my Android, it's not so fine. Screenshot: http://postimg.org/image/6vc64lr1d/
Any ideas why?
The server is running Ubuntu 13.10 at Digital Ocean.
-
Kane over 9 yearsYep, this was on my Samsung Galaxy S5
-
-
rmmoul about 9 yearsAs a note, if you get a bunch of .crt files but no bundle, you may have to create your own bundle file like I did for my comodo cert: support.comodo.com/index.php?/Knowledgebase/Article/View/643/0/…
-
austinian over 7 yearsThe root cert. was in the trust store, but not the intermediate cert. The cert. chain containing all the intermediates was not included and the client was not climbing up the chain using the Authority Information Access extension (possibly because the information was not included in the cert. as presented by the server) to see if the chain led to a trusted CA.