Certificate Chain Confusion

Nummer378 · October 26, 2021, 10:57am

IIS servers will usually refuse to serve the long chain nowadays (because it doesn't like having an expired certificate in the chain).

So.. It's impossible to support Android 7 and older on IIS? (In a non-hacky way?)

Correct. There are workarounds but Windows builds it's own certificate chain for your certificate which it then uses (when acting as a server or a client), regardless of the chain you may have constructed in the installed PFX (stored in the machine certificate store).

Options/workarounds include:

Proxying your service via nginx, caddy, apache etc (these construct the chain from pem files)

Proxying your service via Cloudflare

Moving ISRG Root X1 to Untrusted (not recommended, can affect outgoing https calls from your server to other services, like Let's Encrypt).

Using an alternative CA

Note that there will be another round of root/intermediate expiries in 2024/25 etc and at that point those Android devices will be entirely out of luck as well.

Topic		Replies	Views
So.. It's impossible to support Android 7 and older on IIS? (In a non-hacky way?) Help	4	2594	November 28, 2021
Android Browser Showing Security Risk or Connection Not Secured Help	34	5942	December 25, 2021
Site not secure Help	12	2821	November 28, 2021
Serve long chain X3 to support older clients Help	5	789	November 6, 2021
DST Root CA X3 expiry countdown ISRG/Organizational	103	10177	May 23, 2022

Certificate Chain Confusion

Related topics