Certificate errors on old android tablets

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://communitytablets.cit.coop

My web server is (include version): IIS

The operating system my web server runs on is (include version): WS 2012

We believed we got around the DST Root CA X3 expiry last year using the ISRG Root X1 certificate however we've just been made aware some of the older tablets we have are throwing an untrusted error which I can recreate on a Android 5.1.1 tablet I've got. Reading around I can see there was a cross-signed certificate which I've now installed on our server. That seemed to work for a short while and I was getting excited, however my tablet is now showing the same error again.

Obviously I don't want to bring any sites down so am testing tentatively on our test servers.

This means I now have 3 root certificates on the servers and am after some advice on what course of action to take.

DST Root CA X3 (Issued By: DST Root CA X3) - Exp. 30/09/2021
ISRG Root X1 (Issued By: ISRG Root X1) - Exp. 04/06/2035
ISRG Root X1 (Issued By: DST Root CA X3) - Exp. 30/09/2024

My two intermediates are:

ISRG Root X1 - Exp. 15/09/2025
DST Root CA X3 - Exp. 29/09/2021

Hi @pjblink and welcome to the LE community forum :slight_smile:

I think IIS/Windows would benefit greatly by switching to an alternate CA chain.

2 Likes

I agree with Rudy. Maybe also look at this:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.