I tested ISRG root certs with Android 6: it doesn't cache the intermediate

Apparently Android Chrome doesn’t cache the intermediate, or doesn’t use it for the cross-sign:
https://valid-isrgrootx1.letsencrypt.org/ shows a certificate error on Android 6.
I followed the link to that subdomain from https://letsencrypt.org/certificates/ , and its cert still chains to the DST root,
so if Android caches, it surely saw that cert.
Importing the ISRG root cert manually fixed that, but that causes a “Network may be monitored” warning.

Hi,

It’s not that Android 6 isn’t caching the intermediate certificate signed by the ISRG root; it’s because the ISRG root was not included (officially) in the Android Project until Android 7.1.1. (Some manufacturers might have issued CA patches to update older Android devices, but it seems that the device you are using isn’t updated.)

The Android Open Source Project added ISRG Root X1 to Android 7.1.1 Release 15 (Feb 2, 2017) Change Log

All devices that aren’t receiving security patches (with up-to-date CA cert stores) and have an Android version below 7.1.1 will show a certificate warning when browsing any website that uses an ISRG-root-signed TLS certificate. That’s the reason why you might need to update your intermediate/chain file to use the DST chain. (Or we could sit there and hope those manufacturers will update their old Android devices.)

Thank you

I think what @orangepizza means is that Android 6 is not caching the intermediate certificate signed by the DST root, because after visiting a website using the intermediate certificate signed by the DST root and then a website using the intermediate certificate signed by the ISRG root, the last one is not working. (If it were using a cached intermediate, it could have used the intermediate certificate signed by the DST root on the last website, allowing the connection without error.)

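The situation the thread describes, as an added example that is not part of the original posts: a constructed toy PKI built with the openssl CLI (all names such as "Toy DST Root", "Toy ISRG Root" and the leaf CN are made up), where one intermediate key is cross-signed by two roots and a client that trusts only the older root validates the leaf only when the server sends the intermediate issued by that root.

```shell
#!/bin/sh
# Constructed toy PKI (all names made up) modelling the thread's situation:
# one intermediate key cross-signed by two roots, and a client (e.g. an old
# Android trust store) that knows only the older "DST" root.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
selfsign() { openssl req -x509 -new -key "$1" -subj "$2" -days 30 -out "$3"; }

# Two roots: the old, widely trusted one and the newer one.
newkey dst_root.key;  selfsign dst_root.key  "/CN=Toy DST Root"  dst_root.pem
newkey isrg_root.key; selfsign isrg_root.key "/CN=Toy ISRG Root" isrg_root.pem

# One intermediate key and subject, issued twice: this is the cross-sign.
newkey int.key
openssl req -new -key int.key -subj "/CN=Toy Intermediate" -out int.csr
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign\n' > ca.ext
for root in dst isrg; do
  openssl x509 -req -in int.csr -CA ${root}_root.pem -CAkey ${root}_root.key \
    -CAcreateserial -days 30 -extfile ca.ext -out int_by_${root}.pem 2>/dev/null
done

# Leaf certificate, signed with the intermediate key (either intermediate
# cert is a valid issuer for it, since both carry the same subject and key).
newkey leaf.key
openssl req -new -key leaf.key -subj "/CN=valid-isrgrootx1.example" -out leaf.csr
openssl x509 -req -in leaf.csr -CA int_by_dst.pem -CAkey int.key \
  -CAcreateserial -days 30 -out leaf.pem 2>/dev/null

# verify_chain ROOT INTERMEDIATE: validate leaf.pem as a client that trusts
# only ROOT (system CA directory disabled) and is handed INTERMEDIATE by the
# server, with nothing cached. Prints "ok" or "fail".
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "old client, server sends DST-signed intermediate:  $(verify_chain dst_root.pem int_by_dst.pem)"
echo "old client, server sends ISRG-signed intermediate: $(verify_chain dst_root.pem int_by_isrg.pem)"
echo "new client, server sends ISRG-signed intermediate: $(verify_chain isrg_root.pem int_by_isrg.pem)"
```

The second line is the Android 6 case: the leaf itself is fine, but without the cross-signed intermediate in the served chain (or a cached copy of it) the old client has no path to a root it trusts.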
