+1. Eventually, as devices age, you'd need to upgrade them unfortunately.
If you want macOS older support, probably using acme.sh client and switching to ZeroSSL SSL certificate might help as it has a cross signed AAA Certificate Services CA root certificate which was added to macOS 10.4 so old enough to support it. That's one suggestion I have for my users, switch to ZeroSSL https://blog.centminmod.com/2021/10/02/2425/centmin-mod-managing-letsencrypt-dst-root-ca-x3-certificate-expiration-on-centos-7/
The USERTrust RSA/ECC and COMODO RSA/ECC CA roots were added to the following devices since:
Apple :
- macOS Sierra 10.12.1 Public Beta 2
- iOS 10
Microsoft :
- Windows XP (via Automatic Root Update; note that ECC wasn’t supported by Windows until Vista)
- Windows Phone 7
Mozilla :
- Firefox 3.0.4 (COMODO ECC Certification Authority)
- Firefox 36 (the other 3 roots)
Google :
- Android 2.3 (COMODO ECC Certification Authority)
- Android 5.1 (the other 3 roots)
Oracle :
- Java JRE 8u51
Opera :
- [Browser release on December 2012]
360 Browser :
- SE 10.1.1550.0 and Extreme browser 11.0.2031.0
And the cross-signed AAA Certificate Services root provides compatibility to older devices:
- Apple iOS 3.
- Apple macOS 10.4.
- Google Android 2.3.
- Mozilla Firefox 1.
- Oracle Java JRE 1.5.0_08.