Serve long chain X3 to support older clients

We use older Android clients (<7.1.1) that do not work anymore with the X1 certificate. PreferredIssuer is set to null.
The certificate was created with the acme-win client (v2.1.19) and used in IIS. It only serves the short chain (->R3->X1), though.
I would like to have the long chain (->R3->X1->DST Root CA X3) served as well, to support the older devices. Any idea?

The long chain you want is the current default, for the exact purpose of supporting older Android devices like you want. I don't know why your client did not use that.

You can manually update your server to serve that chain -- the EndEntity/LeafCertificate is compatible with the long chain's keys.

1 Like

I tried to create the certificate with different settings (also setting the PreferredIssuer), but it didn't work out. With the default PreferredIssuer null, the certmgr shows the R3 and X1 (created by X3) alongside my certificate, which still only shows and serves the short path. How do I update it so that it serves the long chain?

1 Like

If this is Windows Server/IIS, you want to read this:

1 Like

Thanks. Seems like IIS doesn't want to serve invalid certificates (X3) if there is a valid certificate (X1).
The workaround of moving the X1 to the untrusted store has some limitations, so the application did not work properly anymore; hence I switched to another CA.

2 Likes
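To make the short-chain versus long-chain point in this thread concrete, here is an added example (not from the thread or from any Let's Encrypt tooling). It builds a toy PKI with the same shape as the hierarchy discussed above: a leaf issued by "R3", R3 issued by "X1", and X1 existing twice with the same subject and key, once self-signed and once cross-signed by the old root "X3". All names and keys are constructed look-alikes, the toy X3 is not expired, and nothing here touches a real server; it only shows why a client whose trust store knows only X3 validates the served chain when the cross-signed X1 is included (long chain) and fails when the server stops at R3 (short chain), while a client that trusts X1 accepts either. It assumes `openssl` (1.1.1 or newer) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Toy PKI shaped like the Let's Encrypt
# hierarchy; every certificate below is a constructed look-alike.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Key + CSR for one toy CA or leaf. $1 = short name, $2 = subject CN.
mk_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

build_toy_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

    mk_csr x3   "Toy DST Root CA X3"   # old root that legacy clients trust
    mk_csr x1   "Toy ISRG Root X1"     # current root
    mk_csr r3   "Toy R3"               # intermediate
    mk_csr leaf "example.test"         # end-entity certificate

    # X3: self-signed old root.
    openssl x509 -req -in x3.csr -signkey x3.key -days 365 \
        -extfile ca.ext -out x3.pem 2>/dev/null
    # X1 twice with the same subject and key: self-signed, and cross-signed by X3.
    openssl x509 -req -in x1.csr -signkey x1.key -days 365 \
        -extfile ca.ext -out x1-self.pem 2>/dev/null
    openssl x509 -req -in x1.csr -CA x3.pem -CAkey x3.key -CAcreateserial \
        -days 365 -extfile ca.ext -out x1-cross.pem 2>/dev/null
    # R3 is issued by X1; the leaf is issued by R3.
    openssl x509 -req -in r3.csr -CA x1-self.pem -CAkey x1.key -CAcreateserial \
        -days 365 -extfile ca.ext -out r3.pem 2>/dev/null
    openssl x509 -req -in leaf.csr -CA r3.pem -CAkey r3.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

    # What a server would send: the short chain stops at R3,
    # the long chain additionally carries the cross-signed X1.
    cat leaf.pem r3.pem > short.pem
    cat leaf.pem r3.pem x1-cross.pem > long.pem
}

# check_chain <trusted root pem> <served chain pem>: prints OK or FAIL,
# i.e. whether a client with only that root could validate the leaf.
check_chain() {
    if openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_toy_pki
echo "client trusting only X3, short chain: $(check_chain x3.pem short.pem)"
echo "client trusting only X3, long chain:  $(check_chain x3.pem long.pem)"
echo "client trusting X1,      short chain: $(check_chain x1-self.pem short.pem)"
echo "client trusting X1,      long chain:  $(check_chain x1-self.pem long.pem)"
```

The same `openssl verify -CAfile <root> -untrusted <chain> <leaf>` check is a useful way to test a chain file before deploying it: point `-CAfile` at the root an old client actually trusts and confirm that the exact set of certificates your server sends is enough for that client to build a path.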
