
Thread: New GeoTrust SSL certificates and Android users

  1. #1
    joho is offline Loyal Member
    Join Date
    Jan 2009
    Location
    Stockholm, Sweden
    Posts
    96
    Rep Power
    6

    New GeoTrust SSL certificates and Android users

    Since GeoTrust / Thawte decided to have some fun this year and replace their Root CA, handling SSL certificate upgrades/renewals/requests for Tomcat/Apache/Jetty/Zimbra users has become somewhat more painful.

    Apart from being filled with (sometimes) confusing hints on how to solve this, merging a root CA with an intermediate CA, there is very little talk both here and in other places about how to solve the rather burning issue of Android phones not being able to connect to a Zimbra server secured with a new GeoTrust / Thawte certificate.

    The problem is with getting Android to "believe" in the CA presented in these new certificates. There are threads everywhere to the effect of "Simply combine the proper root CA from GeoTrust / Thawte and then add your intermediate CA and then deploy your new certificate" (and Bob's your uncle).

    The only problem is that this doesn't work for Android users.

    IMAP over SSL is not working (certificate error)
    Exchange ActiveSync over SSL is not working (certificate error)

    Are we the only ones that have run into this problem and have not been able to solve it?



    -joho

  2. #2
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16
    Rep Power
    7


    Yup, I too am having this problem. I just updated my VeriSign key to the new-ish VeriSign Class 3 Secure Server CA G2 cert and it poofied my Android phones as well as my Zimbra Desktops. My Zimbra Desktops say that the cert is invalid or not trusted. Once a few of my iPhone people get in I will test those too. Chrome and Firefox are fine and dandy with the new cert.

  3. #3
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16
    Rep Power
    7


    iPhones appear to be just fine with the new cert just like my web browsers. Androids and ZD hate the new cert.

  4. #4
    Chewie71 is offline Trained Alumni
    Join Date
    Sep 2006
    Location
    Illinois
    Posts
    371
    Rep Power
    8


    Ditto. We just put one of the new 2048-bit GeoTrust certs on our Zimbra servers and Android is broken. Just adding myself to this thread...

    Matt

  5. #5
    Chewie71 is offline Trained Alumni
    Join Date
    Sep 2006
    Location
    Illinois
    Posts
    371
    Rep Power
    8


    Possible solution is to install the Cross Root CA from GeoTrust...we haven't tried it yet to know for sure.

    Issue 10807 - android - Root Certificates missing from Android root store - Project Hosting on Google Code

    https://knowledge.geotrust.com/suppo...=1283360269668

    Matt

  6. #6
    Chewie71 is offline Trained Alumni
    Join Date
    Sep 2006
    Location
    Illinois
    Posts
    371
    Rep Power
    8


    Quote: Originally Posted by sae65
        Does this also apply to the 1024 bit certs?

    No....but I don't know if you can get 1024 bit certs from GeoTrust anymore.

    Matt

  7. #7
    sae65 is offline Active Member
    Join Date
    Mar 2009
    Posts
    46
    Rep Power
    6


    Does this also apply to the 1024 bit certs?

  8. #8
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16
    Rep Power
    7


    Just wondering if you guys that are having this problem with Android phones are also having a problem with ZD? ZD now gives me a warning about untrusted certificate but the server and web browsers see no problems. I started a thread under the Zimbra Desktop area: "ZD untrusted Verisign SSL cert".

    I also want to mention that my old cert was a 2048 bit key but I only needed one intermediate cert. Android phones and ZD worked perfectly then. Now I have to have two intermediate certs for things to be happy on the server and in web browsers.

  9. #9
    sae65 is offline Active Member
    Join Date
    Mar 2009
    Posts
    46
    Rep Power
    6


    JaymeH on this thread mentioned that his ZD were no longer working with the new cert.

  10. #10
    Chewie71 is offline Trained Alumni
    Join Date
    Sep 2006
    Location
    Illinois
    Posts
    371
    Rep Power
    8


    Quote: Originally Posted by Chewie71
        Possible solution is to install the Cross Root CA from GeoTrust...we haven't tried it yet to know for sure.

        Issue 10807 - android - Root Certificates missing from Android root store - Project Hosting on Google Code

        https://knowledge.geotrust.com/suppo...=1283360269668

        Matt

    Anyone know where this CrossRoot cert should go? I tried putting it at the top of the commercial_ca.crt file, tried putting it at the bottom of the commercial.crt file....neither of those worked. Tried putting it at the top of the commercial.crt file and then the cert wouldn't even validate so I didn't try to deploy it.

    Should this CrossRoot cert replace the normal root cert in the file....or just slip in next to it? Does the order of the certs in the file matter?

    Matt
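
Added example, not part of any post in this thread: a TLS server is expected to send its certificate first and then, in order, each certificate that issued the one before it, so a quick way to see whether a PEM bundle is in that order is to compare each certificate's issuer with the subject of the next one. The function names and the "Demo" CA names are made up for the example, and the sample bundles are generated locally with openssl; the check compares names only and does not verify signatures or trust.

```shell
#!/bin/sh
# Added example. Checks name chaining only (issuer of cert N == subject of
# cert N+1); it does not verify signatures or trust.

# split_bundle FILE DIR: write each PEM certificate in FILE to DIR/cert-N.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# chain_in_order FILE: exit status 0 if every certificate is followed by its issuer
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    i=1; rc=0
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer | sed 's/^issuer= *//')
        next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        if [ "$issuer" != "$next" ]; then
            echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next'" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_bundles DIR: constructed sample input (made-up "Demo" CA names).
# Writes DIR/ordered.pem (intermediate, root) and DIR/reversed.pem (root, intermediate).
make_demo_bundles() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null || return 1
    cat "$d/int.pem" "$d/root.pem" > "$d/ordered.pem"
    cat "$d/root.pem" "$d/int.pem" > "$d/reversed.pem"
}
```

Running `chain_in_order` on a real CA bundle prints the first position where the issuer and the following subject disagree, which is where a cross-signed certificate placed in the wrong slot would show up.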
