New GeoTrust SSL certificates and Android users

[joho]

Since GeoTrust / Thawte decided to have some fun this year and replace their Root CA, handling SSL certificate upgrades/renewals/requests for Tomcat/Apache/Jetty/Zimbra users have become somewhat more painful.

Apart from being filled with (sometimes) confusing hints on how to solve this, merging a root CA with an intermediate CA, there is very little talk both here and in other places about how to solve the rather burning issue of Android phones not being able to connect to a Zimbra server secured with a new GeoTrust / Thawte certificate.

The problem is with getting Android to "believe" in the CA presented in these new certificates. There are threads everywhere to the effect of "Simply combine the proper root CA from GeoTrust / Thawte and then add your intermediate CA and then deploy your new certificate" (and Bob's your uncle).

The only problem is that this doesn't work for Android users.

IMAP over SSL is not working (certificate error)
Exchange ActiveSync over SSL is not working (certificate error)

Are we the only ones that have run into this problem and not having been able to solve it?



-joho

[JaymeH]

Yup, I too am having this problem. I just updated my Verisgn key to the new-ish VeriSign Class 3 Secure Server CA G2 cert and it poofied my android phones as well as my Zimbra Desktops. My Zimbra Desktops say that the cert is invalid or not trusted. Once a few of my iphone people get in I will test those too. Chrome and Firefox are fine and dandy with the new cert.

[JaymeH]

Iphones appear to be just fine with the new cert just like my web browsers. Androids and ZD hate the new cert.

[Chewie71]

Ditto. We just put one of the new 2048 bit Geotrust certs on our Zimbra servers and Android is broken. Just adding myself to this thread...

Matt

[Chewie71]

Possible solution is to install the Cross Root CA from Geotrust...we haven't tried it yet to know for sure.

Issue 10807 - android - Root Certificates missing from Android root store - Project Hosting on Google Code

https://knowledge.geotrust.com/suppo...=1283360269668

Matt

[Chewie71]

Quote:

Originally Posted by sae65

Does this also apply to the 1024 bit certs?

No....but I don't know if you can get 1024 bit certs from Geotrust anymore.

Matt

[sae65]

Does this also apply to the 1024 bit certs?

[JaymeH]

Just wondering if you guys that are having this problem with andriod phones are also have a problem with ZD? ZD now gives me a warning about untrusted certificate but the server and web browsers see no problems. I started a thread under the Zimbra Desktop area. ZD untrusted Verisign SSL cert

I also want to mention that my old cert was a 2048 bit key but I only needed one intermediate cert. Android phones and ZD worked perfectly then. Now I have to have two intermediate certs for things to be happy on the server and in web browsers.

[sae65]

JaymeH on this thread mentioned that his ZD were no longer working with the new cert.

[Chewie71]

Quote:

Originally Posted by Chewie71

Possible solution is to install the Cross Root CA from Geotrust...we haven't tried it yet to know for sure.

Issue 10807 - android - Root Certificates missing from Android root store - Project Hosting on Google Code

https://knowledge.geotrust.com/suppo...=1283360269668

Matt

Anyone know where this CrossRoot cert should go? I tried putting it at the top of the commercial_ca.crt file, tried putting it at the bottom of the commercial.crt file....neither of those worked. Tried putting it at the top of the commercial.crt file and then the cert wouldn't even validate so I didn't try to deploy it.

Should this CrossRoot cert replace the normal root cert in the file....or just slip in next to it? Does the order of the certs in the file matter?

Matt