Using a Cross Certificate for compatibility with older devices
Overview
Older devices may not support the latest CA root certificates from GlobalSign, which can result in connection issues when accessing secure websites. In such cases, implementing a Cross Certificate provides a workaround by chaining the SSL certificate to an alternate root certificate that is compatible with these older devices. This guide outlines the steps to update your server’s SSL configuration with the Cross Certificate to ensure compatibility with legacy Android devices.
Prerequisites
- Access to the server where the SSL certificate needs to be updated.
Steps to Implement the Cross Certificate
To address compatibility issues on older devices, you can use a Cross Certificate instead of the new CA root certificate when installing AlphaSSL. The procedure for installing the Cross Certificate is similar to the standard CA root certificate installation.
Step 1: Obtain the Cross Certificate
- Download the Cross Certificate from the following link: GlobalSign Cross Certificates.
- Save the Cross Certificate to your local system for further use.
Step 2: Install the Cross Certificate on Your Server
- Log in to your server using SSH or access the server through your control panel.
- Navigate to the directory where your SSL certificates are stored.
- Save the Cross Certificate content into a file, such as cross-certificate.crt.
Step 3: Update the SSL Configuration
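- Open your web server’s SSL configuration file:
  - Apache: /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-available/default-ssl.conf
  - Nginx: /etc/nginx/sites-available/default
- Add the Cross Certificate to the SSL certificate chain. Update your configuration as follows:
  - For Apache:
    # On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; the chain
    # certificates can be appended to the SSLCertificateFile file instead.
    SSLCertificateFile /path/to/your_certificate.crt
    SSLCertificateKeyFile /path/to/your_private_key.key
    SSLCertificateChainFile /path/to/cross-certificate.crt
  - For Nginx:
    # Nginx sends clients only the certificates in the ssl_certificate file, so that
    # file must contain your certificate followed by the Cross Certificate.
    ssl_certificate /path/to/your_certificate.crt;
    ssl_certificate_key /path/to/your_private_key.key;
    # ssl_trusted_certificate is used for OCSP stapling and client certificate
    # verification; its contents are not sent to clients.
    ssl_trusted_certificate /path/to/cross-certificate.crt;
- Save the configuration file.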
Step 4: Restart the Web Server
Restart your web server to apply the updated SSL configuration:
- For Apache:
    sudo systemctl restart httpd
  or
    sudo systemctl restart apache2
- For Nginx:
    sudo systemctl restart nginx
Adding the Cross Certificate in Hosting Control Panels
Add the Cross Certificate in DirectAdmin
- Log in to DirectAdmin with your admin credentials.
- Navigate to Account Manager -> SSL Certificates.
- Click on Paste a pre-generated certificate and key.
- In the Certificate field, paste the existing SSL certificate.
- In the Certificate Authority / Intermediate Certificate field, paste the Cross Certificate.
- Click Save.
Add the Cross Certificate in cPanel
- Log in to cPanel with your credentials.
- Go to SSL/TLS under the Security section.
- Click on Manage SSL Sites.
- Find the domain you want to update and click Update Certificate.
- In the Certificate (CRT) field, paste the existing SSL certificate.
- In the Certificate Authority Bundle (CABUNDLE) field, paste the Cross Certificate.
- Click Install Certificate.
Certificate Chain in Order
When configuring the server, the certificate chain file (ca-bundle) might be arranged in the following order:
-----BEGIN CERTIFICATE-----
[Server-Cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate-CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Cross-Signed-Intermediate-CA]
-----END CERTIFICATE-----
Explanation of Each Part in the Chain
- Server Certificate (Server-Cert): The certificate for the website or service.
- Intermediate CA (Intermediate-CA): The main intermediate certificate in the chain.
- Cross-Signed Intermediate CA (Cross-Signed-Intermediate-CA): A certificate issued by Root-CA that acts as an additional trusted path for devices that recognize Root-CA but may not recognize Intermediate-CA.
Key Points
- New Devices: Devices that trust Intermediate-CA will validate the chain with Server-Cert → Intermediate-CA.
- Older Devices: Devices that only trust Root-CA will use the Cross-Signed-Intermediate-CA, following the chain Server-Cert → Cross-Signed-Intermediate-CA.
This setup provides backward compatibility by creating a valid certificate path for older devices, without replacing any existing root certificates.
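To confirm the ordering described above, the following added example (not part of the original guide) uses the openssl command-line tool to check that every certificate in a PEM file is issued by the one that follows it. The function names and the constructed demo chain are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: check that a PEM chain file is
# ordered leaf-first, meaning each certificate is issued by the one after it.

# Write each certificate in bundle $1 to $2/cert-N.pem and print the count.
# Text outside the BEGIN/END markers (such as s_client output) is skipped.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# Returns 0 if the order is correct, 1 on a broken link or unparsable
# certificate, 2 if the file holds no certificates.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    status=0; i=1
    [ "$count" -gt 0 ] || status=2
    while [ "$i" -le "$count" ]; do
        subject=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject_hash 2>/dev/null)
        if [ -z "$subject" ]; then
            echo "certificate $i cannot be parsed" >&2; status=1
        elif [ "$i" -gt 1 ] && [ "$subject" != "$issuer" ]; then
            echo "certificate $((i - 1)) is not issued by certificate $i" >&2; status=1
        fi
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash 2>/dev/null)
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$status"
}

# Constructed sample data: a throwaway root -> intermediate -> leaf chain
# written to directory $1. The names are made up, not GlobalSign's.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
    for pair in "int:root:Demo Intermediate" "leaf:int:demo.example"; do
        name=${pair%%:*}; rest=${pair#*:}; ca=${rest%%:*}; cn=${rest#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$name.csr" -days 1 -set_serial 2 \
            -CA "$1/$ca.crt" -CAkey "$1/$ca.key" -out "$1/$name.crt" \
            2>/dev/null || return 1
    done
}
```

To test what a server actually sends, save the output of `openssl s_client -connect your-domain:443 -showcerts </dev/null` to a file and pass that file to `check_chain_order`.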
Additional Resources
For more information on cross certificates and their usage, refer to the GlobalSign Cross Certificates Documentation.
Summary
By following these steps, you can ensure that older Android devices, which do not support the new GlobalSign root certificate, will still be able to establish secure connections using the Cross Certificate. This process helps maintain compatibility across a wider range of devices, ensuring a smooth and secure user experience.
For additional assistance or if you encounter any issues, please contact our support team at support@ipserverone.com