Using a Cross Certificate for compatibility with older devices

Overview

Older devices may not support the latest CA root certificates from GlobalSign, which can result in connection issues when accessing secure websites. In such cases, implementing a Cross Certificate provides a workaround by chaining the SSL certificate to an alternate root certificate that is compatible with these older devices. This guide outlines the steps to update your server’s SSL configuration with the Cross Certificate to ensure compatibility with legacy Android devices.

 

Prerequisites

  • Access to the server where the SSL certificate needs to be updated.

 

Steps to Implement the Cross Certificate

To address compatibility issues on older devices, you can use a Cross Certificate instead of the new CA root certificate when installing AlphaSSL. The procedure for installing the Cross Certificate is similar to the standard CA root certificate installation.

Step 1: Obtain the Cross Certificate

  1. Download the Cross Certificate from the following link: GlobalSign Cross Certificates.
  2. Save the Cross Certificate to your local system for further use.

 

Step 2: Install the Cross Certificate on Your Server

  1. Log in to your server using SSH or access the server through your control panel.
  2. Navigate to the directory where your SSL certificates are stored.
  3. Save the Cross Certificate content into a file, such as cross-certificate.crt.

 

Step 3: Update the SSL Configuration

  1. Open your web server’s SSL configuration file:
    • Apache: /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-available/default-ssl.conf
    • Nginx: /etc/nginx/sites-available/default
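  2. Add the Cross Certificate to the SSL certificate chain. Update your configuration as follows:
    • For Apache:
    SSLCertificateFile /path/to/your_certificate.crt
    SSLCertificateKeyFile /path/to/your_private_key.key
    # Deprecated since Apache 2.4.8, where the chain can instead be appended to the SSLCertificateFile file.
    SSLCertificateChainFile /path/to/cross-certificate.crt
    • For Nginx:
    # Nginx sends clients only the certificates in the ssl_certificate file, so this file
    # must contain the server certificate followed by the chain certificates, including the Cross Certificate.
    ssl_certificate /path/to/your_certificate.crt;
    ssl_certificate_key /path/to/your_private_key.key;
    # Used to verify OCSP responses and client certificates; these certificates are not sent to clients.
    ssl_trusted_certificate /path/to/cross-certificate.crt;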
  3. Save the configuration file.

 

Step 4: Restart the Web Server

Restart your web server to apply the updated SSL configuration:

    • For Apache:
    sudo systemctl restart httpd
    or
    sudo systemctl restart apache2
    • For Nginx:
    sudo systemctl restart nginx

 

 

Adding the Cross Certificate in Hosting Control Panels

Add the Cross Certificate in DirectAdmin

  1. Log in to DirectAdmin with your admin credentials.
  2. Navigate to Account Manager -> SSL Certificates.
  3. Click on Paste a pre-generated certificate and key.
  4. In the Certificate field, paste the existing SSL certificate.
  5. In the Certificate Authority / Intermediate Certificate field, paste the Cross Certificate.
  6. Click Save.

Add the Cross Certificate in cPanel

  1. Log in to cPanel with your credentials.
  2. Go to SSL/TLS under the Security section.
  3. Click on Manage SSL Sites.
  4. Find the domain you want to update and click Update Certificate.
  5. In the Certificate (CRT) field, paste the existing SSL certificate.
  6. In the Certificate Authority Bundle (CABUNDLE) field, paste the Cross Certificate.
  7. Click Install Certificate.

 

 

 

Certificate Chain in Order

When configuring the server, the certificate chain file (ca-bundle) might be arranged like this:

-----BEGIN CERTIFICATE-----
[Server-Cert]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[Intermediate-CA]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[Cross-Signed-Intermediate-CA]
-----END CERTIFICATE-----

Explanation of Each Part in the Chain

  • Server Certificate (Server-Cert): The certificate for the website or service.
  • Intermediate CA (Intermediate-CA): The main intermediate certificate in the chain.
  • Cross-Signed Intermediate CA (Cross-Signed-Intermediate-CA): A certificate issued by Root-CA that acts as an additional trusted path for devices that recognize Root-CA but may not recognize Intermediate-CA.

Key Points

  • New Devices: Devices that trust Intermediate-CA will validate the chain with Server-Cert → Intermediate-CA.
  • Older Devices: Devices that only trust Root-CA will use the Cross-Signed-Intermediate-CA, following the chain Server-Cert → Cross-Signed-Intermediate-CA.

This setup provides backward compatibility by creating a valid certificate path for older devices, without replacing any existing root certificates.
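
What the cross certificate changes for a client that holds only the older root, shown with a constructed throwaway PKI (an added example, not part of the original article and not GlobalSign's certificates). It assumes the cross certificate is the new root's name and key re-issued by the older root; all names (Demo Old Root, demo.example, build_demo_pki, trusts) are made up for the demo, and the openssl command-line tool must be installed.

```sh
#!/bin/sh
# Constructed throwaway PKI for illustration; no real GlobalSign certificate is used.

# build_demo_pki <dir>: old root, new root (self-signed, and cross-signed by the
# old root), an intermediate under the new root, and a leaf for demo.example.
build_demo_pki() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'basicConstraints=CA:FALSE' > leaf.ext
    newkey() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
                   -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
    selfsign() { openssl x509 -req -days 2 -in "$1.csr" -signkey "$1.key" \
                   -extfile ca.ext -out "$1.pem" 2>/dev/null; }
    # sign <csr name> <issuer name> <extension file> <output name>
    sign() { openssl x509 -req -days 2 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
                   -CAcreateserial -extfile "$3" -out "$4.pem" 2>/dev/null; }
    newkey oldroot 'Demo Old Root' && selfsign oldroot &&
    newkey newroot 'Demo New Root' && selfsign newroot &&
    sign newroot oldroot ca.ext cross &&      # the cross certificate
    newkey int 'Demo Intermediate CA' && sign int newroot ca.ext int &&
    newkey leaf 'demo.example' && sign leaf int leaf.ext leaf &&
    cat int.pem > chain-plain.pem &&          # chain without the cross certificate
    cat int.pem cross.pem > chain-cross.pem   # chain with it appended
)

# trusts <anchor.pem> <chain.pem> <leaf.pem>: succeeds if a client whose only
# trust anchor is <anchor.pem> accepts the leaf, given the chain the server sends.
trusts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

run_demo() (
    dir=$(mktemp -d) && build_demo_pki "$dir" && cd "$dir" || exit 1
    for anchor in newroot oldroot; do
        for chain in chain-plain chain-cross; do
            if trusts "$anchor.pem" "$chain.pem" leaf.pem; then r=accepted; else r=REJECTED; fi
            echo "client trusting $anchor, server sends $chain: $r"
        done
    done
)
run_demo
```

Only the combination of the old root with the chain that lacks the cross certificate is rejected; appending the cross certificate fixes that case without affecting clients that already trust the new root.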

 

Additional Resources

For more information on cross certificates and their usage, refer to the GlobalSign Cross Certificates Documentation.

 

 

 

Summary

By following these steps, you can ensure that older Android devices, which do not support the new GlobalSign root certificate, will still be able to establish secure connections using the Cross Certificate. This process helps maintain compatibility across a wider range of devices, ensuring a smooth and secure user experience.

For additional assistance or if you encounter any issues, please contact our support team at support@ipserverone.com