GeoTrust Cross Root Install on Windows Servers


Your Android mobile device returns this error when attempting to establish a secure connection with Android Mobile phones prior to version 2.2 "This certificate is not from a trusted authority"


Android mobile phones that are pre version 2.2 appear to only contain a limited number of CA root certificates for VeriSign, Thawte and GeoTrust.


Google is aware of this issue for Android mobile devices (pre 2.2 version) with limited number of CA root certificates for VeriSign, Thawte and GeoTrust. According to Google's forum, additional VeriSign, Thawte and GeoTrust roots will be included in a future release of the Android OS.

GeoTrust offers a cross root ca that is available below. The GeoTrust cross root cert allows your issued SSL server certificate to chain up to the old "Equifax Secure Certificate Authority" root which is already included in Android OS mobile devices. To resolve this issue on mobile devices, perform the following steps.

Step 1: Obtain GeoTrust Cross Root CA

  1. Copy the GeoTrust Cross Root below and past it into a text editor such as notepad. DO NOT use Microsoft Word
  2. -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  3. Save the file as Cross_Root.cer on your server in a location you can remember.

Step 2: Adding the Certificates Snap-in MMC:

If you do not have Certificates snap-in installed in your server's Microsoft Management Console (MMC), you'll need to install it before proceeding. Follow the instructions here to install the Certificates snap-in in the MMC.

Step 3: Install the GeoTrust Cross Root CA Certificate

For Microsoft IIS 5.0, 6.0 and 7.0

  1. Using the Console, double-click on Intermediate Certification Authorities from the right pane
  2. Right-click on Certificates from the right pane and select All Tasks > Import to open the Certificate Import Wizard
  3. Click Next
  4. Specify the location of theCross_Root.crt file obtained from Step 1 by clicking Browse
  5. Click Next
  6. By default, it will place the certificate in the Intermediate Certification Authorities store. Keep this selection and click on the Next button.
  7. Click Finish
  8. A message will appear confirming the successful import of the certificate. Click OK
  9. Keep the Console open

Step 4: Check for and Disable the GeoTrust Global CA

  1. Using the open Console, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
  2. Locate the following certificate:

    Issued to: GeoTrust Global CA
    Issued by: GeoTrust Global CA
    Valid from: 5/20/2002 to 5/20/2022
    Serial number: 02 34 56

  3. If this certificate is present, it must be disabled. Right click the certificate, select Properties.
  4. In the Certificate purposes section, select Disable all purposes for this certificate, then click OK

  5. Close MMC - there is no need to save console settings.
  6. Once this is done restart your IIS service and the error message should be resolved when you access your website.
    Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.

Step 5: Verify certificate installation

  1. Stop and start your Web server prior to any testing
    Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.
  2. To verify the SSL certificate installation, use the GeoCerts Certificate Checker

Note: There are times when even if the intermediate certificates are installed correctly and in the correctly certificates store, yet the Microsoft IIS Servers still are not sending the correct chaining to the client. If so, export the certificate from the MMC, personal store as a .pfx file. Choose to "include all certificates in the certification path" during the export. then reimport the .pfx file back into the personal store. Make sure to assign the certificate to the website in IIS again after the import. This would link all the required intermediates and root certificate and allow the server to send the correct chain.

Please contact our support team if you have any additional problems or questions.

Jan 18, 2018 Scott Rogers