Problem

Android mobile phones running a version prior to 2.2 return this error when attempting to establish a secure connection: "This certificate is not from a trusted authority"

Cause

Android mobile phones running versions prior to 2.2 appear to contain only a limited number of CA root certificates for VeriSign, Thawte and GeoTrust.

Solution

Google is aware of this issue: Android mobile devices (pre-2.2 versions) ship with a limited number of CA root certificates for VeriSign, Thawte and GeoTrust. According to Google's forum, additional VeriSign, Thawte and GeoTrust roots will be included in a future release of the Android OS.

GeoTrust offers a cross root CA certificate that is available below. The GeoTrust cross root certificate allows your issued SSL server certificate to chain up to the old "Equifax Secure Certificate Authority" root, which is already included in Android OS mobile devices. To resolve this issue on mobile devices, perform the following steps.

Step 1: Obtain GeoTrust Cross Root CA

  1. Copy the GeoTrust Cross Root below and paste it into a text editor such as Notepad. DO NOT use Microsoft Word.
  2. Save the file as Cross_Root.cer on your server in a location you can remember.

Step 2: Adding the Certificates Snap-in MMC:

If you do not have Certificates snap-in installed in your server's Microsoft Management Console (MMC), you'll need to install it before proceeding. Follow the instructions here to install the Certificates snap-in in the MMC.

Step 3: Install the GeoTrust Cross Root CA Certificate

For Microsoft IIS 5.0, 6.0 and 7.0

  1. Using the Console, double-click on Intermediate Certification Authorities from the right pane
  2. Right-click on Certificates from the right pane and select All Tasks > Import to open the Certificate Import Wizard
  3. Click Next
  4. Specify the location of the Cross_Root.cer file obtained from Step 1 by clicking Browse
  5. Click Next
  6. By default, it will place the certificate in the Intermediate Certification Authorities store. Keep this selection and click on the Next button.
  7. Click Finish
  8. A message will appear confirming the successful import of the certificate. Click OK
  9. Keep the Console open

Step 4: Check for and Disable the GeoTrust Global CA

  1. Using the open Console, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
  2. Locate the following certificate:

    Issued to: GeoTrust Global CA
    Issued by: GeoTrust Global CA
    Valid from: 5/20/2002 to 5/20/2022
    Serial number: 02 34 56


     
  3. If this certificate is present, it must be disabled. Right-click the certificate and select Properties.
  4. In the Certificate purposes section, select Disable all purposes for this certificate, then click OK


     
  5. Close MMC - there is no need to save console settings.
  6. Once this is done, restart your IIS service. The error message should be resolved when you access your website.
    Note: In some cases the changes may not take effect after restarting IIS services and a reboot is needed.

Step 5: Verify certificate installation

  1. Stop and start your Web server prior to any testing
    Note: In some cases the changes may not take effect after restarting IIS services and a reboot is needed.
  2. To verify the SSL certificate installation, use the GeoCerts Certificate Checker

Note: Sometimes, even when the intermediate certificates are installed correctly and in the correct certificate store, Microsoft IIS servers still do not send the correct chain to the client. If so, export the certificate from the Personal store in the MMC as a .pfx file, choosing to "include all certificates in the certification path" during the export, then re-import the .pfx file into the Personal store. Make sure to assign the certificate to the website in IIS again after the import. This links all the required intermediate and root certificates and allows the server to send the correct chain.
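
A way to run the Step 5 check from any machine that has the openssl command-line tool, as an added example that is not part of the original article: it classifies the chain the server actually sends, which is the failure the note above describes. The function names and the sample chains (www.example.test, Example Issuing CA) are constructed for illustration.

```shell
# Classify the chain printed by `openssl s_client -showcerts` (added example).
# chain_status reads that output on stdin and prints one of:
#   cross-root-sent        GeoTrust Global CA issued by the Equifax root is sent
#   self-signed-root-sent  GeoTrust Global CA is sent, but as the self-signed root
#   global-ca-missing      no GeoTrust Global CA certificate in the sent chain
chain_status() {
  awk '
    # Subject lines: " 2 s:/C=US/.../CN=X" (OpenSSL 1.0) or " 2 s:C = US, ..., CN = X" (1.1+)
    /^ *[0-9]+ s:/ { subj = $0; next }
    /^ *i:/ {
      if (subj ~ /CN ?= ?GeoTrust Global CA *$/) {
        if ($0 ~ /Equifax Secure Certificate Authority/) cross = 1
        else if ($0 ~ /CN ?= ?GeoTrust Global CA *$/) selfsigned = 1
      }
      subj = ""
    }
    END {
      if (cross) print "cross-root-sent"
      else if (selfsigned) print "self-signed-root-sent"
      else print "global-ca-missing"
    }'
}

# fetch_chain HOST [PORT]: live capture; needs network access and the openssl CLI.
fetch_chain() { openssl s_client -connect "$1:${2:-443}" -showcerts </dev/null 2>/dev/null; }

# Constructed sample: chain after the fix (names other than the two CAs are made up).
sample_fixed() { cat <<'EOF'
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=GeoTrust Inc./CN=Example Issuing CA
 1 s:/C=US/O=GeoTrust Inc./CN=Example Issuing CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
EOF
}

# Constructed sample: IIS still omitting the cross root (OpenSSL 1.1+ line format).
sample_broken() { cat <<'EOF'
 0 s:C = US, O = Example Corp, CN = www.example.test
   i:C = US, O = GeoTrust Inc., CN = Example Issuing CA
 1 s:C = US, O = GeoTrust Inc., CN = Example Issuing CA
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
EOF
}

if [ -n "${1:-}" ]; then fetch_chain "$@" | chain_status
else sample_fixed | chain_status; sample_broken | chain_status; fi
```

Run it with a host name as the first argument to test a live server; any result other than cross-root-sent means the server is not sending the chain this article sets up.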

Please contact our support team if you have any additional problems or questions.

Jan 18, 2018 Scott Rogers