Overview Users Self-signed Admins Cross-signed OpenSSL  Home
Q.:  My users complain about unknown-issuer warnings. How do I solve this ?
A.:  Do you remember the 5 roots known to Ericsson/Nokia? With Internet Explorer, Firefox, and Safari, one might not notice any issue at all. Although online test-tools exist (Qualys, Microsoft), which one checks for legacy roots? Please, have a look at my small collection of cross-signing intermediate certificates. Install the path (chain) for your identity certificate. If your authority is missing, ask them for a cross-signing certificate. Do not forget to send me a copy so everyone benefits from your effort. For more explanations, see this example and this paper (chapters 4 and 5.2).

Q.:  No cross-signing certificate available, which authority to choose from ?
A.:  The mentioned roots belong to Entrust and DigiCert (VeriSign, thawte, Equifax, and GTE CyberTrust). GlobalSign and Sectigo (AddTrust) are within the top-ten roots. AddTrust was not supported till Symbian^3 released in 2011. GlobalSign was not supported till Symbian/S60 3rd Edition Feature Pack 2. Even those have an expired version. If you go for AddTrust or GlobalSign, you would miss phones like Nokia E71 and Nokia E72. Although old, those are still used here in Western Europe. If you go for Go Daddy (ValiCert), you are going to miss the Ericsson Java-Platform sold till 2011. Some phones came with an expired version of GTE CyberTrust; Android 2.1 did not come with Baltimore CyberTrust. Although mobile phones are phased out after two years here in Western Europe, developing countries are much slower in replacing those. For example, Windows Phone 7 is still sold today: no AIA to fetch intermediates and a limited set of authorities …

Q.:  How to double check my installation ?
A.:  Nokia E71, Ericsson Naite, and the free tool OpenSSL …