Overview Users Self-signed Admins Cross-signed OpenSSL  Home
Q.:  What is this site about ?
A.:  To exchange data securely, you have to trust the other party. To trust, you must know that party. Because you cannot know all webservices on the Internet, a chain-of-trust was introduced: You trust your web-browser manufacturer and he trusts so called certificate-authorities (CA). Out of these CAs, your webservice administrator chooses one and asks for an identity certification of himself. That CA creates a certificate which the administrator installs, the trust anchor. Now, the trouble starts:

  1. Web-browsers trust a limited set of CAs. Microsoft, Mozilla, and Apple trust more that 100 CAs. Ericsson and Nokia, their intersection contains 5 CAs.
  2. Microsoft and Apple fetch the latest CAs while you surf. All others use a fixed set of certificates (trust store) only you can update yourself.
  3. Since the year 2010, CAs introduce new self-signed certificates (root) because many existing ones would expire around 2020. In this transition phase to stay compatible with the existing root store of your mobile phone, CAs introduce a certificate between the legacy root of the CA and the identity certificate of your webservice, called a cross-signed intermediate certificate. That new root is added by your Web-browser manufacturer to its trust store. The compatible cross-signed intermediate certificate chaining up to the legacy root should be installed by your webservice administrator (until the legacy root expires in around 2020).
  4. Mozilla caches intermediate certificates while you surf on other webpages. Microsoft and Apple scan a field of the certificate itself to find the intermediate certificate (AIA). Your mobile phone does neither.
Now, you know the causing. Let’s go for the solution …