Untrusted Certificate Error on Android

May 25, 2018 in Windows and Certificate FAQ

Certificate is not installed correctly; the certificate needs to be chained back to the Addtrust root certificate in order to be trusted on the Android.

The issue is that the Windows server is not presenting the complete certificate chain; clients which do not have the complete certificate chain will result in this error as encountered on the Android phone. In order to resolve this, on the server which this certificate is installed on, please open the MMC (Microsoft Management Console), and add the certificate snap-in for the computer account on the local computer.

In the Intermediate Certification Authorities folder, verify if the Sectigo RSA Domain Validation Secure Server CA and Sectigo RSA Certification Authority(issued to Sectigo RSA Certification Authority, issued by AddTrustExternal CA Root) are installed in this certificate store.

In the Trusted Root Certification Authorities folder verify if the AddTrustExternal CA Root is installed. Also, if you see the Sectigo RSA Certification Authority (issued to and issued by Sectigo RSA Certification Authority with an expiration date of January 18, 2038) is present, if it is please delete this certificate.

  • If any of these certificates are missing the intermediate and root certificates were provided to you in the .zip file when the certificate was issued, or are available via this support article -
  • If you had to delete the Sectigo RSA Certification Authority from the Trusted Root Authorities folder, you will also need to disable automatic root certificate updates on the server -

If you have performed these steps and the certificate chain has not updated on the server, to force IIS to update the certificate chain you will need to either change the certificate binding in IIS to another certificate, and then switch the certificate bindings to the correct certificate. Alternately, you will need to restart the server.