Fix Trust Issues with Android Devices on Windows Server 2008 R2

Some users of Windows Server 2008 R2 may have noticed a problem with their certificates not being accepted by Android devices. This article will explain why this happens and what to do to fix it.

What’s Causing This Issue?
How Do I Fix It?

What’s Causing This Issue?

This issue arises because Windows Server 2008 R2 automatically adds a self-signed ‘USERTrust RSA Certification Authority’ certificate to the server’s Trusted Root store. This is not recommended, since not all browsers and devices consider that self-signed certificate a trusted CA root. (You will, however, find a ‘USERTrust RSA Certification Authority’ entry as part of the intermediate bundle for certificates provided to you by SSL.com; that one is signed by AddTrust rather than self-signed.) This is why visitors to your site using Android devices in particular (and possibly other visitors as well) will have received untrusted-site warnings.

How About a Graphic?

Sure! Take a look at this chart to see the items installed to make your SSL.com certificate work correctly:

WinServer2008R2_Android_Trust_01


The Root store contains the AddTrust External CA Root certificate. (This is the root for SSL.com certificates.)

The Intermediate store has two certificates:

  1. A USERTrust RSA Certification Authority certificate (signed by AddTrust), and
  2. Your SSL.com DV CA.

The Personal store will contain your server certificate.


Windows Server 2008 R2 automatically manages trusted certificates and may insert a separate, self-signed USERTrust item without any action on your part – thus, your server might well have this configuration:

WinServer2008R2_Android_Trust_02

In this case, the Root store also contains a self-signed certificate (the USERTrust RSA Certification Authority entry) which is the “root” of the problem. (Thanks, I’m here all week – try the shrimp scampi.)

Okay – So How Do I Fix This?

It’s actually quite easy to correct this issue – just disable the self-signed USERTrust certificate in the root store using your Microsoft Management Console (or MMC). This will allow the certificate that was signed by AddTrust to be accepted and utilized for your SSL.com certificate.

Here’s how:

1. Open MMC by pressing the Windows key on your keyboard and then typing “MMC”…

W2008R2_Android_Fix_01

…then hit Enter or double-click the icon to start the application.

W2008R2_Android_Fix_02

2. In MMC, select File > Add/Remove Snap-In (or press Ctrl+M).

W2008R2_Android_Fix_03

3. Add the “Certificates” Snap-In.

W2008R2_Android_Fix_04

4. Select “Computer Account” and click the Next button…

W2008R2_Android_Fix_05

…then select “Local computer”, then the Finish button.

W2008R2_Android_Fix_06

5. Click OK to close the Add/Remove Snap-In wizard.

6. In the MMC, click the arrow next to “Certificates (Local Computer)” to reveal the various certificate stores, then click the arrow next to “Trusted Root Certification Authorities”, and finally click the “Certificates” folder.

W2008R2_Android_Fix_08

7. In the list of certificates, look for an entry named “USERTrust RSA Certification Authority” whose ‘Issued By’ column shows that same name (in other words, the self-signed copy).

W2008R2_Android_Fix_09

8. Right-click the “USERTrust RSA Certification Authority” entry and select “Properties” from the dropdown menu.

9. In the Properties panel, select “Disable all purposes for this certificate”, then click Apply to implement the changes and OK to close the panel.

W2008R2_Android_Fix_10

10. Now restart your Windows Server 2008 R2 to have your changes take effect.
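To confirm the store layout before and after the fix without clicking through MMC, here is an added, read-only PowerShell check (not part of the original article or of any SSL.com tooling). It lists any self-signed USERTrust entry in Trusted Root, confirms the AddTrust-signed USERTrust intermediate is present, and builds the chain for each server certificate in the Personal store so you can see which root it terminates at; it assumes an elevated prompt on the server and the standard Cert:\LocalMachine store paths.

```powershell
# Added example (not from the original article). Read-only: it reports the
# certificate stores and chain path; the fix itself is the MMC procedure above.
# Run in an elevated PowerShell prompt on the Windows Server 2008 R2 machine.

$usertrust = 'USERTrust RSA Certification Authority'
$addtrust  = 'AddTrust External CA Root'

# 1. Self-signed USERTrust entries in Trusted Root (Subject equals Issuer).
#    Any hit here is the entry the article says to disable.
$selfSigned = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$usertrust*" -and $_.Subject -eq $_.Issuer }
foreach ($c in $selfSigned) {
    Write-Host ("Self-signed USERTrust in Trusted Root: thumbprint {0}, expires {1}" -f $c.Thumbprint, $c.NotAfter)
}
if (-not $selfSigned) { Write-Host 'No self-signed USERTrust entry in Trusted Root.' }

# 2. The cross-signed USERTrust intermediate (issued by AddTrust) belongs in the
#    Intermediate store; this is the copy that should be used when building the chain.
$cross = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*$usertrust*" -and $_.Issuer -like "*$addtrust*" }
if ($cross) { Write-Host 'Cross-signed USERTrust (issued by AddTrust) found in Intermediate store.' }
else        { Write-Host 'WARNING: cross-signed USERTrust intermediate is missing from Intermediate store.' }

# 3. Build the chain for each server certificate (one with a private key) in the
#    Personal store and show where it ends. After the fix, the last element
#    should be AddTrust External CA Root rather than the self-signed USERTrust.
foreach ($srv in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-path check only, no CRL/OCSP lookups
    [void]$chain.Build($srv)
    Write-Host "Chain for $($srv.Subject):"
    foreach ($el in $chain.ChainElements) { Write-Host "  -> $($el.Certificate.Subject)" }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -like "*$addtrust*") {
        Write-Host '  OK: chain terminates at AddTrust External CA Root.'
    } else {
        Write-Host '  Chain does not end at AddTrust; Android clients may still show an untrusted-site warning.'
    }
}
```

Run it once before disabling the self-signed entry and once after the restart; the chain in step 3 should change from ending at the self-signed USERTrust to ending at AddTrust.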

That’s it. Let us know if you have any problems by emailing us at Support@SSL.com.