
Resolving issues with Android and Comodo SSL on IIS server

by Alex Yumashev · Sep 24 2016

This is a technical post for developers whose Comodo SSL certificates on IIS web servers sometimes trigger "non-secure" warnings in the mobile Chrome browser on Android devices (and sometimes on Macs), while everything works perfectly on desktop computers and iOS. We've had this issue in the past: some of the customers who use the hosted helpdesk app were complaining about similar problems.

We use the IIS web-server from Microsoft (see "my startup is Microsoft-based, here's why"), and a little bit of googling showed I was not the only one with this problem. Many people are experiencing weird stuff with IIS certificates working fine on PCs and (most) Macs, but not on Android devices.

I fought with this problem for a while and finally figured out a solution that I'd like to share.

But first...

How SSL certificates work and what is a "chain"?

See, a certificate "confirms" that your server is legit. The organization that issued you this certificate has, in turn, been certified by another, "higher level" organization, and so on (these organizations are called certification authorities, or CAs), until it all goes up to the "root" certification authority. So a certificate is never just the certificate that holds your server's public key for encryption; it also comes with a "chain" that looks like this:

Root CA -> Intermediate CA -> Intermediate CA2 -> Server Certificate

The "Root CA" here is one that is known by all computers, browsers and operating systems: its certificate ships in their built-in trust stores.

Ideally, a web-server should serve the whole chain, just in case your computer is not "familiar" with some of the intermediate CAs in it. But sometimes a web-server serves an incomplete, or alternative, chain that might look like this:

Root CA -> Intermediate CA2 -> Server Certificate

See, one element is missing... This can happen, for example, if an intermediate certificate has been signed by several root authorities (it is "cross-signed"), and the web-server has picked the wrong one.

This is still OK for the majority of browsers and operating systems, because they are usually "familiar" with the missing CA. But some are not, and that's why we see warnings in some browsers.

IIS is not serving the full certificate chain

If an IIS server sees multiple "root" certificates in the "trusted root store" (a special place where the Windows operating system keeps certificates), it might serve an alternative chain, because it assumes that if a certificate is in the "trusted store", everyone should "know" it. Which is still OK for most modern browsers and operating systems, but not for others.

Strangely, the solution is to remove some root certificates from the "trusted roots" store on Windows and put them into the "intermediate" store instead (yes, I know, removing something sounds scary, but you can always add them back via Windows Update).

So in my case, with "COMODO" certificates, you should download all intermediate certificates from here and install them into the "intermediate" store. Then remove ALL the certificates that have "COMODO" in their name from the "trusted root" store, like "COMODO RSA Certification Authority" etc. Again: everything that has "Comodo" in the name. Then restart IIS. Also, make sure you have disabled automatic certificate updates on Windows, so it won't restore them.

Comodo has published an article on this, by the way: here. But it's kinda incomplete: you should remove ALL Comodo certs from the trusted store, not just the one mentioned in the article.

To add/remove certificates on Windows, run "mmc", then click "File" - "Add/remove snap-in" - "Certificates" - "Computer account" - "Local machine". The "trusted" and "intermediate" stores are on the left.
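As an added example (not from the original post), here is a PowerShell check you can run before and after moving the certificates: it lists the COMODO certificates in the trusted-root and intermediate stores, then prints the chain Windows builds for the site certificate, which is the chain IIS serves to clients (without the anchor). It assumes the site certificate is in the Local Machine personal store and uses 'example.com' as a placeholder for a fragment of its subject name.

```powershell
# Added example, not part of the original post: show which COMODO certificates
# sit in each LocalMachine store, then build the chain Windows will pick for the
# site certificate. IIS sends that chain (minus the anchor) to clients, so this
# is a before/after check for the store changes described above.
# Assumption: the site certificate is in LocalMachine\My; 'example.com' is a
# placeholder for a fragment of its subject name.
$SubjectFragment = 'example.com'

# 1. COMODO certificates per store: 'Root' is the trusted-root store,
#    'CA' is the intermediate store. After the fix, 'Root' should list none.
foreach ($storeName in 'Root', 'CA') {
    Write-Host "--- LocalMachine\$storeName ---"
    Get-ChildItem "Cert:\LocalMachine\$storeName" |
        Where-Object { $_.Subject -match 'COMODO' } |
        ForEach-Object { Write-Host ("  {0}  [{1}]" -f $_.Subject, $_.Thumbprint) }
}

# 2. Build the chain for the site certificate using the same machinery IIS uses.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $SubjectFragment } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectFragment' in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Path selection is what matters here, so skip online revocation lookups.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

Write-Host "--- Chain built for $($cert.Subject) ---"
$elements = @($chain.ChainElements)
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    $role = if ($i -eq 0) { 'LEAF' } elseif ($i -eq $elements.Count - 1) { 'ANCHOR' } else { 'INTERMEDIATE' }
    Write-Host ("  {0} {1}: {2}" -f $i, $role, $c.Subject)
    Write-Host ("       issued by: {0}" -f $c.Issuer)
}

# 3. The anchor is the element Windows treats as the root and IIS does NOT send.
#    If it is a COMODO certificate, clients that only trust a root above it
#    (the "missing element" from the post) will show a warning.
$anchor = $elements[-1].Certificate
if ($anchor.Subject -match 'COMODO') {
    Write-Warning "Chain anchors at '$($anchor.Subject)'; IIS will not serve anything above it."
} else {
    Write-Host "Chain anchors at a non-COMODO root; IIS will serve the intermediates beneath it."
}
```

Run it in an elevated PowerShell on the IIS host; after restarting IIS, the anchor should no longer be a COMODO certificate.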