Q.:
What is this site about?
A.:
To exchange data securely, you have to trust the other party. To trust a party, you must know it. Because you cannot know every webservice on the Internet, a chain of trust was introduced: you trust your web-browser manufacturer, and it trusts so-called certificate authorities (CAs). Your webservice administrator chooses one of these CAs and asks it to certify the identity of the webservice. That CA, the trust anchor, issues a certificate which the administrator installs. Now the trouble starts:
- Web-browsers trust a limited set of CAs. Microsoft, Mozilla, and Apple each trust more than 100 CAs. Ericsson and Nokia: their intersection contains 5 CAs.
- Microsoft and Apple fetch the latest CAs while you surf. All other clients use a fixed set of certificates (the trust store) that only you can update yourself.
- Since 2010, CAs have been introducing new self-signed certificates (roots) because many existing ones expire around 2020. To stay compatible with the existing trust store of your mobile phone during this transition phase, CAs issue a certificate that sits between the CA's legacy root and the identity certificate of your webservice, called a cross-signed intermediate certificate. The new root is added by your web-browser manufacturer to its trust store. The compatible cross-signed intermediate certificate, which chains up to the legacy root, should be installed by your webservice administrator (until the legacy root expires, around 2020).
- Mozilla caches intermediate certificates while you surf on other webpages. Microsoft and Apple read a field of the certificate itself (AIA) to find the intermediate certificate. Your mobile phone does neither.
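The chain-building problem described in the list above, as an added example that is not part of this site's own material: the script builds a toy PKI with the openssl command line (the CA names, lifetimes and file names are all constructed for the example) and then verifies the server certificate once with the new root in the trust store, once with only the legacy root, with and without the cross-signed intermediate, and once after the legacy root has expired.

```shell
#!/bin/sh
# Added example, not from the original page: build a toy PKI that mirrors the
# situation described above (a legacy root, a new root, a cross-signed
# intermediate and a server certificate), then verify the server certificate
# the way different clients would. All names, files and lifetimes are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_root <prefix> <CN> <days>: self-signed root certificate plus private key.
make_root() {
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -days "$3" -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_root legacy  "Example Legacy Root CA" 100   # the only root the old phone knows; expires soon
make_root newroot "Example New Root CA"   3650  # shipped in the desktop browser's trust store

# Cross-signed intermediate: the NEW root's key and subject, signed by the LEGACY root.
# This is the certificate the webservice administrator has to install next to the leaf.
openssl req -new -config req.cnf -key newroot.key -subj "/CN=Example New Root CA" -out cross.csr 2>/dev/null
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
openssl x509 -req -in cross.csr -CA legacy.pem -CAkey legacy.key -set_serial 1000 \
  -days 1825 -sha256 -extfile ca.ext -out cross.pem 2>/dev/null

# Server (leaf) certificate, issued under the new root's key.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
EOF
openssl x509 -req -in leaf.csr -CA newroot.pem -CAkey newroot.key -set_serial 2000 \
  -days 365 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain <trust store> [intermediate sent by the server] [unix time of the check]
# Prints OK when the leaf chains up to the trust store, FAIL otherwise.
verify_chain() {
  store=$1; sent=${2:-}; at=${3:-}
  set -- -CAfile "$store"
  if [ -n "$sent" ]; then set -- "$@" -untrusted "$sent"; fi
  if [ -n "$at" ];   then set -- "$@" -attime "$at";     fi
  if openssl verify "$@" leaf.pem 2>/dev/null | grep -q 'leaf.pem: OK'; then
    echo OK
  else
    echo FAIL
  fi
}

# A point in time after the legacy root has expired but the leaf is still valid.
FUTURE=$(( $(date +%s) + 200 * 86400 ))

echo "desktop browser (new root in store), no intermediate sent: $(verify_chain newroot.pem)"
echo "old phone (legacy root only), no intermediate sent:        $(verify_chain legacy.pem)"
echo "old phone, cross-signed intermediate sent:                  $(verify_chain legacy.pem cross.pem)"
echo "old phone, cross-signed intermediate, after legacy expiry:  $(verify_chain legacy.pem cross.pem "$FUTURE")"
echo "desktop browser, after legacy expiry:                       $(verify_chain newroot.pem "" "$FUTURE")"
```

The `-CAfile` argument stands in for a client's fixed trust store and `-untrusted` for the intermediates a server sends in its TLS handshake; `openssl verify` does not follow AIA, so it behaves like the mobile phone in the list above. The failing case is exactly the one where the administrator did not install the cross-signed intermediate, and the last two lines show why that workaround only lasts until the legacy root expires.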
Now you know the cause. Let's go for the solution …