Back in 2010, SSL certificate vendors upgraded their root certificates to 2048-bit keys. This transition was troublesome but generally non-disruptive; most operating system and web server vendors upgraded their root stores and the world went on. However, older browsers likely didn’t have the newer root certificates; in these cases, a web server might need to have particular intermediate certificates installed so that the client can still build a chain to a root it already trusts.
The key here is “older browsers”. That category is generally assumed to be really older browsers, perhaps those long since retired from vendor support. Imagine my surprise to find that a client’s original Motorola DROID, running Android 2.2.3 (FRK76), did not like a newly-installed SSL certificate from Thawte. It seems that this handset, while new and hotly marketed at about the same time as the SSL transition, never received an updated set of root certificates. Android 2.3 was blessed with updated certificates, but 2.2 was not.
After a remarkably tangled path of searching, reading, and deduction, I finally stumbled on the Thawte support page for the intermediate certificates:
Download the Thawte Intermediate CA bundle for SSL Web Server and Thawte Wildcard certificates
This page was also invaluable in verifying that the intermediate certificates resulted in a valid certificate chain:
Thawte SSL Certificate Installation Checker
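To make the failure mode above concrete, here is an added example (my own Ruby using the standard OpenSSL bindings, not code from Thawte or the original post) that builds a throwaway root, intermediate and leaf, then verifies the leaf against a client store that holds only the root: once with the server sending the leaf alone, once with the intermediate bundle included. The CA names, keys and validity window are constructed fixtures; the second check is a local stand-in for the chain validation an installation checker performs against a live server.

```ruby
require "openssl"

# Build a v3 certificate signed by issuer_key (self-signed when no issuer is given).
# These are throwaway fixtures constructed for the example, not real CA certificates.
def make_cert(cn, key, serial:, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  # CA:TRUE is what lets OpenSSL accept the root and intermediate as issuers.
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` the way a TLS client does: `trusted` is the client's root store,
# `served` is whatever extra certificates the server put in its chain. Returns [ok?, reason].
def verify_chain(leaf, trusted, served)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, served)
  [ok, ok ? "ok" : store.error_string]
end

# Reproduce the situation in the post: the client trusts only the root, so the
# server must send the intermediate or the client cannot build the chain.
def demo
  root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert("Example Root CA", root_key, serial: 1, ca: true)
  inter = make_cert("Example Intermediate CA", inter_key, serial: 2, ca: true,
                    issuer: root, issuer_key: root_key)
  leaf  = make_cert("www.example.com", leaf_key, serial: 3, ca: false,
                    issuer: inter, issuer_key: inter_key)
  {
    leaf_only:         verify_chain(leaf, [root], []),       # server sends the leaf alone
    with_intermediate: verify_chain(leaf, [root], [inter]),  # intermediate bundle installed
  }
end

if __FILE__ == $0
  demo.each { |label, (ok, why)| puts "#{label}: #{ok ? 'valid chain' : 'FAIL: ' + why}" }
end
```

The first verification fails with OpenSSL's "unable to get local issuer certificate" style error, which is the same class of failure an old root store produces; the second succeeds only because the intermediate was supplied alongside the leaf.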
Hopefully this blog post will make someone else’s search a little shorter.