We've seen something like this before, when Sectigo was dealing with a root cert that was close to expiring -- they decided to rotate around some intermediate certs 'to make it easy', which worked for some devices, but ended up causing heartache for about a year for Android devices that didn't regularly receive updates.
The path of least resistance is to get a new SSL cert from one of the major players and not use the company that generated your cert for a while. This is a 'them' problem that is becoming a 'you' problem. Certs from Verisign, Namecheap, GoDaddy, etc. are all well supported and work across all devices.
If you don't want to go that route, you can push the intermediate cert to Android devices. It will involve either an MDM solution on each phone or you walking each user through the 5-step process (email the cert, have them save it to the device, have them go to the security settings and import it as a trusted cert).
------------------------------
Nick Kwiatkowski
Director of Design and Engineering
Michigan State University
East Lansing MI
------------------------------
Original Message:
Sent: 03-23-2023 10:45 AM
From: Timika Franklin
Subject: Workplace and Android
We have run into an issue with Workplace when trying to configure Workplace on an Android phone via a URL and manual configuration. Regardless of how we try to configure Workplace on an Android phone, we continue to get a certificate error. Our vendor has determined that it is an intermediate certificate issue with the trust store, and when we manually installed the certificate, we were able to get it to work. Below is an explanation of the issue from our vendor.
Per the vendor – The intermediate certificate is included in your certificate bundle on AADS, but it was missing from the trust store on the Android, unlike iOS where those public certs seem to exist in the iOS trust store already. The only cert those trust stores don't have is the actual public cert you had signed, but the iOS trust store should contain the root & intermediate of the different public internet providers like GoDaddy, GlobalSign, Verisign, etc. Apparently the Android was missing this intermediate, so you guys must manually install that in the trust store of the Android like we did on Friday. Without the root CA & intermediate, it won't be able to initially negotiate the certs that the SBC has & AADS tells it to get additionally when using https/443.
Any help that you might be able to provide would be much appreciated. This is an issue as we can't have every Android user across multiple state agencies install a certificate manually to get Workplace operational.
------------------------------
Timika Franklin
Customer Service Manager
State of MS - Dept of Information Technology Services
Jackson MS
------------------------------