CA chain seems incomplete on domain added recently. "Issuer: GTS Root R4". The CA "GTS Root R4" should be included

The newly added domain has the universal SSL issued, but cert isn’t trusted in some mobile devices. We observed the cert has only intermediate CA “GTS CA 2P2” but has no “GTS Root R4” in the chain.


Welcome to the Cloudflare Community. :logodrop:

A root CA certificate should not be sent from the server. It needs to already exist in the client device trust store.

Comparing to a domain that added recently and to domain added a year ago,
the cert chain for the new domain does not include the root CA, which some older devices have problem validate it.


The certificate chain should never* include the root certificate. If the root CA certificate is not known to the client and trusted, sending it will not change that. For any device to trust a certificate signed by the GTS CA 2P2 intermediate CA, it must know and trust the GTS Root R4 CA certificate. If the device does not have that root CA certificate in its store, you will need to consult the operating system for guidance on adding the GTS Root R4 CA certificate to the trusted store.

* I am not referring to cross-signed certificates like the one used in the Let’s Encrypt long chain that is simultaneously an intermediate and a root. Even in that circumstance, though, the cross-signed certificate is being sent due to its role as an intermediate CA.

1 Like

The problem here is that the GTS Root certs are cross-signed with GlobalSign to allow them to work on older devices and now that Cloudflare has stopped including the GTS Root cert in the chain devices running Android 9 for example won’t trust the new certs.