Legacy Client Compatibility Cross-Signed Root Certificates

ZeroSSL's certificates are widely trusted by all modern clients, and the default certificate chain that we include in the "ca_bundle.crt" file makes sure of that. However, certain legacy operating systems and clients might not be able to verify certificates that are delivered with the default chain. If you serve such clients, we provide additional cross-signed root CA certificates that you can add to your certificate chain to make your certificate verifiable by them. Wherever possible we advise upgrading your clients, as using end-of-life systems poses various security threats.

Compatibility for the default chain

If you serve any of the following or newer operating systems or clients, you don't have to do anything:


  • macOS Sierra 10.12.1 Public Beta 2
  • iOS 10


  • Windows XP (via Automatic Root Update; note that ECC wasn't supported by Windows until Vista)
  • Windows Phone 7


  • Firefox 3.0.4 (for ECC certificates / private keys)
  • Firefox 36 (for RSA certificates / private keys)


  • Android 2.3 (for ECC certificates / private keys)
  • Android 5.1 (for RSA certificates / private keys)


  • Java JRE 8u51


  • [Browser release on December 2012]

360 Browser:

  • SE 10.1.1550.0 and Extreme browser 11.0.2031.0

Cross-signed root CA compatibility

For any operating system or client older than those in the list above, you can gain compatibility by adding the cross-signed root CA to your chain. Adding the cross-signed certificate will give you compatibility with the following operating systems/clients:

  • Apple iOS 3
  • Apple macOS 10.4
  • Google Android 2.3
  • Mozilla Firefox 1
  • Oracle Java JRE 1.5.0_08

Installation of the cross-signed root CA

  • Default: For standard RSA certificates and private keys please download the following cross-signed certificate: https://crt.sh/?d=1282303295
  • ECC: For ECC-based certificates (only available via custom CSRs) please download the following cross-signed certificate: https://crt.sh/?d=1282303296

After downloading the appropriate cross-signed root certificate above, you have to add it to your chain. When you download your certificate from ZeroSSL, you receive a ZIP file that contains three files, one of which is named "ca_bundle.crt". Open ca_bundle.crt in your favorite text editor and paste the contents of the cross-signed root CA file that you just downloaded at the end of the ca_bundle.crt file.

The result should look like this:

After saving the file you can proceed to install your certificate as normal.
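
The same append step can be scripted instead of done in a text editor. The following is an added example, not ZeroSSL's own code: the function names and the file name cross.crt are assumptions, and the demo files are constructed placeholders rather than real certificates. It refuses input that is not exactly one PEM certificate, keeps a backup of the original chain, avoids the glued "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line that results when ca_bundle.crt has no trailing newline, and does not append the same certificate twice.

```shell
#!/bin/sh
# Added example, not ZeroSSL's code. Function and file names are assumptions.

# Print one line per PEM certificate in file $1: its base64 body, CR/blank-free.
cert_bodies() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t]/, ""); body = body $0 }'
}

# Number of complete certificates in file $1.
count_certs() { cert_bodies "$1" | wc -l | tr -d ' '; }

# End file $1 with a newline so the next BEGIN marker starts on its own line.
ensure_newline() {
    if [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
}

# append_cross_signed BUNDLE CROSS
# Returns 0 (appended or already present), 2 (file missing), 3 (CROSS is not one PEM cert).
append_cross_signed() {
    acs_bundle=$1; acs_cross=$2
    if [ ! -f "$acs_bundle" ] || [ ! -f "$acs_cross" ]; then
        echo "bundle or cross-signed file not found" >&2; return 2
    fi
    if [ "$(count_certs "$acs_cross")" -ne 1 ]; then
        echo "$acs_cross: expected exactly one PEM certificate" >&2; return 3
    fi
    # Idempotent: do nothing if the bundle already contains this certificate.
    if cert_bodies "$acs_bundle" | grep -qxF -- "$(cert_bodies "$acs_cross")"; then
        return 0
    fi
    cp -p "$acs_bundle" "$acs_bundle.bak"        # keep the original chain
    ensure_newline "$acs_bundle"
    tr -d '\r' < "$acs_cross" >> "$acs_bundle"   # normalise CRLF downloads
    ensure_newline "$acs_bundle"
}

# Demo on constructed placeholder files (the bodies are not real certificates).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQQ==' '-----END CERTIFICATE-----' > "$d/ca_bundle.crt"
    printf '%s\r\n%s\r\n%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQg==' '-----END CERTIFICATE-----' > "$d/cross.crt"
    append_cross_signed "$d/ca_bundle.crt" "$d/cross.crt" || return 1
    count_certs "$d/ca_bundle.crt"
    rm -rf "$d"
}
echo "certificates in demo bundle: $(demo)"
```

On a real bundle, `openssl crl2pkcs7 -nocrl -certfile ca_bundle.crt | openssl pkcs7 -print_certs -noout` lists the subject and issuer of every certificate in the file, which confirms the cross-signed certificate is the last entry.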

ACME Certificates

Certificates issued via ACME automatically contain the cross-signed certificate and should ensure maximum compatibility.
