Why does my certificate work in Chrome but not on mobile?

Mobile devices often have different trusted root certificate stores. Missing intermediate certificates cause failures on some devices but not others.

Should I still support TLS 1.2?

Yes. TLS 1.3 is preferred but TLS 1.2 is still needed for older clients. Disable TLS 1.0 and 1.1 which have known vulnerabilities.

HTTP SSL/TLS Handshake Errors — Certificate and Protocol Failures

Critical5xx server error

Overview

Fix SSL/TLS handshake errors including certificate expired, self-signed certificate, protocol version mismatch, and cipher suite negotiation failures.

Key Details

The TLS handshake establishes encryption before any HTTP data is exchanged
Common TLS versions: TLS 1.2 (widely supported) and TLS 1.3 (latest, faster handshake)
Certificate errors prevent the handshake from completing — browser shows a security warning
Cipher suite mismatch occurs when client and server have no common encryption algorithm
Certificate chain must include all intermediate certificates — missing intermediates cause errors on some devices

Common Causes

SSL certificate expired — certificates are valid for 1 year (previously 2 years)
Self-signed certificate not trusted by the client's certificate store
Missing intermediate certificate in the server's certificate chain
Server only supports TLS 1.0/1.1 which modern browsers have deprecated
Cipher suite mismatch between client and server (e.g., server only supports weak ciphers)

Steps

1Check certificate status: openssl s_client -connect example.com:443 -servername example.com
2Verify the full certificate chain: ssllabs.com/ssltest provides detailed analysis
3Renew expired certificates: use certbot for Let's Encrypt or your CA's renewal process
4Install intermediate certificates: concatenate server cert + intermediate cert in the correct order
5Enable TLS 1.2 and 1.3: disable TLS 1.0 and 1.1 for security compliance
6Use modern cipher suites: prioritize ECDHE and AES-GCM, disable RC4 and 3DES