We use RapidSSL as our SSL certificate authority for our servers and recently came across problems when we renewed them; this note might be useful for others in a similar position.
A number of SSL Certificate Authorities have moved to signing certificates with new 2048-bit keys. The one major problem is that the new CA certificates aren't trusted by many existing devices, because those devices pre-date them. For operating systems (Mac/Windows etc.) or software this is easily remedied by a patch, update or new version. Devices like mobile phones would need a new firmware update, which is not something that happens overnight, if at all.
With our new RapidSSL certificate, we unknowingly switched from an existing 1024-bit CA certificate to a new 2048-bit one; the desktop email client and web browser took it all in their stride, but not the email client on my Android phone (an HTC Desire).
Email chats with the SSL certificate supplier pointed me towards setting up a Certificate Authority chain file on the server, so that the Android device could obtain the new certificates from the server itself. While technically this was the right approach, the key fact missing from the information was that the chain file had to have its contents in a particular order.
For our RapidSSL certificate, this meant:
[RapidSSL Intermediate certificate]
[Equifax Cross Root certificate]
[Equifax Root certificate]
Drop these into a single text file, then point each server at it: Apache using the 'SSLCACertificateFile' directive, the Cyrus email server using the 'tls_ca_file' directive, and finally Postfix using the 'smtpd_tls_CAfile' directive.
With the contents of the file in the wrong order, the Android phone would complain when connecting to the secure website and give a 'Network Error' message when talking to the mail server - useful. Sort the file into the right order and the messages go away.
The first two can be downloaded together (in the right order!) from here; the third can be obtained from here. Append the files together and make sure the -----BEGIN CERTIFICATE----- line of one certificate and the -----END CERTIFICATE----- line of the previous one are not joined together on a single line.
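As an added example (not the author's script), a POSIX shell helper that concatenates the certificate files in the order given above, adds the trailing newline whose absence joins END and BEGIN markers, and uses openssl to confirm that each certificate in the resulting file was issued by the one after it. The file names are placeholders for your own CA bundle files.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a CA chain file in the order described
# (intermediate, cross root, root) and verify each certificate is issued by the one after it.
# Needs the openssl command-line tool; the file names passed in are placeholders.

# build_chain OUTFILE CERT1 CERT2 ... : concatenate PEM files in the given order, adding
# a newline to any file that lacks one so END and BEGIN markers never share a line.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        if [ -n "$(tail -c1 "$f")" ]; then echo >> "$out"; fi
    done
}

# check_chain CHAINFILE : return 0 if certificate N is issued by certificate N+1 for every
# adjacent pair in the file, otherwise report each mismatch and return 1.
check_chain() {
    chain=$1
    if grep -q -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$chain"; then
        echo "chain error: END and BEGIN markers are joined on one line" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    # split the bundle into cert-1.pem, cert-2.pem, ... preserving file order
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$chain"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    status=0
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain error: certificate $i is not issued by certificate $((i + 1))" >&2
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$status"
}

# usage: sh chain.sh chain.pem intermediate.pem cross-root.pem root.pem
if [ "$#" -ge 2 ]; then build_chain "$@" && check_chain "$1"; fi
```

Run it against the assembled file before deploying; a non-zero exit means the order is wrong or two markers have been fused.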