In 2025, some users reported issues when creating a connection in the TimeTrak App and errors when attempting to log in.

From the investigation and testing of the issue, found that Sectigo (the Certificate Authority of the SSL certificate) released a new root certificate — Sectigo Public Server Authentication Root R46 — as part of their planned security lifecycle updates.
This root was issued in late September 2024, meaning any SSL certificates issued or renewed after that date now chain up to R46.

Why Did This Cause Problems?

Older devices — specifically Android 10 (late September builds) and below — do not have the R46 root in their trusted certificate store.
When these devices connect, they cannot complete the SSL trust chain because they don’t recognise R46, resulting in a failed handshake.

The Solution

After reviewing Sectigo’s documentation, found a cross-signed intermediate chain that links R46 to an older, widely trusted root (USERTrust RSA Certification Authority).
This allows the SSL chain to validate on both modern and older devices.

Previously, the chain looked like this:

Leaf Certificate (yourdomain.com) 
   → Intermediate CA 
      → R46 Root Certificate 

It should be updated it to:

Leaf Certificate (yourdomain.com) 
   → Intermediate CA 
      → R46 Root Certificate 
         → USERTrust RSA Certification Authority (legacy trusted root) 

By updating the server’s certificate bundle to include this cross-signed chain, all devices — including older Android versions — can now complete the SSL handshake successfully.

Impact
Modern devices: No impact — they already trust R46 and complete the handshake as before.
Older devices: Fixed — they can now connect without SSL errors.

For more information on this, please contact our team on support@timetrak.co.nz