I have a .pkcs12 certificate, and after installing it on an Android (5.0) device it is listed under Settings->Security->Trusted credentials->User tab.
With the help of the code below I am able to list all the certificates, including the ones in the System tab under Trusted credentials, but I want only User certificates.
KeyStore keystore = KeyStore.getInstance("AndroidCAStore");
I want to list out only user certificates and show it to user.
Thanks,
Vinod
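One way to restrict that listing to user-installed CAs, as an added example that is not part of the original post: aliases in the AndroidCAStore keystore are prefixed with "user:" for user-added certificates and "system:" for the built-in roots. The class and method names are illustrative, and the fingerprint output is added so that an unexpected trust anchor can be identified.

```java
// Added example, not from the original post. UserCaAudit and its methods are illustrative names.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class UserCaAudit {
    // User-installed CAs carry this alias prefix; built-in roots use "system:".
    private static final String USER_PREFIX = "user:";

    /** Returns one line per user-installed CA: subject, expiry, SHA-256 of the DER encoding. */
    public static List<String> listUserCas() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null); // this keystore takes no stream and no password
        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!alias.startsWith(USER_PREFIX)) {
                continue; // skip the System tab entries
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) {
                continue; // entry disappeared between aliases() and getCertificate()
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            report.add(cert.getSubjectX500Principal().getName()
                    + " | expires " + cert.getNotAfter()
                    + " | sha256 " + toHex(digest));
        }
        return report;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```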
Related
I want to make sure I understand which Certificate Authorities are really trusted by Google Chrome so I can implement similar logic in my custom browser using WebView. I followed these steps:
Open Settings.
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.” This will display a list of all trusted certs on the device.
The list is alphabetical and Sectigo RSA Extended Validation Secure Server CA is not there. However, when I start Google Chrome and navigate to https://sectigo.com/ the browser shows that their certificate is OK. Any idea why?
We are using user certificates for authentication from our mobile application to an F5 server. We have tested the process using a test certificate that we installed and created a keystore to use in creating our SSLContext object. For production we are using an MDM to dynamically create and install the user certificate onto an Android device. This I believe is placing the certificate into the /data/misc/keystore location. The problem we are facing is that we cannot access this user certificate and create an SSLContext with it.
In our testing we have verified that the certificate is on the device by installing Open VPN for Android. The certificate shows up under Android Certificates in Open VPN but requires the user to select it (this is not an option for our application, we need to grab the certificate programmatically).
Everything we have found either deals with CA certs (which we can access), or having the .cer or .pfx file and installing and creating the keystore like we were doing with our test certificate.
Is there a way to access user installed certificates to use in creating an SSLContext?
Our Android version is 4.1.2 (API 16).
We are new to Android development and any guidance would be appreciated.
Thanks,
Mike
In order to access user credentials stored on the device keystore, you need to get a permission from the user.
Specifically, you need to call one of the KeyChain.choosePrivateKeyAlias() methods (see the KeyChain documentation).
Once you have the alias (you'll get it in the KeyChainAliasCallback), you can use (from an Activity or Service):
PrivateKey key = KeyChain.getPrivateKey(this, alias);
X509Certificate[] chain = KeyChain.getCertificateChain(this, alias);
How about using something like:
SSLContext sslContext = SSLConnections.getSSLContext(keyStoreFile, keyStoreFilePassword);
httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory());
Also you can take a look in this link
I had created an app which would internally generate a key pair and use the same to encrypt/decrypt some sample data.
Now my requirement is to use the key pair from an installed certificate on the device to encrypt/decrypt.
To try this I had installed a test certificate which I downloaded from some site. When I installed the certificate, I got message saying that certificate was installed successfully. But I am unable to find that certificate in
Settings→Security→Trusted credentials→System/User.
I don't know whether the certificate really got installed or not.
So I would like to know what is the correct procedure to install a digital certificate on an Android device with 4.1.2 android OS.
So I would like to know what is the correct procedure to install a digital certificate on an Android device with 4.1.2 android OS
From Android Help Center, Working with Certificates:
Install client & CA certificates
To install a certificate from your device's internal storage:
Copy the certificate or key store from your computer to the root of your device's internal storage (that is, not in a folder).
Go to Settings > Personal > Security > Credential storage > Install from storage.
Touch the filename of the certificate or keystore to install. Only certificates that you haven't already installed are displayed.
If prompted, enter the key store password and touch OK.
Enter a name for the certificate and choose either VPN and apps or Wi-Fi in the credential use menu, and touch OK.
Work with CA certificates
Touch Settings > Personal > Security > Credential storage > Trusted credentials. The trusted credentials screen has two tabs:
System displays certificate authority (CA) certificates that are
permanently installed in the ROM of your phone.
User displays any CA certificates that you have installed yourself,
for example in the process of installing a client certificate.
To examine the details of CA certificate, touch its name. A scrolling screen displays the details.
To remove or disable a CA certificate, scroll down to the bottom of the details screen and touch either Disable for system certificates or
Remove for user certificates.
When you disable a system CA certificate, the button at the bottom of
its details screen changes to Enable, so you can enable the
certificate again if necessary. When you remove a user-installed CA
certificate, it is gone permanently and must be re-installed if you
want it back.
In the confirmation dialog that appears, touch OK.
My objective:
Create an EAP WiFi configuration - including the CA Certificate - in Android programmatically.
Problem:
How do I install a CA Certificate programmatically (and then reference that certificate in the EAP WiFi configuration)?
I found a very useful link already that allows me to create and save EAP WiFi configurations here:
How to programmatically create and read WEP/EAP WiFi configurations in Android?
However this assumes that you have already installed the CA Certificate on the device. I would like to install the certificate within my app - either from the resources in the app, or sent from a server.
Is this even possible? (Rooting is not an option in this case.)
If so, how?
Additional info...
I also found a way to add a certificate to a KeyStore:
https://stackoverflow.com/a/4490543/1172101
However this is used specifically for creating a secure socket and connecting via HTTPS. I want to use the certificate for WiFi.
Unfortunately, I have yet to find a way to install a CA Certificate programmatically - from within the app.
However, it is possible to install a certificate via the Web browser in Android. Thus, the solution (for now) is to:
Launch an intent to open a URL in the Web browser that goes directly to the CA certificate.
This works but there are some challenges:
The user must name the certificate. This is a challenge because we are adding the WiFi configuration programmatically. Thus we have to ask the user to give the certificate the same name.
The user must enter a password. If they don't have a password set up, the user will create one and enter it twice. If they have set a security password, the user will have to remember that same password and enter it.
Assuming the user successfully completes these steps, he is left hanging in the browser.
This leads to a few questions:
From my app, is there a way to force a name for the certificate that the user installs via the browser?
From my app, is there any way to know when the certificate installation has completed and then give focus back to my app?
Just let me know if you need any clarification.
You cannot install it directly since non-system applications don't have access to the key store. On ICS, there is an API for this, KeyChain.createInstallIntent(), that would launch a system dialog asking the user whether they want to install the certificate. On pre-ICS you can achieve the same thing by launching the install intent using the component name directly (this may or may not work on all devices though). Going through the browser is actually a roundabout way of doing the same thing.
As for your questions:
You cannot specify/force a name. Why do you care about the actual name?
Not really through the browser. If you use the system intent, you can return to your activity and will get a callback if you use startActivityForResult().
Update: Android 4.3 has WifiEnterpriseConfig which both creates a profile and installs keys and certificates in the system credential store. You only need the CHANGE_WIFI_STATE permission.
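A sketch of the WifiEnterpriseConfig route mentioned in the update, as an added example that is not part of the original answer: the CA certificate is parsed from a stream supplied by the app and attached to the profile, so no separate certificate installation or naming step is involved. The class name, method name and parameters are hypothetical, PEAP/MSCHAPv2 is an assumed EAP setup, and only calls available from API 18 are used.

```java
// Added example, not from the original thread. EapProfileInstaller and its parameters are hypothetical.
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class EapProfileInstaller {
    /**
     * @param caStream   PEM or DER CA certificate, e.g. opened from the app's resources
     * @param serverName expected name in the RADIUS server certificate subject
     * @return the network id from WifiManager.addNetwork(), or -1 on failure
     */
    public static int addPeapNetwork(WifiManager wifi, InputStream caStream, String ssid,
                                     String identity, String password, String serverName)
            throws CertificateException {
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(caStream);

        WifiEnterpriseConfig eap = new WifiEnterpriseConfig();
        eap.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        eap.setIdentity(identity);
        eap.setPassword(password);
        // Pin the issuing CA so credentials are only sent to a server whose
        // certificate chains to it. Throws IllegalArgumentException if not a CA cert.
        eap.setCaCertificate(ca);
        // Server name check available on API 18; deprecated from API 23 in favour of
        // setAltSubjectMatch() / setDomainSuffixMatch().
        eap.setSubjectMatch(serverName);

        WifiConfiguration config = new WifiConfiguration();
        config.SSID = "\"" + ssid + "\""; // SSIDs are stored quoted
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        config.enterpriseConfig = eap;
        // Requires the CHANGE_WIFI_STATE permission.
        return wifi.addNetwork(config);
    }
}
```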
I am currently looking to solve the same issues. The best thing that I have found is KeyChain.choosePrivateKeyAlias() allowing the user to select which certificate to use for the SSL. From there you can retrieve the Alias name and pass it to the enterprise wifi configuration.
I'm looking for the same... as for your question, #Nikolay:
you cannot specify/force a name. Why do you care about the actual name?
The EAP profile needs the name of the already-installed-CA. If you look at the example in part 4, you can specify:
final String ENTERPRISE_CA_CERT = "";
In the example, the profile does not use the CA name, but that could be the case for other EAP profiles.
How do you use a .p12 certificate on Android?
I tried adding it at Menu/Settings/Location and security.
When I do this the certificate disappears from the SD card but when I go to the website that needs the .p12-certificate I just get a connection error.
The certificate, password, and URL are all good. I triple checked them.
I am not the only one with this issue, right? My colleagues with iPad / iPhone can use it easily but on Android it's a pain in the ass. They just double click on the .p12 file, give certificate password, and they are set.
How come it's not like this on Android?
Make sure you copy the certificates to root of SD card.
Click on Settings->Location & Security/Security->Install from SD card (scroll down -> Credential Storage).
Select the certificate.
Things have changed since the last answer in 2011. I'm doing this from an emulated Pixel 2 running Android R (version 10).
It's now possible to install the certificate from a download or from a google drive. The difference is trivial.
Installation
Settings->Security->Advanced->Encryption & credentials->Install a certificate
Here you'll select the type of certificate you want to install. In my case it's a CA certificate (Certificate Authority) which I use to test some systems.
At this point you'll get a warning screen. It's kind of important as the entire basis of your device's security relies on the integrity of your certificates. If this is messed up, your device will have to be wiped to be secure again.
But I assume you know what you're doing.
Tap Install anyway.
You're taken to a screen with files in your Downloads directory. You can scroll around to see the possibilities. You can also click on the hamburger icon in the top left to reveal more options, such as listing your google drive account.
Tap on the certificate file you want to install
You may see a popup dialog asking you for the password to extract certificates. Hopefully the entity that supplied you with the certificate also gave you a password.
Type in the password and cross your fingers.
If all is well you'll get a Toast saying that the certificate was installed.
Verification
You can view the certificates you have installed via the following path:
Settings->Security->Advanced->Encryption & credentials->Trusted credentials and then clicking the USER tab.
Removing a certificate is as simple as tapping on it and then tapping the Remove button.
To import the certificate, all I had to do was to use the My Files app (or any app that allows you to browse your filesystem), and then click on the p12 file. Once the certificate was imported, the apps requiring it for log-in prompted the option of using it.