
Configure CA Certificate to be installed in Android

I have a custom SSL Root CA for the web and I want to be able to install it on Android devices. If I download it, it says "No certificate to install". How can I configure the certificate to work using OpenSSL or another tool? I have done some googling and some sites say that I should convert it to a .pfx, but this involves giving the user my private key and ruining the security.

If you want to add your certificate to the Android KeyChain (it is possible since ICS), you need to provide an X509Certificate (.crt, .pem, etc.) or PKCS12 (.pfx) file.

You have to call the install intent from the KeyChain class.

According to documentation: http://developer.android.com/reference/android/security/KeyChain.html#createInstallIntent()

Returns an Intent that can be used for credential installation. The intent may be used without any extras, in which case the user will be able to install credentials from their own source.

Alternatively, EXTRA_CERTIFICATE or EXTRA_PKCS12 may be used to specify the bytes of an X.509 certificate or a PKCS#12 key store for installation. These extras may be combined with EXTRA_NAME to provide a default alias name for credentials being installed.

When used with startActivityForResult(Intent, int), RESULT_OK will be returned if a credential was successfully installed, otherwise RESULT_CANCELED will be returned.

However

In my opinion, what you really want to do is to include your X509Certificate along with your application so you can establish a secure SSL connection without user knowledge, which will work on all devices.

In order to do that, you will have to put your X509Certificate in the application (as a PEM string, .crt file, .der file or inside a BouncyCastle KeyStore) and initialize an SSLContext with it. After you do that, you can get an SSLSocketFactory which you can use with your HTTP client.

More information about that: https://developer.android.com/training/articles/security-ssl.html
