Android Client Certificate Support

The Green Screens Terminal Mobile app fully supports client-side certificates. However, you may still run into certificate problems, and this post explains the most common causes and how to handle them.

Self-signed Certificates Misconception

First, we need to clear up one misconception. We are often asked "Are self-signed certificates supported?". A certificate is a certificate, whether it is self-signed or not; the file format and the cryptography are identical. If an application supports client certificates, it will work with either kind. The only real difference is who signed it and, therefore, whether the device already trusts the signer.

So why do people ask this question?

A certificate has to be signed by some other certificate (a signing certificate). One certificate can sign another, which can sign another, and so on. The most important one is the first in that chain, the root certificate, which is always self-signed and is technically no different from a certificate you generate yourself with a tool such as OpenSSL. The only difference is not a technical one: it is whether the root is already trusted by the device.

All operating systems, Android included, ship with preinstalled root certificates (all of them self-signed). They live in the so-called trusted certificate store, and they are what people mean by the "official" certificates distributed with the OS.

When a server uses a certificate issued by one of the public certificate providers, you should be fine, because Android already has the signer's certificate in its trust store.

When you use a self-signed server certificate (or one issued by your own private CA), it is almost certain that the certificate used to sign it is not in the OS trust store. To make your server certificate valid, the first step is to install the signer certificate into the OS trust store so that Android can validate the certificate chain the server presents. Note that since Android 7 an app does not trust user-installed CA certificates by default unless it opts in through its network security configuration or loads the user store itself, so installing a certificate on the device helps only with apps that do so.

This is all that is needed as long as the server uses a server-only certificate, i.e. only the server authenticates itself, as most secured websites do.

However, when a server is configured to ask for a client certificate as a means of authenticating the client, access to the resource will be blocked unless you have a client certificate (together with its private key) installed in the Android KeyStore, which is a different store from the trust store.

A client certificate is usually distributed as a PKCS#12 file (.p12 or .pfx). This is a password-protected binary container holding your private key, your client certificate (which carries the public key) and, if the admins know what they are doing, one or more additional certificates that form the chain used to sign your client certificate.

Unfortunately, many people do not know how important it is to include the signing certificates in the PKCS#12 file, and if they are missing, the Android security system may block access to the network resource.

Why?

When you import the PKCS#12 file into the Android KeyStore and try to establish a secure connection, the underlying network layer does two things: it loads the client key (the key manager that presents your certificate to the server) and it loads the certificates used to verify the server into the system default certificate trust verifier (the trust manager).

The trust verifier can be populated with certificates from the PKCS#12 file, from the system trust store, or both. By default it is loaded only from the OS trust store. If the signer (self-signed root) certificate is neither in the trust store nor loaded by the application from the certificate chain inside the PKCS#12 file, access to the remote resource will be blocked.

Solution

Install the signer certificate (*.cer or *.crt file) into the Android trust store, either by tapping the file on the device or through the certificate installation option in the Security settings. Then import the PKCS#12 file to install the client key and certificate.

Green Screens Terminal Mobile has two operational modes: strong and weak.

In strong mode (the default), the app loads the Android trust store into the certificate trust verifier, initializes the secure connection and asks you to select a user certificate.

In weak mode, the app creates a custom certificate trust verifier that accepts every server certificate without verification, then initializes the secure connection and asks you to select a user certificate.

Weak mode still encrypts the traffic, but it cannot validate the server certificate and therefore cannot protect you from a forged one: anyone on the network path can impersonate the server. It is not recommended, but it is useful for testing the connection and the client certificate setup.

To enable weak mode, go to Settings -> Security and disable Certificate Verification.
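As an added illustration of the two modes (this is example code written for this post, not the Green Screens app's own implementation), the Java below builds an SSLContext for mutual TLS from a PKCS#12 file. The strong variant seeds its trust store from the Android system store plus any CA certificates the admin bundled into the .p12, so a signer that was shipped inside the file but never installed on the device is still trusted; the weak variant accepts every server certificate. The class and method names (ClientCertSslContext, buildTrustStore, strongMode, weakMode) are assumptions chosen for this example.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Builds an SSLContext for mutual TLS from a PKCS#12 client bundle (illustrative code, not the app's own). */
public final class ClientCertSslContext {

    private ClientCertSslContext() {}

    /** The PKCS#12 file supplies the private key, the client certificate and, ideally, the signer chain. */
    public static KeyStore loadPkcs12(InputStream p12Stream, char[] password) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(p12Stream, password);
        return p12;
    }

    /**
     * Trust store for strong mode: the Android system store (system and user-installed CAs,
     * aliases "system:..." and "user:...") plus any CA certificates carried in the PKCS#12 chain.
     */
    public static KeyStore buildTrustStore(KeyStore p12) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);

        KeyStore androidCas = KeyStore.getInstance("AndroidCAStore");
        androidCas.load(null, null);
        for (Enumeration<String> e = androidCas.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            trust.setCertificateEntry(alias, androidCas.getCertificate(alias));
        }

        for (Enumeration<String> e = p12.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = p12.getCertificateChain(alias);
            if (chain == null) continue;                  // not a key entry, nothing to harvest
            for (int i = 1; i < chain.length; i++) {      // chain[0] is the client certificate itself
                X509Certificate c = (X509Certificate) chain[i];
                if (c.getBasicConstraints() >= 0) {       // -1 means "not a CA certificate"
                    trust.setCertificateEntry("p12:" + alias + ":" + i, c);
                }
            }
        }
        return trust;
    }

    /** Strong mode: present the client certificate AND verify the server against the trust store. */
    public static SSLContext strongMode(KeyStore p12, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(p12, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(buildTrustStore(p12));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /**
     * Weak mode: the client certificate is still presented and traffic is still encrypted,
     * but every server certificate is accepted. Diagnostics only; an on-path attacker can
     * impersonate the server.
     */
    public static SSLContext weakMode(KeyStore p12, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(p12, password);
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { trustAll }, new SecureRandom());
        return ctx;
    }
}
```

Hand `ctx.getSocketFactory()` to HttpsURLConnection or to your HTTP client. The key manager here picks the client certificate out of the .p12 itself; an app that lets the user choose a certificate already installed in the device store would instead go through Android's KeyChain API. Ship only the strong variant; keep the weak one behind a setting the user must consciously switch off, as the app does.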

If there are still connection errors, there is a good chance that the signer certificate has expired or does not match the one that actually issued the certificate. It can happen that the wrong signer certificate was bundled into the PKCS#12 file, or that an old trust certificate is installed on the device.

There is one more case in which certificates do not work.

When there is a chain of certificates (root -> intermediate -> end-entity) and the intermediate certificate is not included in the PKCS#12 file, or the certificates are in the wrong order. A chain has to be stored in order from the end-entity certificate through the intermediate certificate(s) up to the root certificate. Some servers are misconfigured in this respect, so we added custom certificate validation to our mobile app that reorders the chain and fixes such issues automatically. This only works, however, if all the required certificates are installed in the Android certificate store.
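The reordering logic described above, as an added example written for this post rather than the app's own code: it takes the end-entity certificate and an unordered pool (the certificates found in the .p12 plus those from the trust store), walks from the leaf to the root by matching each certificate's issuer name to a candidate subject and checking the signature, and then validates the ordered chain with the standard PKIX validator against the Android trust store. The class and method names (ChainRepair, reorder, validate) are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Reorders a shuffled certificate chain and validates it (illustrative code, not the app's own). */
public final class ChainRepair {

    private ChainRepair() {}

    /** A root certificate: subject equals issuer and the signature verifies under its own key. */
    public static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    /** Finds, in the pool, the certificate that actually signed c: name match plus signature check. */
    static X509Certificate findIssuer(X509Certificate c, Collection<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (candidate.equals(c)) continue;
            if (!candidate.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            try {
                c.verify(candidate.getPublicKey());
                return candidate;
            } catch (Exception ignored) {
                // same name but wrong key (e.g. an old CA certificate), keep looking
            }
        }
        return null;
    }

    /**
     * Builds the chain in the order TLS and the validator expect: end-entity first, then each
     * intermediate, up to and including the self-signed root if it is present in the pool.
     * Stops early if an issuer is missing, which is exactly the "intermediate not included" case.
     */
    public static List<X509Certificate> reorder(X509Certificate leaf, Collection<X509Certificate> pool) {
        List<X509Certificate> ordered = new ArrayList<>();
        ordered.add(leaf);
        X509Certificate current = leaf;
        while (!isSelfSigned(current)) {
            X509Certificate issuer = findIssuer(current, pool);
            if (issuer == null || ordered.contains(issuer)) break;   // incomplete chain, or a loop
            ordered.add(issuer);
            current = issuer;
        }
        return ordered;
    }

    /**
     * Validates the ordered chain against the trust anchors in trustStore (for example the
     * "AndroidCAStore" keystore). Returns the matched anchor, or throws
     * CertPathValidatorException whose getIndex() points at the offending certificate
     * (expired, wrong signer, missing issuer, ...).
     */
    public static TrustAnchor validate(List<X509Certificate> ordered, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>(ordered);
        // The anchor itself is not part of the path: drop a trailing self-signed root.
        if (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);   // no CRL/OCSP here; the point is the chain structure
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(certPath, params);
        return result.getTrustAnchor();
    }
}
```

Two details matter in practice. Matching on names alone is not enough, because a renewed CA keeps its subject name while changing its key, so each step verifies the signature before accepting the candidate. And validation still fails if the root (or an intermediate installed as a trust anchor) is absent from the trust store, which is why the reordering only helps once all required certificates are installed, as the post states.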

More about the Android certificate store can be found here.

We hope this helps to clear up some of these questions.