HTTPS with a self-signed certificate on Android

Introduction

If you run your own server and want to communicate with it over HTTPS (SSL-encrypted), you need a certificate. You can get one from an official certification authority (CA), or you can create a self-signed certificate. A self-signed certificate normally triggers a warning (certificate validation failed - issuer certificate is unknown), as shown in the following browser example, which you can accept manually if you trust the certificate.

Browser Example

Such a manual override is no longer possible for an app published on the official Google Play Store, because Google has changed its security guidelines and no longer allows an app to simply pass the connection through when validation fails. That is fine, since it increases security, but it means we need a different approach to get a securely encrypted channel from the app to the server. The following guide describes the two main steps needed to use a self-signed certificate for an SSL connection between a server and apps on Android devices.

1st Step: Generate the self-signed certificate and install it on the server

The following steps (on the command line, e.g. on Linux) generate a self-signed certificate with openssl:

  1. create a directory in which the key and certificate will be generated and stored
    • mkdir /my_server_certs
  2. enter the directory
    • cd /my_server_certs
  3. generate a private key, which we call "my_server"
    • openssl genrsa -out my_server.key 1024
  4. generate an ASCII (Base64) encoded certificate from the private key and store it in a pem file
    • openssl req -x509 -new -nodes -key my_server.key -days 3650 -out my_server.pem
    • the following information will be requested, but only the server name matters; all other questions can be answered by just hitting the enter key:
      • Country Name: not important (2 letter code, e.g. DE for Germany)
      • State or Province Name: not important (e.g. Bavaria)
      • Locality Name: not important (e.g. Munich)
      • Organisation Name: not important (e.g. own)
      • Organisation Unit Name: not important (e.g. server)
      • Common/Server Name: the only important field; it has to match the real server name - see the virtual host configuration example for the Apache server below (e.g. my_server)
      • Email Address: not important (e.g. myName@my_server)
  5. generate the "der"-encoded certificate from the pem file
    • openssl x509 -in my_server.pem -outform der -out my_server.der.crt
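The five steps above as one non-interactive shell script, added here as an example and not part of the original guide. It assumes openssl is on the PATH; the output directory and the host name are parameters, so /my_server_certs and my_server from the guide are only the example values passed in. It differs from the guide in two deliberate ways: the key is 2048 bits rather than 1024, which is below today's minimum, and the certificate carries a subjectAltName, because current Android versions (and browsers) match the host name against the SAN rather than the Common Name alone. The last function runs the same trust-anchor check the device performs after the certificate is imported: the certificate must verify against itself as the only CA.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes openssl on PATH.
set -eu

# Creates <dir>/<name>.key, <name>.pem and <name>.der.crt for host <name>.
make_self_signed_cert() {
    dir="$1"        # output directory, e.g. /my_server_certs
    name="$2"       # file base name and Common Name, e.g. my_server
    mkdir -p "$dir"

    # Minimal OpenSSL request config: answers the prompts of step 4 and adds
    # a subjectAltName so host-name matching works on current clients.
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
EOF

    # Step 3: private key (2048 bits instead of the article's 1024).
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null

    # Step 4: self-signed PEM certificate, valid for 10 years.
    openssl req -x509 -new -nodes -key "$dir/$name.key" -days 3650 \
        -config "$dir/$name.cnf" -out "$dir/$name.pem"

    # Step 5: DER copy for import on the Android device.
    openssl x509 -in "$dir/$name.pem" -outform der -out "$dir/$name.der.crt"
}

# Prints the subject of a DER certificate; non-zero exit if it does not parse.
cert_subject() {
    openssl x509 -inform der -in "$1" -noout -subject
}

# Checks that the certificate belongs to the private key (same RSA modulus).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ "$k" = "$c" ]
}

# Models the device-side trust check: with the certificate installed as the
# only trust anchor, the server certificate must verify against it.
verify_as_trust_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null
}
```

Run it as `make_self_signed_cert /my_server_certs my_server` and follow with the three checks; if `verify_as_trust_anchor` fails, the certificate will not be trusted after import either. Note that this only covers what the guide covers: apps targeting Android 7 (API 24) or later do not trust user-installed certificates by default and must opt in through their network security configuration, so the user-store import described in the second step is not sufficient for them on its own.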

After generating the private key and the certificate, the server has to be configured for SSL. The following steps show the required Apache configuration:

  1. Enable SSL with
    • SSLEngine on
  2. set the path to the private key file
    • SSLCertificateKeyFile /my_server_certs/my_server.key
  3. make the certificate known to the server
    • SSLCertificateFile /my_server_certs/my_server.pem

Example of an Apache Virtual Host File

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerAdmin webmaster@localhost
     DocumentRoot /var/www/public
     ServerName my_server

     <Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride all
        Order deny,allow
        SSLRequireSSL
     </Directory>

     SSLEngine on
     SSLCertificateFile /my_server_certs/my_server.pem
     SSLCertificateKeyFile /my_server_certs/my_server.key
</VirtualHost>
</IfModule>

The *:443 makes the server listen for all HTTPS requests on the standard TCP port 443. It is important to define the server name, which is done here by the line ServerName my_server; it must match the Common Name entered when the certificate was generated.

2nd Step: Install the self-signed certificate on Android devices

Now that the server is configured for SSL, let's make our Android device trust the connection to the server by importing the server certificate. On Android 6.x this is done with the following steps:

  1. Copy the certificate my_server.der.crt to the device (SD card).
  2. Go to "Settings" -> "Lock screen and security" -> "Other security settings" -> "Install from device storage" and select the certificate file, which should be listed there automatically.
  3. Press "done". In the following dialog, where you can enter a name and select what the certificate will be used for, simply press "OK" to install it.

To view or uninstall the certificate go to "Settings" -> "Lock screen and security" -> "Other security settings"-> "View security certificates" and select the "USER" tab.

Removal of all user certificates can also be achieved by option "Clear Credentials".

Hint:

  • If the list of selectable certificates still contains old, already deleted ones, a copy is still stored somewhere on internal storage (SD card). Also check the recycle bin, if one is enabled on your device (e.g. ES Explorer has one).