Trusting Android Certificates, Part Deux

This post is a follow-up to CrazyBob’s great post on the same subject. A big thanks to him for posting it, as it helped me and my team get to our final result: getting Android to talk to a server whose CA is not in its built-in trust store (Thawte, in this case).

The Original Problem

In short, I was getting the dreaded error:

SSLException: Not trusted server certificate

This happened in Android when attempting to contact one of our servers in Germany. The problem is that the server’s certificate is issued by Thawte, and unfortunately the Thawte root that our chain leads to is not in the list of known CAs in the Android source code (yes, there is a list), so the platform cannot build a trusted chain for it.

Crazy Bob’s post got us down the correct path; however, after following it the app started throwing a different error:

javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

Great. After some investigation we determined that Crazy Bob’s post was using a self-signed certificate for his server. Therefore, when he generated his .pem file with this command:

echo | openssl s_client -connect ${MY_SERVER}:443 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem

That command grabs the certificate the server presents, i.e. its leaf certificate. Because his server cert was self-signed, that was exactly what he wanted: the leaf is its own trust anchor. If your cert is NOT self-signed, the leaf is only trusted because a CA signed it, so what belongs in the keystore is the root certificate of that CA. Therefore, if Thawte signed your cert, you want Thawte’s root CA cert as the trust anchor in your keystore, and the platform then verifies that your server’s certificate chains up to it.

How to Find your Root Cert

Please note, your mileage may vary, but here’s how we found it. We ran the following command:

openssl s_client -connect api.yourserver.de:443

In the “Certificate chain” section of the output (the s:/i: subject and issuer lines for each certificate the server sent), the issuer of the last certificate was:

CN=thawte Primary Root CA

We then looked up the root CA certificate on Thawte’s site via their Root Certificates page. We grabbed the first one, as the other two root CAs listed (#4 and #5) were invalid and/or out of date for our chain. Here’s the link to the one we used. Before importing a root you downloaded, compare its fingerprint against the value the CA publishes: a trust anchor is only as good as that check, since whatever you put in the store is trusted unconditionally by your app.
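The s_client output is easier to work with if you script the lookup. The following shell script is an added example, not code from this post or from Crazy Bob’s: it parses `openssl s_client -showcerts` output to list the chain, names the root CA you need to fetch (the issuer of the last certificate the server sent, since servers normally send the leaf and intermediates but not the root), extracts one specific certificate from the chain instead of only the first block the post’s sed one-liner returns, and wraps the two openssl checks worth running on the downloaded root before it goes anywhere near a keystore. The sample s_client output embedded in it is constructed for the example, with placeholder PEM bodies and made-up names; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for working out which
# root CA to fetch from `openssl s_client -showcerts` output, and for checking
# the downloaded root before it goes into a trust store.

# Print the chain as "depth|subject|issuer" rows from s_client output on stdin.
# Handles both the old "s:/C=US/CN=x" layout and the newer "s:C = US, CN = x".
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); print depth "|" subj "|" $0 }
    '
}

# Common Name of a DN in either layout. Assumes CN is the last attribute,
# which is how CAs normally order it.
dn_cn() {
    sed -e 's/.*CN *= *//' -e 's#/.*##'
}

# Issuer of the last certificate the server sent (s_client output on stdin).
# Servers normally send the leaf and its intermediates but not the root, so
# this is the root CA to look up on the CA's site. If it equals that
# certificate's own subject, the server already sent a self-signed root.
root_issuer() {
    chain_summary | awk -F'|' '{ last = $3 } END { print last }' | dn_cn
}

# Extract certificate number N (0 = leaf, 1 = first intermediate, ...) from
# -showcerts output on stdin. The sed one-liner in the post prints every PEM
# block it sees, which for a CA-issued cert is the leaf plus intermediates.
nth_cert() {
    awk -v want="$1" '
        BEGIN { n = 0; want = want + 0 }
        /-----BEGIN CERTIFICATE-----/ { inblk = 1 }
        inblk && n == want { print }
        /-----END CERTIFICATE-----/   { if (inblk) n++; inblk = 0 }
    '
}

# SHA-256 fingerprint of a PEM file, to compare with the value the CA
# publishes for its root before anything is imported.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Verify a leaf against the downloaded root, passing any intermediates the
# server sent via -untrusted. Without them openssl fails with error 20
# (unable to get local issuer certificate), the same gap behind the "no peer
# certificate" symptom when a server omits its intermediates.
verify_chain() {   # verify_chain root.pem leaf.pem [intermediates.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

# Constructed sample of `openssl s_client -showcerts` output: a leaf and one
# intermediate, root not sent. PEM bodies are placeholders, not real certs.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=Example GmbH/CN=api.yourserver.de
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA
-----BEGIN CERTIFICATE-----
MIIBleafplaceholder
-----END CERTIFICATE-----
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
MIIBintermediateplaceholder
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/O=Example GmbH/CN=api.yourserver.de
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA
---'

# Usage: sh find_root.sh                              -> demo on the sample above
#        sh find_root.sh root.pem leaf.pem [chain.pem] -> fingerprint + verify
if [ "$#" -ge 2 ]; then
    fingerprint "$1"
    verify_chain "$1" "$2" "${3:-}"
else
    printf '%s\n' "$SAMPLE" | chain_summary
    printf 'root CA to fetch: %s\n' "$(printf '%s\n' "$SAMPLE" | root_issuer)"
fi
```

In real use, capture the live output once with `openssl s_client -showcerts -connect api.yourserver.de:443 </dev/null > chain.txt` (api.yourserver.de is the placeholder name from the post), then pipe chain.txt through root_issuer and nth_cert; the downloaded root and the leaf from nth_cert 0 are what verify_chain checks.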

Generating the Keystore

Using this root CA, we generated the same keystore that Crazy Bob did, with this script (it needs the Bouncy Castle provider jar because Android reads BKS stores, not the JKS format keytool produces by default):

# Bouncy Castle provider jar; the same jar serves CLASSPATH and -providerpath
BCPROV=bcprov-jdk16-146.jar
export CLASSPATH=$BCPROV
CERTSTORE=res/raw/mystore.bks
# Start from an empty store so entries from earlier runs don't linger
if [ -e "$CERTSTORE" ]; then
    rm "$CERTSTORE" || exit 1
fi
# keytool reads the PEM file directly; every imported cert needs its own -alias
keytool \
      -import \
      -v \
      -trustcacerts \
      -alias 0 \
      -file thawte_Primary_Root_CA.pem \
      -keystore "$CERTSTORE" \
      -storetype BKS \
      -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
      -providerpath "$BCPROV" \
      -storepass ez24get

After this I had the “mystore.bks” file, followed Crazy Bob’s instructions again, and used it to build my trust store as shown in step three of his post. Two notes on the store itself: it holds only public CA certificates, so the store password protects the file’s integrity rather than any secret, and the app has to ship the password to open the store anyway. Also, the Bouncy Castle version matters: later bcprov releases write a newer BKS format that older Android releases cannot read, so stick to the 1.4x jar shown here or, with a newer bcprov, use the BKS-V1 store type.

Done

After all that work, I can now talk to my server without compromising security: I’m not accepting every SSL cert out of the box, only certificates that chain to a CA I have explicitly approved. Two things to keep in mind. Trusting the Thawte root means trusting every certificate Thawte issues, not just mine; that is wider than pinning the leaf itself, but it survives certificate renewals without an app update. And if you’re dealing with many servers whose certs come from different CAs, you will need to import each CA’s PEM file into the keystore, giving each import a distinct -alias.


  • Noone

    This post saved my ass!!!

  • herm

    It’s still not working for me – below Android 3, that is. On my phone, running 4.0.3, it works fine – no trusted or peer certificate errors; it just works.

    BUT in my emulator running 2.3, I get “javax.net.ssl.SSLPeerUnverifiedException: No peer certificate.” Urrgh… I read Crazy Bob’s post and Antoine Hauck’s post (http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/). My server is also using Thawte and using the root certificate. Any ideas??!! Why would this work in 3 and 4 but not in 2 (and I assume 1)?


  • scottyab

    Great post. It’s also worth noting that “no peer certificate” can also occur if the web server/service hasn’t been configured to include the intermediate certs. You’ll see error 20 when you run “openssl s_client -connect api.yourserver.de:443”.