how to use clientcertificate to access https websites under android
I try to access a company website through https. There's need for client certificate authentication, but I don't know how I can provide this in Firefox 4.0 for Android. The certificates has already been imported under Android. The error I get is: ssl_error_handshake_failure_alert. How can I set the certificate to be used for this website?
Krejt Përgjigjet (17)
I have found how to use Client Certificates with Android OS:
1. Install and run at least once Mozilla Firefox or Mozilla Fennec for Android .
2. Please download from your Android phone to the PC: - Mozilla Firefox:
/data/data/org.mozilla.firefox/files/mozilla/<random number>.default/cert9.db
/data/data/org.mozilla.firefox/files/mozilla/<random number>.default/key4.db
- Mozilla Fennec:
/data/data/org.mozilla.fennec/files/mozilla/<random number>.default/cert9.db
/data/data/org.mozilla.fennec/files/mozilla/<random number>.default/key4.db
3. Move them to a MS Windows directory (Ex.: C:\keys )
4. Download the package NSS_Tools_x86_from_NSS_3.12.7 Tools.zip and extract it into a directory (Ex.: c:\nss-3_12_7)
5. Run command prompt ( CMD.EXE ) and change the directory where you have extracted NSS_Tools_x86_from_NSS_3.12.7 Tools.zip(Ex.: "cd c:\nss-3_12_7")
6. Executhe the command:
pk12util.exe -i <PKCS12 filename containing your client certificate> -d sql:<directory from step 3> ( Ex.: c:\nss-3_12_7>pk12util.exe -i c:\epay.p12 -d sql:C:\keys ) Enter password for PKCS12 file: <your PKCS12 password> pk12util.exe: PKCS12 IMPORT SUCCESSFUL
If you have more client certificates - do the same command again.
7. Move the "cert9.db" and "key4.db" files back to your Android phone. If necessary fix the ownership and access rights.
8. Restart Mozilla Firefox or Mozilla Fennec for Android.
9. If you access a web site that needs client certificate authentication the browser will ask you to choose one of the imported client certificates and will you them
Final words:
Now even on Android platform it is possible to use client certificates for SSL authentication and signing. If there was an add-on or a setting to manage them it would be much easier. I hope that Fennec developer team will fix this issue in the near future.
It is also possible to use PKCS#11 library for accessing secure signature devices plugged into the microSD slot and this will make possible to use Qualified digital certificates with Android OS.
this only works on rooted phones. For non-root users there are 2 options:
- create a special APK with FF/fennec which generates a new profile with cert9.db and key4.db . I do not know how to do this. I'd like though
- or: mozilla adds cert management to ff/fennec
The files:
......files/mozilla/<random number>.default/cert9.db
......files/mozilla/<random number>.default/key4.db
dont exist for me. I'll take oernii's word that its because it's not a rooted phone.
Is there really no other way for me to get Firefox to use client-side certificate for authentication? I can't be giving those kind of instructions to people who want to access services on their android phones.
Ndryshuar
Sorry, there's no easy way to add client certificates to Firefox for mobile. We'd like to add this feature to a future version of the browser. For details, see: https://bugzilla.mozilla.org/show_bug.cgi?id=436076
Until then, maybe someone can write an add-on to provide this feature.
Here is another completely different approach but it does not involve Mozilla browser - just another temporary solution.
Ndryshuar
@cbrowne: vazmuten's original reply does work for non-rooted phones. You have to connect the device to your PC via the USB cable and mount the SD card in order to see them. I searched using several Android file managers (OI File Manager, ES File Explorer, etc.) but couldn't find them until I browsed the card in Windows. It's possible that there's some sort of attribute that hides part of this path from on-device file managers (such as a hidden flag or UNIX permission that prevents reading).
I should also point out that the paths I saw were not exactly what vazmuten reported. I'm seeing:
\Android\data\org.mozilla.firefox\files\mozilla\<random>.default
Note the first "Android" rather than two "data" directories.
Full disclosure: I'm using a stock Motorola Droid running Android 2.2.2. Latest Firefox Mobile (4.0 RC) with the "move to SD card" flag in the OS active. I use a private CA for authenticating with the admin portions of my sites and issue client certs for each device/machine I use to connect. I was able to get Firefox Mobile to successfully connect to a site that required client certs after following this procedure.
I'm glad to see at least one Android browser is supporting client certs. I've tried lots of other solutions, and so far Firefox is the only one that works. It definitely needs a built-in UI; while this procedure isn't necessarily all that hard, it's not something most users or businesses are going to go through, especially if they have a lot of devices to configure.
hey there i have my galaxy s2 rooted but i cant see mozilla\<random>.default
i just see downloads folder not data/org.mozilla.firefox/files/mozilla/<random number>.default/cert9.db what can be?
thanks
I have created an addon for firefox mobile which allows you to import CA and client certificate. https://addons.mozilla.org/en-US/mobile/addon/cert-manager/
no ROOT required
Ndryshuar
Hi,
I am having trouble installing the certificate on 2.3.3 using the cert managar 1.3 add-on for firefox. The browse options i get are "gallery/songs/..." and it doesn't locate the .p12 file i placed in there. I don't have a way to change the browse-folder either. This is on an HTC flyer tablet running 2.3.3,.
It would be great if you can give me any pointers to what i am missing.
Thanks. -venkat
Looks like oernii developed this on the Maemo/Meego system. There is no default file picker on Android. For Android there needs to be a textbox that allows typing of the full path to the file.
Hi, the addon was primarily developed for android and is reported functioning by me and others. For file-selection please use total commander or astro. I'll update the description on the addon as I wasn't aware that default android wont allow you to pick any file.
Generally, file managers are third-party applications in Android. Some devices (like my DROID 3) have "built-in" file managers which are actually supplied by the device manufacturer (in this case, Motorola). Search the Market for "file manager" and you'll get a bunch.
I use OI File Manager and ES File Explorer, both of which seem to work with this plugin. (Unfortunately, some file managers work better than others in certain situations, so sadly it's hard to get away using only one.)
Thanks!. Once i installed a file manager (ES explorer), things worked fine and i was able to load the cert on to the browser and access secure website.
Hi, I have questions.
By using the CertManagar1.3, I was able to successfully import user certificate to firefox and access secure website. ( Thanks, oernii :) )
However, once I turn off my devices(Android2.3.3,GalaxyTab and Android4.0.1,GalaxyNexus) , then ssl_error_handshake_failure_alert occurred and I can't access the same secure website though I choose the same certificate.
This problem is solved by re-importing the same certificate.
What causes this problem? And, How can I access secure website after turn off my device, by not re-importing?
Ndryshuar
hi, could you please open a issue on the bug tracker? https://github.com/oernii/cert-manager/issues/
O.K. I submitted the issue. Thanks for your reply.
I am not getting prompted for my uploaded cert when I visit a pki secured URL. Any ideas?