Importing HTTPS cert on Android 11

4k3or3et · September 26, 2021, 9:08am

Hi All,

i am having issue with installing HTTPS cert on my Android 11 device.

I have created cert using command:

openssl req -x509 -nodes -days 356 -newkey rsa:2048 -keyout cert.key -out cert.crt -config cert.conf

with config file:

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
string_mask         = utf8only
 
[req_distinguished_name]
C                   = XX
ST                  = XXX
L                   = XXX
O                   = XXXX
OU                  = XXXXX
CN                  = XXXXXX
 
[v3_req]
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names
 
[alt_names]
DNS.1               = XXXXXX
IP.1                = XXX.XXX.XXX.XXX

Where is X is replacing actual data.

Then I exported cert by using:

openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt

The exported cert works fine on Windows. But when I try to Install it on Android I get:

"Can't install certificate
This File can't be used as a CA Certificate"

Does anyone have any clue how to import HTTPS cert from OpenWRT to Android 11 device?

Thanks.

4k3or3et · September 29, 2021, 6:39pm

Anyone can help?

jring · September 29, 2021, 10:27pm

Hi,

there are two possible errors:

you are trying to import a pkcs12 container with the private key into the android truststore for CA certs. That is not the correct place for a private key (only for certificates with the pubkey inside) and pkcs12 is probably the wrong format to try as it usually contains the private key.
Try to import cert.crt on android and see if that works.
the more probable reason is that your certificate is a self-signed server certificate and not a CA cert which is what android likely expects to import into its trust store... If that is the case, you need to create your own CA with openssl and import its CA root cert into android. Here is a guide... you can leave out the intermediate CA if you want to...
https://jamielinux.com/docs/openssl-certificate-authority/

Joachim

mk24 · September 30, 2021, 12:55am

Yes do not place private keys on the user device. This shows a fundamental misunderstanding of how certificates work. The private key should exist in only one place, the web server.

When you initiate a SSL connection, the browser automatically gets the public part of the certificate. It is more secure to make an exception for this one certificate on one browser than to install a trusted CA. If someone obtains the private key to that CA, they can man-in-the-middle the entire Internet on you.

So if you do go the CA route it would not be unreasonable to make it a single use to sign one web server certificate then destroy the CA private key. If you install any unknown third party CA, Android will throw a constant big warning that your device is potentially insecure.

4k3or3et · September 30, 2021, 2:31pm

Guys,

thanks for pointing that installing cert with private key is bad idea.

I was following OpentWRT documentation:

https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings

where we have stated:

so I did it that way. Are you saying it is wrong?

I just tried to install cert.crt on windows without converting it .pfx file and browser still accepts it. I don't understand then why OpenWRT is pointing to export .crt file to .pfx with private key included.

Anyway, I have tried to install cert.crt on Android device but i get:

"Private key required to install certificate"

I would really like to install OpenWRT certificate from my router on my Android device. Any other clues guys?

ohViep6h · July 31, 2023, 2:02pm

The issue here is android which doesn't support newer PKCS12 Format: https://stackoverflow.com/a/73512646/7418348