Import/Install SSL-certificate without CA-flag

Question

Our team has the following problem:

We are developing a client-application for android and iOS using Unity + UniWebview + HTML. This app includes Ajax-requests to some servers via jQuery. For testing purposes we're using a testing server instead of the live server. This testing server uses a self-signed SSL-certificate.
NOTE: We have no access to that server, so changing the SSL-certificate is likely not an option.

When testing the .htm-file locally with the desktop browser we just did import that SSL-certificate to Chrome and Mozilla Firefox. With this approach our HTML-code worked as expected.



Now we wanted to test it in our UniWebview environment on an android device. Intially the app didn't work. As we tested the .htm-file in the mobile chrome browser, the requests were blocked because of the not trusted SSL-certificate. So we went looking for a solution on how to import the certificate to Android.



The most common solution we found, was exporting the certificate in chrome or firefox and copying it to the SD-card drive of the device. Then: Settings > Security > Install from USB-Storage, then select the certificate and install it. After the installation we got the message of a successful installation. But when looking for it in the list of user certificates, it doesn't show up. After testing our script again it also still doesn't work. We gave this solution a couple of tries by experimenting with different formats and encodings, but everytime we got the same result.



The second try was using the application CAdroid for importing SSL-certificates to Android. But there we also encountered a problem. At step 4 (checking of the certificate) we got an errormessage that the basic constraints are missing. Therefore there is no CA-flag set, therefore the CA-flag isn't true.



The third try was using the Android-emulator of the Android-SDK. This time we got the same problem as in our first try, when installing the certificate directly to Android.



TL;DR

So my quesiton: Is it possible to install this self-signed certificate to Android without having a set CA-flag?

If not, is it possible to modify that existing certificate, so it can be installed?

NOTE: Creating a new certificate is NOT a real option.

NOTE: We only have the certificate-files, we exported with chrome and firefox

I found this post: self-signed certificate install claims success, but android acts as if cert isn't there . In the comments there is some discussion about modfying an exisiting certificate, although I am not sure if this is an option for us.



Testing device:
Samsung GT-N8010 (Galaxy Note 10.1)
Android 4.4.2



Best Regards


MMauerer | Sources

Answer


Is it possible to install this self-signed certificate to Android without having a set CA-flag?




Android uses OpenSSL (or the fork BoringSSL in later versions) as the underlying SSL stack. OpenSSL will not accept a self-signed certificate unless the CA flag is true, because even a self-signed certificate must have the correct flags so that it can sign itself (i.e. CA flag). So even if you would be able to install the certificate it will not be used as the trust anchor for validation, i.e. the validation will fail.




If not, is it possible to modify that existing certificate, so it can be installed?
NOTE: Creating a new certificate is NOT a real option.




No, you cannot modify an existing certificate. You could probably re-create the certificate if you have access to the original certificate and the private key.


Steffen Ullrich | Sources

Q & A

Create a profile to disable other profiles
Flash a ROM without using recovery mode
The Tab Switcher in Google Chrome on Moto G(3rd Gen) is stuck in accessibility mode
Which version of Xposed should I use for Nexus 5X?
What does "Can't send message on card 1, error 21" mean?
Can't charge/power on Nook HD+
After reinstalling Android from stock images, why do updates complain about modified /system files?
S2 with working Lollipop Custom ROM, stuck on boot , won't reinstall ROM in CWM
Change android Jelly Bean google account with no data loss
How do I safely "copy" my gpg keys from kgpg on Linux to an Android app like openkeychain?
How to edit hidden settings from Developer options?
Is there any Netcat like application available in Android OS by default, like most of the Linux systems?
Can I use Google Play Services geofences to get location profiles without a service running all the time?
What is the standard voltage and current levels for an android battery?
How to enable adb in bootloader mode?
Can't reboot to recovery mode
Does blocking app notifications stop app from accessing internet?
How to use speech-to-text offline?
Google Play Store does not open
How to enable developer mode to install apps via ADB for this cheap Android Watch?

Topics

2D Engines   3D Engines   9-Patch   Action Bars   Activities   ADB   Advertisements   Analytics   Animations   ANR   AOP   API   APK   APT   Architecture   Audio   Autocomplete   Background Processing   Backward Compatibility   Badges   Bar Codes   Benchmarking   Bitmaps   Bluetooth   Blur Effects   Bread Crumbs   BRMS   Browser Extensions   Build Systems   Bundles   Buttons   Caching   Camera   Canvas   Cards   Carousels   Changelog   Checkboxes   Cloud Storages   Color Analysis   Color Pickers   Colors   Comet/Push   Compass Sensors   Conferences   Content Providers   Continuous Integration   Crash Reports   Credit Cards   Credits   CSV   Curl/Flip   Data Binding   Data Generators   Data Structures   Database   Database Browsers   Date &   Debugging   Decompilers   Deep Links   Dependency Injections   Design   Design Patterns   Dex   Dialogs   Distributed Computing   Distribution Platforms   Download Managers   Drawables   Emoji   Emulators   EPUB   Equalizers &   Event Buses   Exception Handling   Face Recognition   Feedback &   File System   File/Directory   Fingerprint   Floating Action   Fonts   Forms   Fragments   FRP   FSM   Functional Programming   Gamepads   Games   Geocaching   Gestures   GIF   Glow Pad   Gradle Plugins   Graphics   Grid Views   Highlighting   HTML   HTTP Mocking   Icons   IDE   IDE Plugins   Image Croppers   Image Loaders   Image Pickers   Image Processing   Image Views   Instrumentation   Intents   Job Schedulers   JSON   Keyboard   Kotlin   Layouts   Library Demos   List View   List Views   Localization   Location   Lock Patterns   Logcat   Logging   Mails   Maps   Markdown   Mathematics   Maven Plugins   MBaaS   Media   Menus   Messaging   MIME   Mobile Web   Native Image   Navigation   NDK   Networking   NFC   NoSQL   Number Pickers   OAuth   Object Mocking   OCR Engines   OpenGL   ORM   Other Pickers   Parallax List   Parcelables   Particle Systems   Password Inputs   PDF   Permissions   Physics Engines   Platforms   Plugin Frameworks   Preferences   Progress Indicators   ProGuard   Properties   Protocol Buffer   Pull To   Purchases   Push/Pull   QR Codes   Quick Return   Radio Buttons   Range Bars   Ratings   Recycler Views   Resources   REST   Ripple Effects   RSS   Screenshots   Scripting   Scroll Views   SDK   Search Inputs   Security   Sensors   Services   Showcase Views   Signatures   Sliding Panels   Snackbars   SOAP   Social Networks   Spannable   Spinners   Splash Screens   SSH   Static Analysis   Status Bars   Styling   SVG   System   Tags   Task Managers   TDD &   Template Engines   Testing   Testing Tools   Text Formatting   Text Views   Text Watchers   Text-to   Toasts   Toolkits For   Tools   Tooltips   Trainings   TV   Twitter   Updaters   USB   User Stories   Utils   Validation   Video   View Adapters   View Pagers   Views   Watch Face   Wearable Data   Wearables   Weather   Web Tools   Web Views   WebRTC   WebSockets   Wheel Widgets   Wi-Fi   Widgets   Windows   Wizards   XML   XMPP   YAML   ZIP Codes