experiences with (working :-) ) self-signed ssl certificates
this are my experiences with self-signed certificates import to android with cadroid.
my first try with a self-signed ssl certificate was with an ip address as cn instead of a fqdn.
i used the information of the following urls.
creating a self-signed ssl certificate (german language):
within my first tries i recognized that i have to modify my openssl configuration.
you need the following in a proper section of your openssl.cnf
without this android will not accept your certificate.
my first self-signed ssl certificate with an ip address as cn worked on my
- oneplus one
- nvidia shield tablet
i got a replacement of the nvidia shield tablet. when i tried to import my first ssl certificate i got an error message.
in the discussion with bitfire i got the information that using an ip address as cn is not a good idea. information about this can be found:
http://tools.ietf.org/html/rfc6125#section-1.7.2 ("Identifiers other
than fully qualified DNS domain names").
i was not able to analyse in detail why this happen on my nvidia device. so i decided to give it a try with a fqdn as cn.
i also decided to use a complete new openssl.cnf made for my needs. instructions how to do this and more can be found here:
you will also see where to place the basicConstraints parameter in your conf file.
the only thing i have done different compared to that instruction was this command:
openssl ca -name ServerCA -in apache.req.pem -out apache.cert.pem
that did not work so i signed my certificate with my rootca instead.
after creating the new self-signed ssl certificate i reconfigured my android devices. all is working now as it should :-)