experiences with (working :-) ) self-signed ssl certificates



  • hi community,

    these are my experiences with importing self-signed certificates to android with cadroid.

    my first try with a self-signed ssl certificate was with an ip address as cn instead of a fqdn.
    i used the information of the following urls.
    creating a self-signed ssl certificate (german language):
    https://thomas-leister.de/internet/eine-eigene-openssl-ca-erstellen-und-zertifikate-ausstellen/

    analysing an ssl certificate:
    http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority

    within my first tries i recognized that i have to modify my openssl configuration.
    you need the following in a proper section of your openssl.cnf
    basicConstraints=CA:TRUE
    without this android will not accept your certificate.

    my first self-signed ssl certificate with an ip address as cn worked on my

    • oneplus one
    • nvidia shield tablet

    i got a replacement for the nvidia shield tablet. when i tried to import my first ssl certificate i got an error message.

    in the discussion with bitfire i got the information that using an ip address as cn is not a good idea. information about this can be found:
    http://stackoverflow.com/a/11710762
    http://tools.ietf.org/html/rfc6125#section-1.7.2 ("Identifiers other than fully qualified DNS domain names").

    i was not able to analyse in detail why this happens on my nvidia device. so i decided to give it a try with a fqdn as cn.

    i also decided to use a completely new openssl.cnf made for my needs. instructions on how to do this and more can be found here:
    http://fra.nksteidl.de/Erinnerungen/OpenSSL.php
    you will also see where to place the basicConstraints parameter in your conf file.

    the only thing i have done differently compared to that instruction was this command:
    openssl ca -name ServerCA -in apache.req.pem -out apache.cert.pem
    that did not work so i signed my certificate with my rootca instead.

    after creating the new self-signed ssl certificate i reconfigured my android devices. all is working now as it should :-)

    enjoy

    --mansur
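
The setup described in the post, as an added example that is not part of the original post: a root certificate carrying basicConstraints=CA:TRUE and a server certificate with an FQDN as CN, signed directly by that root, followed by checks of the result. The file names, "Example Root CA" and dav.example.test are constructed placeholders, signing uses `openssl x509 -req` rather than `openssl ca`, and the subjectAltName entry is an addition the post does not mention.

```sh
#!/bin/sh
# Added example. File names, "Example Root CA" and dav.example.test are constructed placeholders.
set -e

# Create a root CA (CA:TRUE) and a server certificate for FQDN $2 in directory $1.
make_pki() {
    dir=$1; fqdn=$2
    cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # Self-signed root certificate carrying the v3_ca extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$dir/rootca.key.pem" -out "$dir/rootca.cert.pem" 2>/dev/null
    # Key and signing request for the server, with the FQDN as CN.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/pki.cnf" -subj "/CN=$fqdn" \
        -keyout "$dir/server.key.pem" -out "$dir/server.req.pem" 2>/dev/null
    # Sign the request directly with the root CA.
    openssl x509 -req -in "$dir/server.req.pem" -days 365 \
        -CA "$dir/rootca.cert.pem" -CAkey "$dir/rootca.key.pem" \
        -CAserial "$dir/rootca.srl" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.cert.pem" 2>/dev/null
}

# Checks on the generated certificates.
is_ca()       { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
has_dns_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
chain_ok()    { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

workdir=$(mktemp -d)
make_pki "$workdir" dav.example.test
is_ca "$workdir/rootca.cert.pem" && echo "root: CA:TRUE present"
has_dns_san "$workdir/server.cert.pem" dav.example.test && echo "server: FQDN in SAN"
chain_ok "$workdir/rootca.cert.pem" "$workdir/server.cert.pem" && echo "chain verifies"
```

The root certificate (rootca.cert.pem) is the file that carries CA:TRUE; the private keys stay on the machine that generated them.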

