experiences with (working :-) ) self-signed ssl certificates

    hi community,

    these are my experiences with importing self-signed certificates to android with cadroid.

    my first try with a self-signed ssl certificate was with an ip address as cn instead of an fqdn.
    i used the information from the following urls.
    creating a self-signed ssl certificate (german language):

    analysing an ssl certificate:

    within my first tries i recognized that i had to modify my openssl configuration.
    you need the following in a proper section of your openssl.cnf.
    without this android will not accept your certificate.

    my first self-signed ssl certificate with an ip address as cn worked on my

    • oneplus one
    • nvidia shield tablet

    i got a replacement for the nvidia shield tablet. when i tried to import my first ssl certificate i got an error message.

    in the discussion with bitfire i got the information that using an ip address as cn is not a good idea. information about this can be found at:
    http://tools.ietf.org/html/rfc6125#section-1.7.2 ("Identifiers other
    than fully qualified DNS domain names").

    i was not able to analyse in detail why this happened on my nvidia device, so i decided to give it a try with an fqdn as cn.

    i also decided to use a completely new openssl.cnf made for my needs. instructions on how to do this and more can be found here:
    you will also see where to place the basicConstraints parameter in your conf file.

    the only thing i did differently compared to that instruction was this command:
    openssl ca -name ServerCA -in apache.req.pem -out apache.cert.pem
    that did not work, so i signed my certificate with my rootca instead.

    after creating the new self-signed ssl certificate i reconfigured my android devices. all is working now as it should 🙂
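The recipe the post describes (an FQDN rather than an IP address as CN, and a basicConstraints extension in openssl.cnf so Android accepts the self-signed certificate), as an added example that is not part of the original post or the poster's files. It writes a minimal openssl.cnf, creates the key and self-signed certificate in one step, and then runs the checks a practitioner would want before importing the file on a device. The hostname `nas.example.lan`, the file names and the validity period are assumptions; the section name `v3_self` is also just a name chosen here.

```shell
#!/bin/sh
# Added example: self-signed server certificate with an FQDN as CN and the
# basicConstraints extension the post says Android requires. Hostname,
# paths and validity are assumptions, not values from the post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-nas.example.lan}"     # assumed FQDN; never an IP literal here
CNF="$WORKDIR/selfsigned.cnf"
KEY="$WORKDIR/server.key.pem"
CERT="$WORKDIR/server.cert.pem"

# Minimal openssl.cnf. [ req ] points x509_extensions at [ v3_self ], which is
# where basicConstraints lives when "openssl req -x509" signs the request itself.
write_config() {
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_self

[ dn ]
CN = $HOST

[ v3_self ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = DNS:$HOST
EOF
}

# Key and self-signed certificate in one step (no CA database needed).
make_cert() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$KEY" -out "$CERT" -config "$CNF" 2>/dev/null
}

# Check 1: the basicConstraints extension is present and marks the cert as a CA.
has_basic_constraints() {
    openssl x509 -in "$CERT" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: the subject CN is a name, not a dotted-quad IP address (RFC 6125 1.7.2).
cn_is_not_ip() {
    cn=$(openssl x509 -in "$CERT" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    ! printf '%s' "$cn" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Check 3: the same FQDN also appears as a DNS subjectAltName, which modern
# clients match on instead of the CN.
has_dns_san() {
    openssl x509 -in "$CERT" -noout -text | grep -q "DNS:$HOST"
}

# Stand-alone run: build the certificate and report the three checks.
if [ "${1:-}" = "run" ]; then
    make_cert
    has_basic_constraints && echo "basicConstraints CA:TRUE: ok"
    cn_is_not_ip          && echo "CN is not an IP address: ok"
    has_dns_san           && echo "DNS SAN present: ok"
    echo "certificate written to $CERT"
fi
```

Run it as `sh selfsigned.sh run` (optionally with `HOST=myhost.example.lan`); the resulting `server.cert.pem` is the file to import on the device. The checks read the certificate back with `openssl x509 -text` rather than trusting the config, so a typo in the extension section is caught before the file ever reaches the phone.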