More about Android and PKI Certificates

I have been working with DoD PKI certificates for some time. On other mobile devices, there is a requirement for the DoD Root Certificates to be installed on the phone. These certificates are presented as .CER files, and the devices install them locally as trusted root certificates. The server that the device is trying to connect to then has a private SSL certificate which chains back up to the root that the device trusts. The device and server then create an SSL connection over port 443.

On Android devices, there is no capability to allow the installation of public .CER files into the local trusted certificate store. You can install a personal/private certificate (PCKS #12/.PFX), but this does not satisfy the situation described above where the connection is looking to match the public certificate root installed on the device with the private certificate installed on the server (and this certifitcate chains up to the root).

At this point, Android does not seem to require the public certificate to be installed on the device for Active Sync to work. Hopefully, that will change in the future.


About Tim Smeltzer
I am a husband, father, and technologist. While I am very much interested in almost all technology, my current area of specialty is secure mobile messaging. You will find me blogging from time to time on mobile technology - what I think is cool, what I think is not cool, and how to do things. Please be nice if you leave me comments. I am really trying to help!

9 Responses to More about Android and PKI Certificates

  1. Volo says:

    I’m trying to find some app for my HTC Desire (android 2.2) to work with corporate MS Communicator 2007 r2. I’ve tasted already AndrOCS, but couldn’t get connected to the server. Admins said that the problem is in PKI sert which needs to be installed on my phone. Is there any solutions?
    Thanks in advance:)

    • Tim Smeltzer says:

      I have an Evo with 2.3.3. I can now install .CER files natively as follows: Copy the .CER files to a microSD card. Insert the microSD card into the device and reboot. Once the device comes up, choose Settings, Security, and Install from SD Card. The .CER files on the microSD card should be displayed. Choose the cert to install. You may be asked for a password for certificate storage. This is the password for ALL certificate storage on your device, so make it something you will remember. Once you have entered and confirmed the password, the cert will install and disappear from the list of certs available to install. That is all there is to it. Hope that helps. Tim

  2. J.R. Riehle says:

    I have no issues connecting to the Exchange server with SSL – the cert is downloaded and individually trusted. I am concerned that there is no chain (intermediate and root) support for the cert and that none of the certs are checked for revocation – that I can tell. OCSP with fail-over would be wonderful.

    Also, native signing and encryption of e-mail is non-existent, unless third party apps are used and even those fail proper certificate support miserably.

    The real issue in our world is smartcard support for AD authentication and signing & decryption of e-mail. The authentication issues are critical to our infrastructure – even the Citrix Receiver does not support smartcards yet which denies all of the Android devices from connecting to our networks. User names and passwords are banned for AD authentication here, which means I am stuck with Blackberry and Windows Mobile 6.x devices only so far. Even Windows Phone 7 lacks certificate support now. Maybe Mango? So sad.

    • Tim Smeltzer says:

      James… I would be surprised if Mango supported PKI. Apriva SensaMail does leverage the CAC for device unlock, PIM data decryption, and full S/MIME (including full-path certificate checking and live certifiicate lookup from the GDS). But, it is a third-party app that requires a back-end server and a software install on the device (and is limited to WM 6.0 and 6.5). Good Technologies also has a software/server system that supports iPhone and WM 6.5 phones. I agree with you that the mobile device+PKI story is a sad one. Convenience has trumped security yet again.

  3. Guru says:

    Hi, I am trying to activate activesync on my samsung galaxy sII. My company requires me to have their PKI certificate installed on my phone to be compliant. I can access corporate emails through activesync when i am connected through company wifi but get an “authentication failed” message when accessing through mobile network. is it a certificate issue? if so does android 2.3.3 support PKI certificates now to be installed in root directory?

    • Tim Smeltzer says:

      I know that on my Evo with 2.3.3, I can install PKI root certificates from the microSD card. I detailed the “how” in another response to a comment on this same blog post. Please let me know if you can’t find it. Tim

  4. Pingback: Root CA's - Forum de telechargement et partage

  5. Chris says:

    Hi Tim,
    I have a requirement where I need to read a digital certificate from a usb dongle attached to an Android phone (.cer or .pfx) and then use that certificate for digital signature in the Android app. Any idea if this is possible? If yes, can you please give me a few pointers on how to go about this (i.e. the approach)?

    • Tim Smeltzer says:


      I would need to know a little more about your actual requirements. Android can handle certificates, as long as the application using the cert is written to address the local cert store (or in your case, and alternate certificate location). Are you trying to use the cert for authentication, or are you trying to use it for digital signature/encryption/decryption? There are some very good and capable third-party apps out there that handle certificates very well in both cases. I am hesitant to mention vendors on my blog, as it would seem to be a recommendation, but I would be happy to speak with you privately (via email) about this if you would like.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: