Making web site certificate work for Android

2011-11-16
I installed a web site certificate called GeoTrust QuickSSL from http://cheapssls.com on a site of mine. That wasn't too hard, I think. Everything looked fine when I tested it in my desktop browsers. However, inside the Android emulator (version 2.1 and others), and also on my newest Android device (running 2.3.5), I got a warning that the certificate wasn't trusted.

Turns out I had some more learning to do regarding SSL and certificates. At first I thought that maybe the root certificate for this GeoTrust QuickSSL simply wasn't available on Android; the sites explaining mobile browser support are pretty vague about where it will work. However, that was not the case. It was actually not that hard to fix once I found the correct information. The online chat support at CheapSSLs pointed me in the right direction, although it took some further investigation.

The solution

Two certificates need to be appended for older Android versions like 2.1: the GeoTrust intermediate certificate and the GeoTrust CA certificate. (The intermediate alone was sufficient for my newest version, 2.3.5.)

Both are PEM-encoded plain text that can be added to the end of your current web site certificate file, probably named ".pem" or ".crt". The order matters: your own certificate first, then the intermediate, then the CA certificate. The GeoTrust intermediate certificate data (at the time of writing) is:

-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

The GeoTrust CA certificate data (at the time of writing) is:

-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

(Reference)

So now your pem or crt file should have three certificate sections in it: your site certificate, the intermediate, and the CA certificate, in that order. You need to reload your web server configuration to pick up the new certificate (for nginx, the file named by ssl_certificate is read at reload time). I'm sure this can be applied to other certificate authorities too, just with other data that you'll have to find for yourself.
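The bundle assembly above is easy to get subtly wrong (a bundle passed in as the "site certificate", or the root placed before the intermediate), so here is a small script that builds it and checks the result. This is an added example, not code from the original post; the file names site.crt, intermediate.crt, root.crt and site.chain.crt are assumptions.

```python
"""Assemble a server certificate bundle in the order nginx and Android expect.

Added example, not the post author's code.  Assumed file names: site.crt
(the leaf certificate), intermediate.crt, root.crt; output site.chain.crt.
"""
import re
from pathlib import Path

# One PEM certificate block, BEGIN through END, tolerant of CRLF line endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return the certificate blocks found in PEM text, in file order, LF-normalised."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK.finditer(text)]


def build_bundle(leaf, *issuers):
    """Concatenate the leaf followed by its issuers (intermediate first, root last).

    Each argument is the PEM text of one file.  A file holding anything other
    than exactly one certificate raises, so a bundle mistakenly passed as the
    leaf is caught instead of being silently duplicated into the output.
    """
    parts = []
    labelled = [("leaf", leaf)] + [("issuer %d" % i, t) for i, t in enumerate(issuers, 1)]
    for name, text in labelled:
        blocks = pem_blocks(text)
        if len(blocks) != 1:
            raise ValueError("%s must contain exactly one certificate, found %d" % (name, len(blocks)))
        parts.append(blocks[0])
    return "\n".join(parts) + "\n"


def check_bundle(bundle, leaf):
    """Return (certificate count, whether the first block is the leaf) for a bundle."""
    blocks = pem_blocks(bundle)
    return len(blocks), bool(blocks) and blocks[0] == pem_blocks(leaf)[0]


def write_bundle(out_path, leaf_path, *issuer_paths):
    """Read the PEM files, write the bundle, and return check_bundle() on it."""
    texts = [Path(p).read_text() for p in (leaf_path, *issuer_paths)]
    bundle = build_bundle(*texts)
    Path(out_path).write_text(bundle)
    return check_bundle(bundle, texts[0])


if __name__ == "__main__":
    # Hypothetical file names; point ssl_certificate in nginx at the output.
    print(write_bundle("site.chain.crt", "site.crt", "intermediate.crt", "root.crt"))
```

After writing the bundle, point nginx's ssl_certificate directive at site.chain.crt and reload. The script only checks count and order; to confirm the chain actually validates, run openssl verify -CAfile root.crt -untrusted intermediate.crt site.crt, and after the reload openssl s_client -connect yourhost:443 -showcerts shows exactly which certificates the server now sends.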

Background

Evidently, desktop browsers can find and download a missing intermediate certificate on their own (typically from the issuer URL embedded in the certificate, or from intermediates they have cached from earlier visits), so it worked there from the start. I don't know what the status of this issue is on iOS or other devices.

If I look at the properties of my web site certificate when I visit the site in a desktop browser, I can clearly see that there are two parents to my certificate, the first one being the "intermediate" certificate. Since Android doesn't seem to find them any other way, they need to be added to the web site certificate as per the solution above.

This tool also helped me verify what I was missing from the start: http://www.sslshopper.com/ssl-checker.html

For the GeoTrust CA certificate (the root, the parent of the intermediate certificate), it seems it was changed on 2010-12-09, which I guess is the reason why it was already available on Android 2.3.5 but not on 2.1 (at least not in the emulator). However, the new CA certificate can in its turn be chained to the "Equifax Secure Certificate Authority Root CA", which IS available on older Android versions like 2.1, and therefore it will work if you just add it to the end of your other two certificates. This is the cross-signing pattern: the same CA key is certified both by itself (as a root) and by an older root, so a client that lacks the newer root can still build a path to the older one it already trusts. At least, this is how I assume it can be explained.

So now I can visit my site over https without getting any warnings on either Android 2.3.5 or Android 2.1. And more importantly, my visitors can too! Happy days.

But no SNI, so no multiple certificates on the same IP

Well, still not perfect, unfortunately. On my nginx box I have managed to install multiple certificates for the same IP address. I only have one single IP address on that virtual server (for the time being anyway). It has worked fine with desktop browsers, but while investigating the issue above, I also came across information about how this actually works, and why it doesn't work on Android until version 4.0, of which we have no devices yet (at the time of writing).

This works thanks to an extension called Server Name Indication, explained here: http://en.wikipedia.org/wiki/Server_Name_Indication. It makes it possible for the browser to send the server name (the host name / domain name of the site) in its very first TLS message, the ClientHello, before any encryption is in place and therefore before the server has to choose which certificate to present. That is what lets the web server distinguish between sites and certificates on the same server and IP.

The bad news is that SNI has been slow to be incorporated into the Android OS and is simply not available on versions older than 4.0. At least it should be included in version 4.0 now.

What happens when a pre-4.0 Android browser connects to the server is that, with no host name in the ClientHello, the server can only send its default certificate for that IP and port (in nginx, the first server block listening on it, or the one marked default_server). So it will still work for that one https site, but for the others the user will get a warning that the certificate doesn't match the domain name.
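To make the mechanism concrete, here is an added example (not part of the original post) that builds a minimal TLS ClientHello with and without the SNI extension, extracts the host name the way a server or a passive network monitor would, and mimics the certificate choice a server can make in each case. The host names and certificate labels in it are constructed placeholders.

```python
"""Build a TLS ClientHello with or without SNI and pull the host name back out.

Added example, not the post author's code.  The record layout follows the TLS
1.2 ClientHello and the server_name extension (type 0, name_type 0 = host_name).
"""
import os
import struct

SNI_EXT_TYPE = 0x0000
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name=None, cipher_suites=(0x002F, 0x0035)):
    """Return a TLS record holding a ClientHello.

    With server_name the hello carries an SNI extension (what an SNI-capable
    browser sends); with None it carries no extensions at all (the pre-SNI case).
    """
    body = b"\x03\x03" + os.urandom(32)          # client_version, random
    body += b"\x00"                                # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry       # ServerNameList
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext             # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent.

    Everything parsed here is in the clear: the name is readable by the server
    (to pick a certificate) and by anyone on the path.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("idna")
    return None


def pick_certificate(record, certs_by_name, default_name):
    """Mimic the server: use the SNI name's certificate if known, else the default."""
    name = extract_sni(record)
    if name in certs_by_name:
        return name, certs_by_name[name]
    return default_name, certs_by_name[default_name]
```

Feeding a real ClientHello captured from the wire into extract_sni works the same way, which is why SNI is also useful on the monitoring side: it is the one place a plaintext host name appears in an otherwise encrypted session.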


One Response to “Making web site certificate work for Android”

  1. Cool! I was having the same problem as yours. I was actually coding something on Android when I noticed that WebView won't load the https version of my site. I thought disabling the certificate check was the only option until I found your site. Thank you


Twitter: @mikeplate