I can't get Android to trust my self-signed cert/CA. I tried the following in this video:

  1. Generate CA and cert for m.m with the script as shown (and below).
  2. Reload nginx with the new cert file (may not be necessary)
  3. Copy the CA to my local device
  4. Install the CA
  5. Confirm it is installed and 'trusted' under user certificates
  6. Try to go to m.m
  7. Cert is not trusted

I have read several guides that say I should be able to generate a CA, install/trust the CA on the device, then anything the CA signs should be trusted. I can get that to work on my macOS machines, but not Android or iOS (I have not tried Windows or Linux).

gen.sh:

```bash
#!/bin/bash
domain="m"
name="$1"

# Create the CA key and self-signed CA certificate once, reusing them afterwards
if [ ! -e "$domain".key ]; then
        openssl genrsa -des3 -out "$domain".key 10240
fi;
if [ ! -e "$domain".pem ]; then
        openssl req -x509 -new -nodes -key "$domain".key -sha256 -days 1825 -out "$domain".pem -subj "/C=US/ST=Tennessee/L=Chattanooga/O=CA Test/CN=Management/emailAddress=test@example.com"

fi;

# Create the server key and CSR (-p: do not fail if the directory already exists)
mkdir -p "$name"
openssl genrsa -out "$name/$name".key 8192
openssl req -new -key "$name/$name".key -out "$name/$name".csr -subj "/C=US/ST=Tennessee/L=Chattanooga/O=CA Test/CN=Management/emailAddress=test@example.com"

# Extension file for the server certificate
echo "authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
" >"$name/$name".ext

# Every argument (including the first) becomes a DNS entry in the SAN
i=1
for n in "$@"; do
  echo "DNS.$i = $n" | tee -a "$name/$name".ext
  i=$((i+1))
done

# Sign the CSR with the CA and copy the result to nginx
openssl x509 -req -in "$name/$name".csr -CA "$domain".pem -CAkey "$domain".key -CAcreateserial -out "$name/$name".crt -days 1825 -sha256 -extfile "$name/$name".ext
cp "$name/$name".{crt,key} /srv/docker/nginx/certs/
```
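
Added example (not part of the original question or of any answer): a diagnostic script that inspects a CA/leaf pair like the one gen.sh produces. gen.sh passes the same -subj string to the CA and to the server CSR, so the leaf's subject equals its issuer, which RFC 5280 calls self-issued; the script reports that along with SAN, CA-flag and chain checks. The function names, finding codes and the audit.sh file name are assumptions made for this example.

```bash
#!/bin/bash
# Added example: audit a CA/leaf pair before installing the CA on a device.
# Usage: ./audit.sh ca.pem leaf.crt hostname   (script and file names are assumptions)

# Print the certificate's "subject" or "issuer" DN in RFC 2253 form, label stripped.
dn() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# List SAN entries one per line, e.g. "DNS:m.m"; empty if there is no SAN.
san_entries() {
  openssl x509 -noout -text -in "$1" |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Emit one finding code per line; no output means every check passed.
cert_findings() {
  local ca="$1" leaf="$2" host="$3"
  # Subject equal to issuer makes the leaf "self-issued" (RFC 5280).
  if [ "$(dn subject "$leaf")" = "$(dn issuer "$leaf")" ]; then
    echo "SAME_SUBJECT"
  fi
  # The hostname must appear as an exact dNSName entry in the SAN.
  if ! san_entries "$leaf" | grep -qxF "DNS:$host"; then
    echo "SAN_MISSING"
  fi
  # The certificate installed on the device must be marked as a CA.
  if ! openssl x509 -noout -text -in "$ca" | grep -q 'CA:TRUE'; then
    echo "CA_NOT_CA"
  fi
  # The leaf's signature must chain to the CA file.
  if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
    echo "CHAIN_FAIL"
  fi
}

if [ "$#" -eq 3 ]; then
  cert_findings "$@"
fi
```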

1 Answer

TrustManager

You can trust a domain without using its certification. Just use TrustManager. If you use it properly Google Play Store won't have any problems with your app.

SimpleTrust is an easy way to trust specific domains with self-signed or not proper certifications.

Get it from JitPack and implement it into your dependencies.

1. Add JitPack to your root build.gradle

```groovy
allprojects {
    repositories {
        ...
        maven { url 'https://jitpack.io' }
    }
}
```

2. Add the dependency

```groovy
dependencies {
        implementation 'com.github.m-devs:SimpleTrust:1.0.0'
}
```

3. Load it in the class where you want to use it.

```java
SimpleTrust simpleTrust = new SimpleTrust();
simpleTrust.addTrusted("your-trusted-domain.com");
simpleTrust.load();
```

4. Reset your settings after you used it.

```java
...
simpleTrust.reset();
```

For alternative usages and more detailed guideline check out this Guide file on GitHub.

  • That probably works if I'm writing an app, I should have been more clear; I'm trying to get browsers (like Google Chrome) to accept the self-signed cert, not an app I'm writing to accept the cert. – unixnerd777 Jul 29 '18 at 01:28