h-mdm/hmdm-server

Feature Request: Root CA certificate import

m-pastuszek opened this issue · 8 comments

Hi!

Is it possible to add a function to import a CA certificate into the Android Cert Store?
It would be best for self-signed certificates used on internal SSL websites.

For now, Android requires a screen lock to import a certificate, and renewing would also be easier.

h-mdm commented

Certificates can be embedded in the launcher code.

To embed certificates into Headwind MDM launcher, you need to do the following:

  1. Place the certificate files (PEM) into the app/src/main/assets directory
  2. Fill the "certificates" string array in the app/src/main/res/values/strings.xml

Note that downloading certificates from some URL is not safe so it's not done that way.

@h-mdm, I've just used the new certificate embedding and it works fine, but I have a problem with opening websites in Kiosk Browser with self-signed certificates. It's just showing a blank page.

In Logcat, there's this info:
Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Chrome opens this website correctly as trusted. Can I do something with this?

h-mdm commented

I guess you can't use just a single self-signed certificate, but you need a chain of at least two certificates, so the "root" certificate is embedded as trusted, and a second one is used by a website.

So why does Chrome open it correctly?
I've embedded the root certificate, so in my opinion it should work.

Hierarchy:
rootca

h-mdm commented

If Chrome trusts the certificate, other web clients should trust it as well. Probably the Android component WebViewClient has a bug and doesn't trust the certificates registered by an MDM app.

Anyway, you can rebuild the kiosk browser and ignore the SSL error: https://stackoverflow.com/questions/33825696/android-error-in-webview-loadurl-trust-anchor-for-certification-path-not-fou
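The check behind the "Trust anchor for certification path not found" error, and the difference between a bare self-signed certificate and a chain whose root is embedded as trusted, as an added stand-alone example (not Headwind MDM or Kiosk Browser code): it issues a constructed root CA and a server certificate signed by it, then validates the server certificate against only the embedded PEM anchors, the way an app-supplied trust store would instead of ignoring the SSL error. The host name `intranet.example` and the certificate subjects are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// MakeCert issues a test certificate for cn (constructed here, not a real one). With
// parent == nil it is self-signed and stands in for the internal root CA.
func MakeCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // hostname must be in the SAN; CN alone is ignored
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced above is always parsable
	return cert, key
}

// PEMOf renders a certificate as it would be stored as a file under app/src/main/assets.
func PEMOf(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// VerifyWithAnchors validates serverCert for host using only the embedded PEM anchors (files may be
// concatenated); nil means the chain reaches one, x509.UnknownAuthorityError is "trust anchor not found".
func VerifyWithAnchors(serverCert *x509.Certificate, host string, anchorsPEM []byte) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(anchorsPEM) // ignores non-certificate PEM blocks
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

With the root's PEM in the pool the server certificate validates; with an empty pool the same certificate fails with `UnknownAuthorityError`, which is the situation the Logcat message above describes.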

Yeah, I thought about rebuilding, but I couldn't find the repo of Kiosk Browser, which made me think it's private.

h-mdm commented

Please contact the technical support https://h-mdm.com/contact-us/

I've made the decision to leave it like it is. I mean, without SSL.
These websites are for internal use only, so HTTPS is not needed - there's much more to do and little profit :)