I'm trying make mutual autentification using Tomcat and Android. I did everything as stated on Created self signed certificates
How I install this certificates in Tomcat and Android application and test between connection?
The first step is creating the self signed certificates which you did following creating self signed certificates.
Next the certificates need to be set up in Tomcat
The interaction between Tomcat and Android has been answered here.
Related
I'm working with a liferay application that is hosted on a machine at 192.168.1.50:8443 with a self signed certificate (keystore was added to tomcat).
I now want to connect the API to an android app. This connection works in production, but I can't make it work in my local environment, even after accepting the certificate in chrome, and installing it to the android device, it is detected but gives me this error:
SSLPeerUnverifiedException: Hostname 192.168.1.50 not verified
But then it prints out the certificate being used and shows CN:192.168.1.50 and every parameter exactly as I set it. Can anyone give me some pointers of where to go from here? I have already tried everything I can find including injecting customized socket factories, hostname verifiers and SSL contexts.
Any help is appreciated, even if it is a way to trust all certificates I'll take it, I don't care about security, I just need this for development.
I need to do this thing:
communicate using ssl from android terminal to a server;
each android client has its own certificate (we can say mutual authentication);
the ssl certificate must not be in the application (each person install his certificate on his phone).
How can I do it?
Obviously point 1) alone is easy (I build a keystore/truststore as explained in stackoverflow). The problem is in point 3).
Thanks,
Mario
If you are targeting Android 4.0 (ICS), you can use the system key store via the KeyChain API. For other versions, users need save their keystore somewhere (on the SD card/external storage, etc.) and let your app know where to find it.
How can I get the PrivateKey from a Windows-MY (MSCAPI) Certificate (marked as not exportable) to use it for the HTTPS Connection to authentificate the Client.
Thanks
I ended up having to use Java Web Start to wrap my application. It handles the SSL context stuff including prompting the user for the certificate. I attempted at first to get the private key through SunMSCAPI but the private key became corrupt every time.
Java web start was my solution. Your JAR's need to be signed to run under JWS. Your application will be launched via a JNLP file. Google JWS JNLP example for an example. It's pretty easy.
I have a web application that downloads a jar file from the web server using java web start. The jar is signed using J2SE security tool. However, I get the security warning "The application digital signature cannot be verified. Do you want to run the application?"
Am I missing something that is causing this??
If it is self-signed you also need to add the certificate into windows certificate store.
If you use a Certificate Authority such as Verisign then you will not have the problem.
See here for an explanation (from Verisign) on why to sign from them.
I have a swing application deployed in HTTP Server. Users use the browser to point an URL and install the client using java webstart. Now I need to enable https access to my application deployed on HTTP server. I am using JDK 1.5 as default jdk supported in the jnlp file. For time being I use a self signed certificate to the sign the jars (by default created using Sun's jarsigner, keytool, etc, utils).
Solution/steps would be much appreciated.
Thanks in advance
Ramesh
As far as I understand your question you don't need to change anything to your code of the client. If you only want to give access to the JNLP via HTTPS you would only need to reconfigure the application server distributing the JNLP or if you have a webserver in front of the application server (as we do here: user - https -> apache -> AJP -> tomcat) you need to reconfigure the webserver to allow the access to the JNLP via HTTPS.
You need to enable HTTPS on the web server. To get the certificate you need to provide credentials and the host name of the server to a certificate authority (CA) like VeriSign or Thawte. They can provide you with a server certificate signed by their root certificate or some intermediate certificate. This certificate must then be imported into the web server to enable HTTPS over SSL. The web clients, like a browser or webstart will then verify the certificate chain when accessing the server.
If you use a self signed jar, all your users will be presented with a warning message about potentially unsafe code. To avoid this you should get a code signing certificate from a CA, which would be somewhat similar to the web server certificate. This CA-provided certificate can be imported into the keystore and used in the same way you use the self signed certificate. The code signing certificate will be signed by the CA so that the certificate chain can be verified by webstart.
What is the feature of https that you are hoping to leverage?
The signing/server authentication is done by code signing, though you are undermining this using a self-signed certificate.
Does your application code contain secrets that must be hidden from eavesdroppers?
As you say you "need to enable" there must be an underlying reason.
I believe that before you "need https" you need a proper code signing certificate. You might want to rephrase your question so that your underlying problem can be solved instead of the very specific question.