Certificate trust issue on Skype for business App sdk - skype-for-business

When I am accessing a meeting URI using the GuestmeetingJoin sample app, I am getting the following error.
SfbCertificateTrustEngine: Certificate NOT trusted by the standard OS trust manager: X509CertificateInfo
How can I make the library trust the certificate? What makes the app SDK trust our certificate? The certificate issued by our CA is not leading to a publicly trusted entity. But we want to try it for a proof of concept for now. I am trying this on Android.

This is not a programming problem but a device setup problem.
The device must have the root certificate (and intermediate certificates) installed into the device's trusted root certificates list.
If your SfB uses a self-signed certificate (which would be my guess) then you need to get and install this self-signed certificate onto the device. How this is done may be different for different devices (PC, Mac, iPhone, iPad, Android, etc.). See this question on how to install a certificate onto an Android device.

Related

Is it possible to run an IIS Express instance with a recognised SSL certificate?

I'm having an issue with my development where I am trying to implement OAuth authentication in my app. In order to get this to work I have to set up my .net core app to run with SSL certificates. These certificates are generated automatically and trusted, so far so good.
The issue arises where I try to use a phone client on these sites. Obviously the device doesn't have the certificate installed, and installing the certificate on the device makes little difference (the certificate provided by the dotnet tool doesn't have a CA attribute or something? So I can't physically trust the certificate on an iOS device).
From where I'm standing, it would make more sense to just use a Let's Encrypt SSL certificate on IIS Express, have the certificate provided by a recognised authority, but it seems that I can't do that for localhost. I think this is because the Let's Encrypt ACME bot can't connect to my local development instance which makes sense.
Is there any way to have a recognised development certificate (when I say recognised, I mean something like Let's Encrypt) in use for IIS express or local development? Or do I have to use a self signed certificate and find some way to install them on my testing devices?
Thanks.
I think you need 2 steps to achieve it.
Configure your IIS Express to use a custom domain name rather than localhost. This custom domain name is the one that you have SSL certificate for. Check here for how to do it.
Bind the Let's Encrypt certificate to IIS Express. This blog post uses a self signed cert, but in theory it should also work for Let's Encrypt cert.

Device authentication using self signed certificate

I am looking for device authentication where:
1. I want to make sure that all calls to my web service\Website (hosted on Google App Engine) are coming from an authorized device only, using a device certificate.
2. Each device will have a unique certificate that cannot be transferred to other devices.
3. A device certificate can be revoked anytime.
To achieve the above, I am planning to have another service which would issue certificates to devices which are approved to use my service. I will issue the certificate via email to the user, where he will install it manually. My users will use a browser to access my service.
But I am not sure how I would achieve points 2 and 3.
Can you please guide as to how to achieve this using a self signed certificate?
I want to make sure that all calls to my web service\Website (hosted on Google App Engine) are coming from an authorized device only, using a device certificate.
You can use an SSL channel with client authentication, or add a digital signature to your messages.
Each device will have a unique certificate that cannot be transferred to other devices.
It is not possible to ensure this using software certificates. If you distribute them by email, the user could install them on several devices.
You could use a hardware token (NFC/Bluetooth) or preinstall the certificate in the Android/iOS KeyChain so it would not be extractable, but this complicates the distribution very much.
A device certificate can be revoked anytime.
Check revocation at server side before accepting a request from a client. There are standard protocols to do this (OCSP, CRL), or use a custom mechanism since you issue them yourself.

Is it ok with self-signed ssl certificate for mobile apps?

I was thinking, since I control the app and what site it points to (and since I of course control the server as well), is it a security issue if the SSL certificate is self-signed? The entire point of having a verified certificate is so people know that you are who you say you are, right? When I control who people are talking to anyway, what use is it to have a verified certificate?

Worklight: Cannot access the WL server over https where CA certificate is set up

Recently, my Test Worklight server has been configured and secured via the https protocol and SSL setup (a CA certificate was added).
However, my mobile app cannot connect to the WL server now and gets an error. Before, it could connect to the WL server normally with the http protocol.
I did some tests (examples for Auto Provisioning and Custom Provisioning - module_25_0_CustomDeviceProvisioningCustomProvAppAndroid) based on the Device_Provisioning_concepts.pdf document, but they didn't work on the Test env.
I think it should be that some settings were not configured successfully, so that the WL server didn't issue the certificate to the mobile app. I am not sure.
Any idea?
Information:
WL version: 5.0.6.1, Enterprise Version;
The App Center mobile application was not installed first; MyApp was just installed via the web URL of App Center;
Hybrid application
[ERROR] [https://serverhost:9443/demo/apps/services/api/AuthDemo/iphone/query] Host is not responsive.
As Anton said, the certificate is not being trusted by the mobile device. The reason you get a 'Host is not responsive' error is because the SSL handshake failed because the device did not trust the server's certificate, so an HTTPS connection was never created, and it interprets it as if it did not find the server, because the SSL handshake occurs at a lower level than HTTP, and it cannot distinguish between both cases. If you want to see the SSL errors, you will have to use a program like Wireshark or Charles to look at the network traffic.
If you want to use this untrusted CA certificate, you will have to manually import the CA certificate to the device's trusted certificate store so that the device trusts it. This varies from platform to platform. For example, on Android and iOS, you can email the certificate to the device (it has to be in .crt format), and then when you open it, the device will let you import the certificate. After manually trusting the certificate, the application should work.
Try to open the Worklight console from your device's browser. Most probably it will notify you about an invalid certificate (popup and/or icon in the address bar). In case it does, the certificate you've purchased is not trusted by mobile phones. You should ask the CA for a certificate trusted by Apple/Google browsers.

If I use an SSL certificate for my iOS or Android app to communicate with my server, can I use any CA?

If I use SSL for my app to communicate with my server, can I use any SSL certificate, like those issued by GoDaddy? I understand the reason people buy Verisign certificates (which are terribly expensive) is that they are supported by all browsers. But if I have no browser component, and the communication is between my app and my services, can I go for a cheaper one?
How SSL works
The goal of SSL certificates is to ensure no man in the middle is eavesdropping on your encrypted communication. When your app is connecting to your server, your server therefore presents a certificate which tells that the used encryption key really belongs to your server. This certificate is cryptographically signed by a trusted party, such that the man in the middle cannot forge such a certificate. Your app has to know the cryptographic key of the trusted party in advance to verify this signature.
Use GoDaddy certificates
You can use any certificate made by a trusted party which is known by your app. If you include the GoDaddy cryptographic key (called root certificate) in your app you can use GoDaddy certificates.
Use your own zero cost certificate
For you and your app, you yourself can be a trusted party for certificate signing. You can use your own self-generated certificate without paying anyone for it. You only need to include your own certificate in your app. You can find a tutorial on how to generate a self-signed certificate at http://www.akadia.com/services/ssh_test_certificate.html .
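
The trust decision these answers describe, reproduced with the openssl CLI as an added example (not part of the original posts): a certificate issued by a private CA is rejected by a client that only consults the OS trust store, is accepted once the client is given that CA's root certificate, and is still rejected for a host name it was not issued for. The CA name, the host name `sfb.example.test` and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example; CA name, host name and file names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=sfb.example.test

make_pki() {
    # Own minimal config, so nothing depends on the system openssl.cnf.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Private root CA: self-signed and marked CA:TRUE. Only ca.crt is given to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -extensions v3_ca -subj "/CN=PoC Private Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Server key and CSR; the CA then signs it with a SAN for the host name.
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -days 30 -extfile "$WORK/san.ext" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Client that trusts only the bundled private CA. $1 = host it intends to reach.
trusts_with_bundled_ca() {
    openssl verify -no-CApath -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}
# Client that relies on the OS default trust store, which lacks the private CA.
trusts_with_os_store() {
    openssl verify -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_pki
trusts_with_bundled_ca "$HOST" && echo "bundled CA: trusted"
trusts_with_os_store "$HOST" || echo "OS store only: NOT trusted"
trusts_with_bundled_ca "other.example.test" || echo "wrong host name: rejected"
```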