I'm working on a demo in Worklight version 6.0 where I need to use SSL from iOS and Android to the Worklight Server.
Is there any way to use a self-signed or test certificate in the Worklight server? Or do I need to buy a certificate from one of the standard CAs even for test/demo?
I've seen references to how to import my certificate in the Android system trust store, and that looks promising, but I'm not seeing anything equivalent for iOS. There are a number of native code workarounds (which net out to disabling SSL certificate verification altogether) along with much discussion about which solution works/doesn't work (and no discussion of what still works on iOS 7 that I can find).
Is importing the certificate into the Android system truststore the best approach for development?
Is there a simple solution for iOS that allows for self-signed or test certificate that doesn't disable certificate checking entirely?
OK. I didn't find a general purpose answer, or a way to accept a particular certificate, but on iOS and Android, it is possible to disable client side certificate validation for development and test.
In Android, the default Manifest is already configured to ignore certificate validation. By default, the Application element in AndroidManifest.xml has an attribute:
android:debuggable="true"
With this setting, the client does not validate the SSL certificate presented by the server. So on Android, self-signed certs just work by default. The important thing to keep in mind is that when you move from development to production, it is important to set this attribute to false. When the attribute is set to false, the client validates the cert presented by the server, and so you will need a real signed cert for the production server. (makes sense)
In iOS, there are several proposed solutions, The one I'm using is to add the following to the end of my < App Name >.m file:
#implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
return YES;
}
#end
From what I gather, this is a unpublished API, and overriding it is bad form, but it works, and this is only for development, so I'm going with it.
I suppose I could be clever, and check for the hostname of my Worklight Server before blindly returning YES, but in any case, the addition of the code above does allow my app to use SSL with a self signed cert at the worklight server.
Both of these "solutions" need to be removed before the app is put into production, as they leave the app vulnerable to a man-in-the-middle attack. But for development/early test/demo they allow SSL without having to get real signed certificates.
There is a very easy way to use certificates not signed by a known CA for development and test purposes.
Note that this support does not come from Worklight. It is really up to each mobile platform to allow you to establish trust for these type of certificates or not. The recommendations given by David above, are really just workarounds to disable SSL validation, which could be a valid alternative in some cases. However, the android:debuggable flag will only get you so far as it doesn't cover certain scenarios like when directUpdate is enabled. Plus disabling all forms of SSL validation, may not be what you really want even in dev/test environments.
Here is what you can do:
First understand that pure self signed certificates won't work on iOS and Android, just because the platforms themselves do not allow you to install these type of certificates into their truststores.
Use self signed CA certificates instead. These are just as easy to create. They are the same as self signed certs except that they have the CA bit enabled to TRUE.
Beware, that self signed certs generated by some tools do not usually create certificates that are also CAs. Ensure your self signed cert is a CA as well.
OpenSSL example on how to create a self signed CA cert:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Ensure the certificate.crt file is X.509 version 3, and has the following extension defined: basicConstraints = CA:TRUE
You can check the certificate.crt file by running the following command:
openssl x509 -in certificate.crt -text -noout
Use this certificate as your server certificate.
On iOS, e-mail your certificate.crt file or host the file on a web browser where you can manually click on it to install it. (Don't install it directly from the hosting WL server, as this only imports it into the browser space and not the device.)
Check that it gets installed by looking under Settings->General->Profiles->Configuration Profiles
Ensure iOS recognizes it and marks is as 'trusted'
On Android you can install the certificate.crt in the Android CA Store. The certificate.crt can be placed in /sdcard, and can be installed from Settings > Security > Install certificate from SD card. The certificate can also be opened by sending it as an email attachment or downloading via browser as in step 7 above. Android asks for an alias for the certificate, choose any name.
Check that it gets installed by looking under Settings -> Security -> Trusted Credentials ->User
Yes, you can achieve this by doing the following:
Create a self signed certificate that will act as a certificate authority.
Install this certificate on the iOS device (easiest way for me to do this was to host the certificate on a server and visit the link in safari and then download it). The iOS device will now trust any a server with a certificate that has been signed by this certificate authority
Create a new certificate that is signed by the certificate authority you created in step 1.
Use this newly signed certificate on your Worklight server
Currently Worklight App not work with a self-signed certificate. It is intended to be used in production, therefore it will only accept a valid CA cert.
Related
I need to know the proper way to setup the MobileFirst Application Center to use SSL (due to the requirement for supporting iOS v9 devices).
MobileFirst is v7.1 running on WebSphere Application Server ND v8.5.5.0.
I have reviewed the instructions from here:
https://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.installconfig.doc/appcenter/c_ac_ssl_config.html
I was then navigated to here:
https://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.installconfig.doc/admin/c_ssl_config.html%23c_ssl_config?lang=en
As advised, I created a self-signed certificate, like so:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca
The above two pages imply that all I need to do is to create a self-signed CA certificate and upload it to the AppCenter console.
Whilst this will allow the App Center Client to distribute the certificate for installation on the devices, I do not see how the "server-side" should be setup?
On the first link above, there is a sub-link to 'setting up SSL for WAS Full Profile', but, those instructions are for using a "proper" certificate and not a self-signed CA certificate.
Am I missing something obvious here? Creating the self-signed CA certificate and distributing it to the client device seems like only 1/2 a job. I don't understand how, when using the Application Center Client, I enter the [user/pwd hostname/9443/applicationcenter] details and it will connect and authenticate using SSL to the Application Center.
Are there any straight forward instructions (or advice) that explain what the proper process is to setup Application Center for SSL to allow for iOS v9 devices to securely connect to the Application Center?
WAS does not care if the certificate you are using is self-signed or not. So the instructions in the first link you referenced are still applicable (except that, if you already have this certificate, you don't need to create a certificate signing request, so step #1 in the doc isn't necessary).
There is a blog post here that discusses how to configure your server to work with iOS 9 App Transport Security. This is not specific to Application Center.
I created self signed certificate and is being used in my express project. The problem is when I do
curl https://<domain>
doesn't and only works with -k option, it doesn't use the certificate to encrypt its content. I don't see how that is effective since that is similar to http itself.
Also from what I understand in CA signing request is that browsers like chrome they are preinstalled with the information trusted CAs in the web such as Verisign. So how does curl work in this way, does it also know before hand like in chrome regarding who are the trusted CAs?
Also in my project the app communicates with the ec2 machine does it need client side certificate for https ?
Yes, curl has a pointer to a list of trusted Certificate Authority keys. You can override it with the --capath flag.
After changing ssl certificate authority from Thawte to DigiCert.
SSL certificate installation issue.
After installing new DigiCert ssl certificate in our server. It is still referring to old Thawte ssl certificate even though we removed old certificate from the server.
Looks like you have another vhost file using the old certificate , please remove that from your . Also make sure you properly restart apache after adding the new certificate .
To check your installation you can use the tool below
Thawte certificate checker
To see what certificate you are using, you can use the following tool Tool
This tool will allow you to check what certificate is installed on your server. Then, you can use the utility tool utility tool
You will be able to see all of the certs from your local machine or server. If you don't see the certificate there, you can import your certificate with that tool. If the utility tool mentions that your private key doesn't match, you will have to recreate the CSR with the utility tool and you will have to reissue your cert. If you reissue your cert, you will not invalidate the original request.
During SSL handshake, the browser downloads any intermediate certificate from the host web server using the URL provided if needed. I believe browser comes with the pre-installed certificates from public CAs having only the public key of the root certificate.
1) When calling a https url using a standalone java program [https://xyz.com ..which is using Verisign certificate], i do not need to add that Certificate to any truststore since its root public is already available in jdk's cacerts truststore file. Is this correct statement?
2) When i run the same program from application server, it requires to add all the intermediate certificate to server truststore individually. Why this works in different way.
If the trust chain for the servers certificate is: root-intermediate#1-intermediate#2-server and the client (browser) has root as trusted CA in its CA store, it needs a way to verify the servers certificate by checking the complete chain up to the root. And because the client usually has no knowledge of the intermediate CAs the server needs to provide them.
Sometimes it seems to work w/o providing these intermediate CAs. First, the browsers usually cache the intermediate CAs they got and thus if intermediate#2 is the same as already seen by another server the verification will succeed, but only for the clients who visited the other server before :(
Another way is to provide a URL inside a certificate, where the issuer certificate can be downloaded, e.g. server could provide a link to the certificate for intermediate#2, intermediate#2 could provide a link to intermediate#1. In this case the client could download the missing certificates. But, this features is not universally adopted, e.g. some browsers might provide it but SSL libraries outside of the browsers usually don't.
When generating a self-signed certificate using keytool, can I use an IP address for the Common Name?
Once I generated the certificate, I exported it so I can install it in my clients/browsers. In Windows, I ran mmc.exe and added it as a Trusted Root Certificate Authority.
However, when I navigate to the IP address in my browser, it is still an untrusted connection. I ensured Tomcat had all the correct Connector settings.
Am I doing this correctly? do I need to be my own CA? How can I use SSL for development purposes? I'm still trying to understand SSL completely.
First question: if you'll be connecting by IP, then yes.
Second question: No, you don't install your self-signed certificate as CA, you just add exception when your browser warns you that it's self-signed.
You can set up CA — you generate root certificate first, install it in the client, and then generate CSR and then server certificate from it (see e.g. this), but for development purposes this is a complete waste of time.