
I need to build a keystore with all the needed SSL certificates to make my Android app connect to a webserver via https.

This is my certificate chain (obtained with openssl s_client -connect www.myhost.com:443):

 0 s:/C=US/ST=State/L=Location/O=Organization/OU=Webserver Team/CN=www.myhost.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SGC CA - G2
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SGC CA - G2
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 3 s:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 4 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

My problem is that I'm not 100% sure about how to create the keystore to import in my Android application. I've only been able to download VeriSign Class 3 Public Primary Certification Authority - G5 and Thawte Primary Root CA from the Thawte and VeriSign websites. I can't find the other two, which, if I'm not wrong, should be Thawte SGC CA - G2 and thawte Extended Validation SSL CA.

If I had all of them, I would proceed to create a keystore with the procedure explained in this answer to a question similar to this one.

Am I misunderstanding something? Do I really need all the 4 certificates or not? I'm also not sure of the order (and the aliases) I should use when adding these certificates to the keystore. Does it matter?

Andrea Sprega

2 Answers

If your server cert is signed by VeriSign, you don't need to install it; it is most probably already trusted by Android. Are you getting an error? On what version?

Generally, you only need to have the root (CA) certificate installed in the device's trust store. All intermediate certificates should be sent by the server if properly configured.

Nikolay Elenkov

In the end, my problem was that the server was not sending the certificates in the right order (you can see it from the openssl output I posted in my question). The solution was to subclass X509TrustManager and, on method checkServerTrusted, just reorder the certificate chain before passing it to the super implementation. The reordering code is the following:

    import java.security.cert.X509Certificate;

    // Reorders the chain in place. certificates[0] is assumed to be the server (leaf)
    // certificate; each following entry is moved so that it is the issuer of the one before it.
    // The loop stops as soon as no issuer is found for the current certificate.
    private static void reorderChain(X509Certificate[] certificates) {
        int currIndex;
        for (currIndex = 0; currIndex < certificates.length; ++currIndex) {
            boolean foundNext = false;
            for (int nextIndex = currIndex + 1; nextIndex < certificates.length; ++nextIndex) {
                if (certificates[currIndex].getIssuerDN().equals(certificates[nextIndex].getSubjectDN())) {
                    foundNext = true;
                    // Exchange certificates so that 0 through currIndex + 1 are in proper order
                    if (nextIndex != currIndex + 1) {
                        X509Certificate tempCertificate = certificates[nextIndex];
                        certificates[nextIndex] = certificates[currIndex + 1];
                        certificates[currIndex + 1] = tempCertificate;
                    }
                    break;
                }
            }
            if (!foundNext) break;
        }
    }
Andrea Sprega
  • Newer versions of Android will handle that automatically, but 2.2 and older will choke if certificates are out of order. In any case, fix your server if possible, or report this to whoever controls it. – Nikolay Elenkov Jun 18 '12 at 12:28
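A complete trust manager along the lines of the second answer, added here as an example (not the asker's own code): it goes a step further than the snippet above by locating the leaf itself and walking issuer links, so it also copes with chains where the leaf is not sent first, and it hands the reordered chain to the platform's default X509TrustManager, which still performs every actual validation step. The class name ChainReorderingTrustManager is an assumption.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
// Delegates every trust decision to the platform's default X509TrustManager; only the chain order is fixed.
public final class ChainReorderingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public ChainReorderingTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null: the system trust store with the built-in CA roots
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = found;
    }
    // Leaf first, then each certificate whose subject is the previous one's issuer.
    static X509Certificate[] reorder(X509Certificate[] chain) {
        List<X509Certificate> rest = new ArrayList<>(Arrays.asList(chain));
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate cur = null;
        for (X509Certificate c : rest) {  // the leaf is the certificate that issued no other in the chain
            boolean issuedAnother = false;
            for (X509Certificate d : rest) {
                if (d != c && d.getIssuerX500Principal().equals(c.getSubjectX500Principal())) issuedAnother = true;
            }
            if (!issuedAnother) { cur = c; break; }
        }
        while (cur != null) {  // follow issuer links toward the root
            ordered.add(cur);
            rest.remove(cur);
            X509Certificate next = null;
            for (X509Certificate c : rest) {
                if (c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) { next = c; break; }
            }
            cur = next;
        }
        ordered.addAll(rest);  // unrelated leftovers stay in the chain so the delegate still sees and judges them
        return ordered.toArray(new X509Certificate[0]);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(reorder(chain), authType);  // the real validation still happens here
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Install it with SSLContext.init(null, new TrustManager[]{ new ChainReorderingTrustManager() }, null); because nothing is accepted without the delegate's verdict, a chain that cannot be ordered into a path to a trusted root is still rejected exactly as before.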