android: Why Client not sending ssl certificate when its not signed by the same CA as of Server

Question

I have two scenario for creating ssl connection with client verification ON.

1- My android client and server has certificate signed by same CA, Client verification at server is enabled. I load CA certificate in trustmanager keystore, and client key+cert+ca in keymanager keystore and pass this to ssl.init(keymanager, trustmanager). It works fine, both side exchange and verify each other certificates.

2- Now I have client and server certificate signed by different CAs, say server certificate signed by ServerCA and client's by ClientCA. I repeat the above process, but Client never send any certificate when server demanding, Why?

• What is the link between keymanager and trustmanager in ssl.init?

Answer 1

The client certificate is requested by the server during the TLS handshake in the Certificate Request message, which contains a list of certification authorities (their Subject DNs) that the server would be willing to accept.

Clients generally use this to choose which certificate to send (and to choose whether to send one at all): if the client has a certificate chain can can lead up to one of the CAs in the list, it will use that chain.

Using openssl s_client -connect the.host.name:443 should show you the list of acceptable CAs, after the section with the server certificate.

If your client doesn't have a chain that leads up to one of them, the client certificate is unlikely to be used. A common cause for a Java-like client not to use the client certificate in this case is to have imported the client certificate without its intermediate certificates in the keystore (see this question). Another potential cause would be that this server doesn't know anything at all about the CA that issued that other client certificate (with or without intermediate CA certs). (I'm assuming here that your server doesn't send an empty list.)