I am trying to query an HTTPS website with Apache's HttpClient 4.X from an Android app. I get a javax.net.ssl.SSLPeerUnverifiedException: No peer certificate exception. I followed different instructions on importing the certificates:
- How do I avoid getting "No peer certificate" error when connecting to this HTTPS site on Android?
- Https Connection Android
- HTTPS GET (SSL) with Android and self-signed server certificate
None of these worked for me.
I think my problem is that the site's Certificate chain is as follows:
- Telekom Root CA 2
- Intermediate A
- Intermediate B
- Site's certificate
- Intermediate B
- Intermediate A
The Telekom Root CA 2 is included in the Android default keystore (/system/etc/security/cacerts.bks). I checked that on my own phone, which I use for testing.
Now the question is, which certificates do I have to include in the custom keystore all the instructions tell me to provide? Just the intermediates? Only the site? Both? Do I need the Root certificate as well? Shouldn't the Site's certificate be verified by the chain - I would not need to provide any extra certificates since the root of the chain is trusted.
I would be happy if you could explain to me what is going on and how I could get this to work. Please do not post workarounds which just ignore the Certificates, since this is intended for production and has to be secure.