I am following Android's tutorial on HTTPS with an untrusted certificate. See here.

They have provided sample code for the scenario where the CA is untrusted. I have the scenario of a self-signed certificate on my server, so I can't figure out what I should replace the following with in their sample code:

InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));

// I can't figure out where to get my .crt from?
// I don't have access to that path directly from a URL.

For a self-signed certificate they say:

    You can create your own TrustManager, this time trusting the server certificate directly.

Do I have to separately get my server's self-signed certificate? Will the API not get that for me automatically in some way?

Jake

2 Answers

    Do I have to separately get my server's self-signed certificate?

I don't know what "separately" means in this context, but you need the keystore containing the self-signed certificate for the purposes of validation.

Will the API not get that for me automatically in some way ?

How could it? The point behind validating a certificate is to confirm that it is indeed correct, and that your user is not the victim of a man-in-the-middle attack. To do that for a self-signed certificate, we need the relevant details to make that validation.

FWIW, if you find this stuff to be a bit complex to set up, I have a TrustManagerBuilder in my CWAC-Security library that can help a bit.

CommonsWare

If you have the server certificate and that certificate is self-signed, then you should add the public key certificate to the trust store of the system; otherwise it won't be trusted and leads to a trust-related exception. You should extract the certificate (the public key certificate from the server certificate) and replace load-der.crt, then run the sample provided in the link.

Mohankumar
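Both answers come down to the same thing: the self-signed certificate is its own trust anchor, so the app must ship a copy of it and build a trust store containing only that certificate. The following is an added example (not code from the question, the answers, the Android tutorial or CWAC-Security) that shows the self-signed variant of the tutorial's pattern. It assumes the server's certificate has been obtained out-of-band from whoever operates the server, its fingerprint checked against what the server operator states, and the file bundled with the app; the class and method names are illustrative.

```java
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts exactly one certificate: the server's own
 * self-signed certificate. Illustrative class; not part of any library.
 */
public final class SelfSignedTrust {

    private SelfSignedTrust() {}

    /**
     * @param certStream the server's self-signed certificate (DER or PEM), i.e. the file
     *                   that takes the place of the tutorial's "load-der.crt"; on Android
     *                   this is typically an asset, e.g. getAssets().open("server.crt")
     */
    public static SSLContext fromServerCertificate(InputStream certStream)
            throws IOException, GeneralSecurityException {
        // Parse the certificate file. In the tutorial's CA case this is the CA
        // certificate; here it is the server's leaf certificate itself, so the
        // chain that will be accepted is exactly one certificate deep.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new BufferedInputStream(certStream)) {
            serverCert = cf.generateCertificate(in);
        }

        // An empty in-memory KeyStore becomes the trust store. It holds only this
        // certificate, so the platform's built-in CAs are not consulted for any
        // connection made through this SSLContext (effectively certificate pinning).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", serverCert);

        // The platform's standard TrustManager validates against that store; no
        // hand-written "accept everything" TrustManager is involved.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    /** Opens an HTTPS connection that accepts only the pinned self-signed certificate. */
    public static HttpsURLConnection open(URL url, InputStream certStream)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(fromServerCertificate(certStream).getSocketFactory());
        // Hostname verification is still performed by HttpsURLConnection: the
        // certificate's subject/subjectAltName must match url.getHost(), otherwise
        // the connection is rejected even though the certificate itself is trusted.
        return conn;
    }
}
```

Two consequences worth knowing before adopting this. First, because the trust store contains only the self-signed certificate, any other certificate presented for that host (including one from a public CA) fails validation, which is the behaviour you want against a man-in-the-middle but also means the app must be updated whenever the server's certificate is replaced. Second, hostname verification is untouched by this code, so a self-signed certificate whose name does not match the host still fails; the fix is to issue a certificate with the right name, not to disable the verifier.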