
I developed an API for our system, so it could be used by an Android app. The Android app is developed by another member of the team. As the server uses SSL, the Android app cannot connect without a certificate.

I should mention that this is a self-signed certificate.

What is the practice in this case?
Give the Android programmer the certificate so he can embed it to the app?
(Wouldn't that mean exposing it to cracking and theft?)

Where can I start my research on this subject?

Thanks in advance,
Shy.

Shy Agam

1 Answer

Here's a link for you to check out answering a very similar question.

How can I use different certificates on specific connections?

The simple answer is: There's nothing wrong with giving the certificate to another individual so they can include this in their list of "trusted" entities when opening secure connections.

Anytime a client connects to a server via SSL or TLS, the client must look at the server's certificate in order to decide if it trusts it or not (based on who signed it).

As far as cracking, any certificate is vulnerable to that, but you increase the length of the cert (to like 2048 bits or 4096 bits) in order to make cracking take so long that it is no longer beneficial to even try.

What you don't want to do is give the Android developer your private key. The flow is generally:

  • Private key uniquely identifies your system and should never be shared
  • Private key is used to create certificate signing request (CSR)
  • CSR is sent to a trusted certification authority (CA) (in the case of self-signed, you assume this role yourself)
  • CA sends back a trusted, signed certificate, based on your private key/CSR
Harvtronix
  • Well explained. Much appreciated. I'm missing one thing though... Should I export the certificate and give the file to the Android developer? A certificate file contains both private & public keys, right? Doesn't this break what you said about "What you don't want to do is give the Android developer your private key"? – Shy Agam Feb 17 '15 at 13:39
  • The certificate itself is separate from the private key when received from the CA. Or when you "sign" the CSR yourself, you get a file that typically starts with -----BEGIN CERTIFICATE----- and then has a bunch of stuff, followed by -----END CERTIFICATE-----. That part (and only that part) is what you want to give to the Android developer. Some web servers require you to concatenate both your private key and your certificate into the same file (typically a .pem file), but by itself, the pure certificate is ONLY a certificate. No private key text listed inside of it. – Harvtronix Feb 17 '15 at 19:47
  • As an exercise (if you use Google Chrome for example) you can click the lock next to any https address and view the certificate's details. You can even go so far as to copy the certificate to a file on your system to view it whenever you want. This just reinforces the fact that anyone can view/have a certificate without your private key being compromised. – Harvtronix Feb 17 '15 at 19:52
  • Very much appreciated. – Shy Agam Feb 19 '15 at 12:51
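An added example, not code from the question, the answer or the comments: Go code that walks the flow in the answer (private key, CSR, self-issued certificate) with us acting as the CA, then plays the app's side using nothing but the certificate PEM, which is the point made in the comments above. The host name api.example.test and the function names are assumptions for this example; it is not Android code, but the trust-store step is what the app does with an embedded certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // any failure in the issuance steps is a bug here, so abort
	if err != nil {
		panic(err)
	}
	return v
}
// MakeSelfSigned walks the answer's flow with us as the CA: the key PEM stays on the server, the cert PEM goes to the app developer.
func MakeSelfSigned(host string) (keyPEM, certPEM []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // step 1: the private key, never shared
	// step 2: the CSR holds only the public key and the requested name (as a SAN), signed by that key
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, key))
	csr := must(x509.ParseCertificateRequest(csrDER)) // what a CA receives: it never sees the private key
	tmpl := &x509.Certificate{ // steps 3-4: as our own CA, issue a certificate for the CSR's public key
		SerialNumber: big.NewInt(1), DNSNames: csr.DNSNames, BasicConstraintsValid: true, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	certDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key)) // signed with our key
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	return keyPEM, certPEM
}
// AppTrusts is the client side: with only certPEM, confirm it holds one CERTIFICATE block and nothing else, then verify it for host.
func AppTrusts(certPEM []byte, host string) error {
	blk, rest := pem.Decode(certPEM)
	if blk == nil || blk.Type != "CERTIFICATE" || len(rest) != 0 {
		return fmt.Errorf("expected exactly one CERTIFICATE block and nothing else")
	}
	cert := must(x509.ParseCertificate(blk.Bytes))
	pool := x509.NewCertPool() // the app's trust store: seeded with the handed-over certificate only
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
func main() {
	_, certPEM := MakeSelfSigned("api.example.test") // constructed host name for this example
	fmt.Println("app trusts the server with the certificate alone:", AppTrusts(certPEM, "api.example.test") == nil)
}
```

AppTrusts rejects a file that also carries the key block, which is the check to run on whatever is handed to the app developer.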