
I wanted to establish an HTTPS connection to this website in particular, https://elearning.utp.edu.my/

I have checked with an SSL tool that the website uses an Entrust_L1K certificate, then I exported the certificate file from the Chrome browser.

I tried using the code provided on the Android developer website.

    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream caInput = mContext.getResources().openRawResource(R.raw.entrust_l1k);
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
            System.out.println("ca = " + ((X509Certificate) ca).getSubjectDN());
        } finally {
            caInput.close();
        }

        // Create a KeyStore containing our trusted CAs
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        // Create an SSLContext that uses our TrustManager
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
        urlConnection.setConnectTimeout(7000);
        urlConnection.setRequestMethod("GET");
        urlConnection.setDoInput(true);
        urlConnection.connect();

        int responseCode = urlConnection.getResponseCode();

        switch (responseCode) {
            case HttpsURLConnection.HTTP_OK:
                InputStream in = urlConnection.getInputStream();

                Scanner scanner = new Scanner(in);
                scanner.useDelimiter("\\A");

                boolean hasInput = scanner.hasNext();
                if (hasInput) {
                    return scanner.next();
                } else {
                    return null;
                }

            default:
                return null;
        }
    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }

However, I still get the following error:

W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I have tried multiple solutions from Stack Overflow.

I hope to learn the best practice for connecting over HTTPS without trusting all certificates. I would appreciate it if anyone could guide me.

EDIT 1: Apparently, when I click "Log in" using Firefox, it shows a warning that "elearning.utp.edu.my uses an invalid security certificate." However, I can establish a "SECURE" connection to the website using Chrome. The website is as follows: https://elearning.utp.edu.my/login/index.php

Lv.0 Shian

1 Answer

The L1K certificate is signed by a Root G2 cert, so you should add it to the keystore/trust manager as well:

caInput = mContext.getResources().openRawResource(R.raw.entrust_root_g2);
try {
    ca = cf.generateCertificate(caInput);
    System.out.println("ca = " + ((X509Certificate) ca).getSubjectDN());
} finally {
    caInput.close();
}

// Use the same keystore.
// Mind the different alias.

keyStore.setCertificateEntry("ca2", ca);

You have to link the SSLContext to the connection. You'll probably want to do it right after instantiating the connection object:

urlConnection.setSSLSocketFactory(context.getSocketFactory());

Note: although you stated that you want to connect to a specific website, mind that this TLS configuration will reject any other certificate. For example, if you change the URL to https://stackoverflow.com/ the TLS handshake will fail. Should you want to accept your custom certificates as well as the default ones, take a look here: https://stackoverflow.com/a/24561444/2657100

nandsito
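Putting the question's code and the answer's two fixes together, here is a complete helper, written as an added example rather than the asker's or the answerer's code. It assumes the two raw resources named on this page (R.raw.entrust_l1k and R.raw.entrust_root_g2) exist in the app; the class and method names (PinnedHttps, socketFactoryFor, fetch) are my own. It loads every given certificate into an empty in-memory KeyStore under a distinct alias, prints the anchors the TrustManager actually ends up with as a sanity check, and wires the resulting SSLSocketFactory into the HttpsURLConnection, which is the step the original snippet was missing.

```java
import android.content.Context;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Scanner;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name); not code from the question or the answer.
public final class PinnedHttps {

    /** Builds an SSLSocketFactory whose only trust anchors are the given raw X.509 certificates. */
    public static SSLSocketFactory socketFactoryFor(Context ctx, int... rawCertIds)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null); // empty in-memory store: no system CAs are included

        for (int i = 0; i < rawCertIds.length; i++) {
            InputStream in = ctx.getResources().openRawResource(rawCertIds[i]);
            try {
                Certificate ca = cf.generateCertificate(in);
                // Each entry needs its own alias; reusing "ca" would overwrite the previous entry.
                keyStore.setCertificateEntry("ca" + i, ca);
            } finally {
                in.close();
            }
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        // Sanity check: list the anchors the trust manager really holds before using it.
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trust anchor: " + anchor.getSubjectDN());
                }
            }
        }

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }

    /** GETs the URL over TLS, validating the server chain only against the pinned anchors. */
    public static String fetch(String urlString, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        // Without this call the connection keeps using the platform's default trust store.
        conn.setSSLSocketFactory(factory);
        conn.setConnectTimeout(7000);
        conn.setRequestMethod("GET");
        try {
            conn.connect();
            if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
                return null;
            }
            Scanner scanner = new Scanner(conn.getInputStream()).useDelimiter("\\A");
            return scanner.hasNext() ? scanner.next() : null;
        } catch (SSLHandshakeException e) {
            // The server chain did not terminate in one of the pinned anchors
            // (or the default hostname/validity checks failed).
            System.err.println("pinned TLS handshake failed: " + e.getMessage());
            return null;
        } finally {
            conn.disconnect();
        }
    }

    /** Usage, assuming the raw resources from the question exist in the app. */
    public static String fetchElearning(Context ctx) throws IOException, GeneralSecurityException {
        SSLSocketFactory factory =
                socketFactoryFor(ctx, R.raw.entrust_l1k, R.raw.entrust_root_g2);
        return fetch("https://elearning.utp.edu.my/login/index.php", factory);
    }
}
```

Two things to keep in mind when using this. Hostname verification is still performed by HttpsURLConnection's default HostnameVerifier, so do not replace it with an accept-all verifier to "fix" a handshake error; that would reintroduce exactly the weakness this question is trying to avoid. And pinning an intermediate such as L1K ties the app to that issuer: if the site is later reissued under a different intermediate, the app will start failing with the same "Trust anchor for certification path not found" error until the bundled certificates are updated, so plan for that rotation.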