I'm trying to make HTTPS connections using the HttpClient lib, but the problem is that, since the certificate isn't signed by a recognized Certificate Authority (CA) like Verisign, GlobalSign, etc., listed on the set of Android Trusted Certificates, I keep getting javax.net.ssl.SSLException: Not trusted server certificate.
I've seen solutions where you simply accept all certificates, but what if I want to ask the user?
I want to get a dialog similar to that of the browser, letting the user decide to continue or not. Preferably I'd like to use the same certificate store as the browser. Any ideas?
The top answer didn't work for me. After some investigation I found the required information on "Android Developer": https://developer.android.com/training/articles/security-ssl.html#SelfSigned
Creating an empty implementation of X509TrustManager did the trick:
Please be aware that this empty implementation of TrustManager is just an example and using it in a productive environment would cause a severe security threat!
I was frustrated trying to connect my Android App to my RESTful service using https. Also I was a bit annoyed about all the answers that suggested to disable certificate checking altogether. If you do so, what's the point of https?
After googling the topic for a while, I finally found this solution where external jars are not needed, just Android APIs. Thanks to Andrew Smith, who posted it in July 2014.
It worked nicely for my mockup App.
If you have a custom/self-signed certificate on server that is not there on device, you can use the below class to load it and use it on client side in Android:
Place the certificate *.crt file in /res/raw so that it is available from R.raw.*
Use below class to obtain an HTTPClient or HttpsURLConnection which will have a socket factory using that certificate:
Key points:
- Certificate objects are generated from .crt files.
- KeyStore is created.
- keyStore.setCertificateEntry("ca", cert) is adding certificate to key store under alias "ca". You modify the code to add more certificates (intermediate CA etc).
- SSLSocketFactory which can then be used by HTTPClient or HttpsURLConnection.
- SSLSocketFactory can be configured further, for example to skip host name verification etc.
More information at: http://developer.android.com/training/articles/security-ssl.html
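The steps listed in the key points above, written out as an added example; this is not the class from the original answer. The names BundledCaTrust, socketFactoryFor and open are hypothetical, and on Android the stream is assumed to come from getResources().openRawResource(...) for the .crt file placed in /res/raw. It goes slightly beyond the single "ca" alias by loading every certificate in the file, and it leaves host name verification at its default.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (not from the page): trusts only the bundled CA certificate(s). */
public final class BundledCaTrust {

    /** Builds a socket factory whose only trust anchors are the certificates in crtStream. */
    public static SSLSocketFactory socketFactoryFor(InputStream crtStream)
            throws GeneralSecurityException, IOException {
        // Certificate objects are generated from the .crt file (PEM or DER encoded).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // An empty KeyStore of the platform default type is created.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        // Each certificate in the file gets its own alias: "ca", "ca1", "ca2", ...
        int count = 0;
        for (Certificate cert : cf.generateCertificates(crtStream)) {
            keyStore.setCertificateEntry(count == 0 ? "ca" : "ca" + count, cert);
            count++;
        }
        if (count == 0) {
            throw new GeneralSecurityException("no certificate found in stream");
        }
        // Trust managers backed by that KeyStore validate the server chain.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    /** Opens url with the factory; the default host name verification stays enabled. */
    public static HttpsURLConnection open(URL url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        return conn;
    }
}
```

Because the KeyStore starts empty, connections made through this factory accept only chains that lead to the bundled certificate; the system CAs are not consulted, and other connections in the app are unaffected.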
Here's how you can add additional certificates to your KeyStore to avoid this problem: Trusting all certificates using HttpClient over HTTPS
It won't prompt the user like you ask, but it will make it less likely that the user will run into a "Not trusted server certificate" error.
I wrote a small library, ssl-utils-android, to trust a particular certificate on Android.
You can simply load any certificate by giving the filename from the assets directory.
Usage:
None of these fixes worked for my development platform targeting SDK 16, Release 4.1.2, so I found a workaround.
My app stores data on server using "http://www.example.com/page.php?data=somedata"
Recently page.php was moved to "https://www.secure-example.com/page.php" and I keep getting "javax.net.ssl.SSLException: Not trusted server certificate".
Instead of accepting all certificates for only a single page, starting with this guide I solved my problem writing my own page.php published on "http://www.example.com/page.php"