Client Certificates in Android Ice Cream Sandwich

I touched upon the release of Android 4.0, also known as Ice Cream Sandwich, back in October:

That was based upon the official docs and emulator, but about a week ago I finally got an actual device in my hands in the form of the Galaxy Nexus, and I find it a lot easier to test on real hardware so I thought I’d revisit the OS to test out some client certificate related features. (The eye candy factor is greatly improved, but it’s not like you can’t find tests of that all over the web.)

I said that certificate support was improved – for instance, support for client certificates in the Google-supplied Exchange ActiveSync client. This implied there might have been some improvements for the browser as well, and the short answer is yes.

Let’s start with the first thing you need to do when deciding to use client certificates on a device; enroll the certificates. This was ever so hopelessly implemented in the 2.x branch of Android. You had to have the certificate on a memory card, or know exactly which folder to put it in to emulate an external card (device-specific and never documented of course). I’m not saying it’s perfect this time around either, but you can actually enroll directly against a Microsoft CA. (To be fair I have seen this working on Honeycomb as well, but I still considered it a half-baked effort.)

So how do you enroll with a Microsoft CA? Easy enough actually:
  1. Open up https://CA/certsrv in the supplied browser (no third-party browser needed) and choose “Request a certificate”.

  2. Select “User Certificate”.

  3. Go with “High Grade” unless you have specific reasons not to. (“High Grade” = 2048-bit key length.)

  4. Choose “Install this Certificate”. You’ll be prompted to provide a password for the key storage if it’s the first request, or if you haven’t stored things like your WLAN passcode before.

The brilliant thing about this enrollment method is that the certificate is now automatically available to the apps that support it, without any further configuration. (Usually ActiveX is required client-side for /certsrv to work, so there have been tweaks in the browser to allow this to function. If you attempt the same thing in Safari on iOS it’s not going to work.)

Setting up client certificate authentication for Exchange ActiveSync? Just select the certificate when running through the wizard.

Accessing a web site requiring client certificates? You’ll be prompted to select a certificate when trying to open the site. (Which means that we can finally use client certs in the stock Android browser.)
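To verify what an enrollment like the one above actually produced (for instance after exporting the certificate from the device or pulling it from the CA’s issued-certificates store), the following added example, not part of the original post, mints a throwaway test CA and user certificate with the properties the “User Certificate / High Grade” flow is expected to yield (RSA 2048 and a Client Authentication EKU, which relying servers such as an ActiveSync front end commonly check), then runs a check function over any PEM certificate. It assumes only the openssl CLI; all names, paths and the stand-in CA are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

# Mint a test CA and a user certificate; a stand-in for what the Microsoft
# CA issues via /certsrv for the "User" template with "High Grade" (2048 bits).
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3 \
    -subj "/CN=Test Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=testuser" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  # The User template carries Client Authentication (plus Secure Email).
  printf 'extendedKeyUsage=clientAuth,emailProtection\n' > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 3 -in "$WORK/user.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/user.pem" 2>/dev/null
}

# check_client_cert CERT CAFILE
# Returns 0 when CERT chains to CAFILE, has an RSA key of at least 2048 bits
# and carries the Client Authentication EKU; returns 1 on any failure.
check_client_cert() {
  cert="$1"; ca="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  bits=$(openssl x509 -in "$cert" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || return 1
  openssl x509 -in "$cert" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

# Stand-alone usage: build the test material and report on the user cert.
if [ "${1:-}" = "demo" ]; then
  make_test_certs
  if check_client_cert "$WORK/user.pem" "$WORK/ca.pem"; then
    echo "user.pem: OK (chains to CA, >=2048-bit RSA, clientAuth EKU)"
  else
    echo "user.pem: FAILED one of the checks"
  fi
fi
```

Run with `sh check.sh demo`; point `check_client_cert` at a certificate exported from the device together with your issuing CA’s PEM to apply the same checks to a real enrollment.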

The missing component in this scenario is enterprise deployment features. While geeks will have no problem accessing the CA’s web interface to enroll, there are still too many options the user can select, which keeps it from being intuitive for an end-user, and there is no automation. Needless to say, you’ll also either have to make your CA available on the Internet or require the devices to be connected via VPN or the corporate Wi-Fi to do this.

I’ve said it before and I’ll say it again; Google are taking baby steps towards enterprise features. We’re slowly getting there, and this is another correct step, but do please step up and implement a proper MDM API in your OS.

3 thoughts on “Client Certificates in Android Ice Cream Sandwich”

  1. Thanks for this article, it gave me hope where there was none before after testing CertSrv on Apple devices. I’ve given this a test using a Samsung Galaxy II running Android 4.0 and had no luck getting the same results. I kept getting a “no mapping between account names and security IDs was done” after clicking “Submit” to get the cert.

    What version of Microsoft Certificate Services were you running? Was it on Server 2003 or 2008?

    I also tried testing using different templates based on the recommendations you made in the “/CertSrv vs Mobile Devices” post, which again didn’t bring any success. It would be great to hear what your configuration was on the server side of this to get it working!

  2. I’ve been using 2008 R2 on the CA side for a long time (well, since it came out really), so I have never tested this on Server 2003.

    I cannot remember how the settings are on my /CertSrv virtual directory compared to a clean install – I’ve done some fiddling back and forth over the years 🙂

    I take it /CertSrv is working on a desktop running Windows, and that you can enroll the certificates you like there? I remember something about having problems with the default security settings on templates, and it might be necessary to modify these. If it doesn’t work in Internet Explorer you will often run into problems doing it on mobile devices as well.

  3. Thanks Andreas. We are running 2008 SP2 as well, and no problems enrolling a cert with a Windows desktop via the IE browser. Think I am going to test with a clean install of everything in a separate environment just to make sure none of the changes we have made or policies that have been applied are causing issues!
