I touched upon the release of Android 4.0, also known as Ice Cream Sandwich, back in October:
http://mobilitydojo.net/2011/10/19/ice-cream-sandwiches-for-the-kids/

That was based upon the official docs and emulator, but about a week ago I finally got an actual device in my hands in the form of the Galaxy Nexus, and I find it a lot easier to test on real hardware so I thought I’d revisit the OS to test out some client certificate related features. (The eye candy factor is greatly improved, but it’s not like you can’t find tests of that all over the web.)

I said that certificate support was improved – for instance the support of client certificates with the Google-supplied Exchange ActiveSync client. This implied there might have been some improvements for the browser as well, and the short answer would be yes

Let’s start with the first thing you need to do when deciding to use client certificates on a device; enroll the certificates. This was ever so hopelessly implemented in the 2.x branch of Android. You had to have the certificate on a memory card, or know exactly which folder to put it in to emulate an external card (device-specific and never documented of course). I’m not saying it’s perfect this time around either, but you can actually enroll directly against a Microsoft CA. (To be fair I have seen this working on Honeycomb as well, but I still considered it a half-baked effort.)

So how do you enroll with a Microsoft CA? Easy enough actually:
Open up https://CA/certsrv in the supplied browser (no third-party browser needed) and “Request a certificate”

Select “User Certificate”

Go with “High Grade” unless you have specific reasons not to. (“High Grade” = 2048 bits key length. )

And “Install this Certificate”. You’ll be prompted to provide a password for the key storage if it’s the first request, or you haven’t stored things like your WLAN passcode before.

The brilliant thing about this enrollment method is that the certificate is now automatically available for the apps that support it without any more configuration. (Usually ActiveX is required client-side for /certsrv to work, so there has been tweaks in the browser to allow this to function. If you attempt doing the same thing in Safari in iOS it’s not going to work.)

Setting up client certificate authentication for Exchange ActiveSync? Just select the certificate when running through the wizard.

Accessing a web site requiring client certificates? You’ll be prompted to select a certificate when trying to open the site. (Which means that we can finally use client certs in the stock Android browser.)

The missing component in this scenario is the enterprise deployment features. While geeks will not have a problem accessing the CA’s web interface to enroll there’s still too many options the user can select preventing it from being intuitive for an end-user as well as lacking automation. Needless to say you’ll either have to make your CA available to the Internet or require the devices to be connected via VPN or the corporate Wi-Fi to do this as well.

I’ve said it before and I’ll say it again; Google are taking baby steps towards enterprise features. We’re slowly getting there, and this is another correct step, but do please step up and implement a proper MDM API in your OS.