I am trying to access a company website through https. There's a need for client certificate authentication, but I don't know how I can provide this in Firefox 4.0 for Android. The certificates have already been imported under Android. The error I get is: ssl_error_handshake_failure_alert. How can I set the certificate to be used for this website?
I have found how to use Client Certificates with Android OS:
1. Install and run at least once Mozilla Firefox or Mozilla Fennec for Android.
2. Please download from your Android phone to the PC:
- Mozilla Firefox:
- Mozilla Fennec:
3. Move them to a MS Windows directory (Ex.: C:\keys )
4. Download the package NSS_Tools_x86_from_NSS_3.12.7 Tools.zip and extract it into a directory (Ex.: c:\nss-3_12_7)
5. Run command prompt ( CMD.EXE ) and change to the directory where you have extracted NSS_Tools_x86_from_NSS_3.12.7 Tools.zip (Ex.: "cd c:\nss-3_12_7")
6. Execute the command:
pk12util.exe -i <PKCS12 filename containing your client certificate> -d sql:<directory from step 3>
( Ex.: c:\nss-3_12_7>pk12util.exe -i c:\epay.p12 -d sql:C:\keys )
Enter password for PKCS12 file: <your PKCS12 password>
pk12util.exe: PKCS12 IMPORT SUCCESSFUL
If you have more client certificates - do the same command again.
7. Move the "cert9.db" and "key4.db" files back to your Android phone. If necessary fix the ownership and access rights.
8. Restart Mozilla Firefox or Mozilla Fennec for Android.
9. If you access a web site that needs client certificate authentication, the browser will ask you to choose one of the imported client certificates and will use them.
Final words: Now even on the Android platform it is possible to use client certificates for SSL authentication and signing. If there was an add-on or a setting to manage them it would be much easier. I hope that the Fennec developer team will fix this issue in the near future. It is also possible to use a PKCS#11 library for accessing secure signature devices plugged into the microSD slot, and this will make it possible to use Qualified digital certificates with Android OS.
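Steps 5 to 7 of the procedure above as a script, added here as an example and not part of the original post. It assumes a Linux or macOS workstation with the NSS command-line tools (pk12util, certutil) on the PATH instead of the Windows build; the function names are hypothetical. Because key4.db holds the client private key once the import succeeds, the working copy is restricted to the current user before anything is written to it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): import a PKCS#12 client
# certificate into a working copy of the Firefox profile databases.
# Assumption: NSS tools installed; function names are illustrative.
DB_FILES="cert9.db key4.db"

# Return 0 only if both profile databases exist in directory $1.
profile_dbs_present() {
  for f in $DB_FILES; do
    [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
  done
}

# Return 0 only if neither database grants any group/other permission bit.
# Characters 5-10 of the `ls -l` mode string are the group and other bits.
profile_dbs_private() {
  for f in $DB_FILES; do
    [ "$(ls -ld "$1/$f" | cut -c5-10)" = "------" ] || return 1
  done
}

# Restrict the working copy to the current user (directory 700, files 600).
harden_profile_dbs() {
  chmod 700 "$1" && for f in $DB_FILES; do
    chmod 600 "$1/$f" || return 1
  done
}

# $1 = PKCS#12 file, $2 = directory holding the copied cert9.db and key4.db.
import_client_cert() {
  profile_dbs_present "$2" || return 1
  harden_profile_dbs "$2" || return 1
  pk12util -i "$1" -d "sql:$2" || return 1   # prompts for the PKCS12 password
  certutil -L -d "sql:$2"                    # the imported certificate should be listed
  certutil -K -d "sql:$2"                    # and its private key
}

# Usage: ./import-client-cert.sh client.p12 ./keys
if [ "$#" -eq 2 ]; then
  import_client_cert "$1" "$2"
fi
```

Delete the working copy from the PC once the two files are back on the phone, since it contains the private key.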
This only works on rooted phones. For non-root users there are 2 options:
- create a special APK with FF/Fennec which generates a new profile with cert9.db and key4.db. I do not know how to do this. I'd like to, though
- or: Mozilla adds cert management to FF/Fennec
don't exist for me. I'll take oernii's word that it's because it's not a rooted phone.
Is there really no other way for me to get Firefox to use a client-side certificate for authentication? I can't be giving that kind of instructions to people who want to access services on their Android phones.
Sorry, there's no easy way to add client certificates to Firefox for mobile. We'd like to add this feature to a future version of the browser. For details, see:
Until then, maybe someone can write an add-on to provide this feature.
Here is another completely different approach but it does not involve Mozilla browser - just another temporary solution.
@cbrowne: vazmuten's original reply does work for non-rooted phones. You have to connect the device to your PC via the USB cable and mount the SD card in order to see them. I searched using several Android file managers (OI File Manager, ES File Explorer, etc.) but couldn't find them until I browsed the card in Windows. It's possible that there's some sort of attribute that hides part of this path from on-device file managers (such as a hidden flag or UNIX permission that prevents reading).
I should also point out that the paths I saw were not exactly what vazmuten reported. I'm seeing:
Note the first "Android" rather than two "data" directories.
Full disclosure: I'm using a stock Motorola Droid running Android 2.2.2. Latest Firefox Mobile (4.0 RC) with the "move to SD card" flag in the OS active. I use a private CA for authenticating with the admin portions of my sites and issue client certs for each device/machine I use to connect. I was able to get Firefox Mobile to successfully connect to a site that required client certs after following this procedure.
I'm glad to see at least one Android browser is supporting client certs. I've tried lots of other solutions, and so far Firefox is the only one that works. It definitely needs a built-in UI; while this procedure isn't necessarily all that hard, it's not something most users or businesses are going to go through, especially if they have a lot of devices to configure.
Hey there, I have my Galaxy S2 rooted but I can't see mozilla\<random>.default
I just see the downloads folder, not data/org.mozilla.firefox/files/mozilla/<random number>.default/cert9.db. What can it be?
I have created an add-on for Firefox Mobile which allows you to import CA and client certificates. https://addons.mozilla.org/en-US/mobile/addon/cert
No ROOT required.
I am having trouble installing the certificate on 2.3.3 using the cert manager 1.3 add-on for Firefox. The browse options I get are "gallery/songs/..." and it doesn't locate the .p12 file I placed in there. I don't have a way to change the browse folder either. This is on an HTC Flyer tablet running 2.3.3.
It would be great if you could give me any pointers to what I am missing.