I am trying to connect to an HTTPS MobileFirst server from my Android app, using a self-signed certificate, but I am not sure if it's a self-signed CA certificate.
I used the following code. Certificate file name: mycer.der. I have put this certificate in the assets folder.
Now I am using the following code to validate the certificate.
WLClient client= new WLClient(getApplicationContext());
client.pinTrustedCertificatePublicKey("dev1mfp.mtb.der");
But I am still getting the following error:
06-03 03:58:04.803 20647-20699/? W/System.err: javax.net.ssl.SSLPeerUnverifiedException: Cannot verify hostname: 00.00.00.00
06-03 03:58:04.803 20647-20699/? W/System.err: at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:205)
06-03 03:58:04.803 20647-20699/? W/System.err: at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:443)
06-03 03:58:04.803 20647-20699/? W/System.err: at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:394)
06-03 03:58:04.803 20647-20699/? W/System.err: at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170)
06-03 03:58:04.803 20647-20699/? W/System.err: at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
06-03 03:58:04.803 20647-20699/? W/System.err: at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
Please suggest whether there is anything I need to add to my code, or whether the issue is with the certificate.
The Certificate Pinning documentation clearly states that self-signed certificates are not supported. You must use a certificate purchased from a certificate authority: https://www.ibm.com/support/knowledgecenter/SSHSCD_7.1.0/com.ibm.worklight.dev.doc/monitor/c_cert_pinning_intro.html
I suggest that before trying to implement certificate pinning, you should contact your IT department to verify the origin of your certificate. Just so you won't waste your time.
Additionally, your certificate may not be set up with the correct host to be used... you need to check this as well, that it was generated with the correct host.
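One way to run both checks suggested above (certificate origin and host) before touching the pinning code, as an added example that is not part of the original answer or of the MobileFirst SDK. It is a desktop JVM diagnostic; the class name CertCheck and its two arguments (the .der file from the assets folder and the host the app connects to) are assumptions, and it compares the host against subjectAltName entries only.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

public class CertCheck {
    // Self-signed: subject equals issuer and the signature verifies with the cert's own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    // True when host matches a dNSName (type 2, one-label wildcard allowed)
    // or an iPAddress (type 7, exact text match) subjectAltName entry.
    static boolean hostInSan(X509Certificate c, String host) throws Exception {
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        if (sans == null) return false;              // certificate carries no SAN extension
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String name = String.valueOf(san.get(1));
            if (type == 7 && name.equalsIgnoreCase(host)) return true;
            if (type == 2 && name.equalsIgnoreCase(host)) return true;
            if (type == 2 && name.startsWith("*.")) {
                int dot = host.indexOf('.');
                if (dot > 0 && host.substring(dot).equalsIgnoreCase(name.substring(1))) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CertCheck <cert.der> <host-the-app-connects-to>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {   // accepts DER or PEM
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject:     " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer:      " + cert.getIssuerX500Principal().getName());
        System.out.println("Self-signed: " + isSelfSigned(cert));
        System.out.println("CA cert:     " + (cert.getBasicConstraints() >= 0));
        System.out.println("SANs:        " + cert.getSubjectAlternativeNames());
        System.out.println("Host in SAN: " + hostInSan(cert, args[1]));
    }
}
```

If "Self-signed" prints true, the certificate falls under the limitation quoted from the documentation; if "Host in SAN" prints false for the address the app uses, the certificate was not generated for that host.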