SOLVED: create CA that works with Android

Status
Not open for further replies.

neatfreak

Dabbler
Joined
Sep 5, 2015
Messages
35
Hello

I set up an ownCloud server to work as a CalDAV server. I created an SSL certificate and changed the port from 443 to something random (29342), and I can connect to it fine.
To generate the certificate I followed this guide: http://www.stephen-scotter.net/comp...n-please-double-check-the-installation-guides
It basically told me to use these commands:
Code:
root@owncloud_1:/ # cd /tmp && mkdir keys && cd keys
root@owncloud_1:/tmp/keys # openssl genrsa -des3 -out server.key 1024
root@owncloud_1:/tmp/keys # openssl req -new -key server.key -out server.csr
root@owncloud_1:/tmp/keys # cp server.key server.key.org
root@owncloud_1:/tmp/keys # openssl rsa -in server.key.org -out server.key
root@owncloud_1:/tmp/keys # openssl x509 -req -days 18250 -in server.csr -signkey server.key -out server.crt
root@owncloud_1:/tmp/keys # cp server.crt /usr/pbi/owncloud-amd64/etc/apache24/
root@owncloud_1:/tmp/keys # cp server.key /usr/pbi/owncloud-amd64/etc/apache24/


Like I said, it works fine, but the reason I set up this ownCloud server is to use it on my phone with CalDAV, and when I tried to connect to it via DAVdroid it said "invalid certificate".
So I copied server.crt to my Android device and tried installing it manually; it didn't install. After trying to download the certificate with the app CAdroid, it said I can't because CA has to be set to TRUE (CA=TRUE).
After googling how to do that, I saw that the certificate needs to be X.509v3.
That's when I found this German post https://thomas-leister.de/internet/eine-eigene-openssl-ca-erstellen-und-zertifikate-ausstellen/. A summary of what it says:
Code:
openssl genrsa -aes256 -out ca-key.pem 2048

openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512

Then he writes that I should install this on my device, e.g. my phone, which worked.

Code:
openssl genrsa -out zertifikat-key.pem 4096

openssl req -new -key zertifikat-key.pem -out zertifikat.csr -sha512

openssl x509 -req -in zertifikat.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out zertifikat-pub.pem -days 365 -sha512


But now I'm confused by the last step, because he says I should use this CA for the server side, but these files are all *.pem, whereas for the first guide I need *.key and *.crt files.

I thought I'd just look for the conf file to point Apache at the files it created, but I don't know where it is and I don't know if it would work. I checked the httpd-ssl.conf file and saw the directory for the server.key and server.crt files, but with that last guide I get about 4 files which I'm not sure what to do with.

Can somebody help me? Or is there an easier way?
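As an added example, not code from the thread or from either of the two guides: the two procedures above folded into one script. It creates a CA certificate that carries basicConstraints CA:TRUE (the property CAdroid was complaining about), signs a server certificate with it under the server.key/server.crt names the Apache config expects, and adds the checks that explain both of the original post's problems. The output directory, the host name owncloud.example.lan and the CA name "Example Home CA" are made-up inputs.

```shell
#!/bin/sh
# Added example (not from the thread or either guide): CA with CA:TRUE,
# a server cert signed by it, and the checks behind the thread's two problems.
set -eu
# $1 = output dir, $2 = server host name (both assumed inputs).
make_ca_and_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # v3_ca is what CAdroid insisted on: basicConstraints with CA:TRUE.
    # v3_server is an ordinary end-entity cert with a SAN for the host.
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key and self-signed CA cert; ca-root.pem is what gets imported on the phone.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca-key.pem" -days 3650 -sha256 -config "$dir/ext.cnf" \
        -extensions v3_ca -subj "/CN=Example Home CA" -out "$dir/ca-root.pem"
    # 2. Server key + CSR, signed by the CA. server.crt/server.key match Apache's
    #    SSLCertificateFile/SSLCertificateKeyFile; .pem/.crt/.key are only naming
    #    habits, the content is PEM in every case.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -config "$dir/ext.cnf" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-root.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
    chmod 0600 "$dir/ca-key.pem" "$dir/server.key"   # private keys stay owner-only
}
# Exit 0 if the certificate asserts CA:TRUE (the property CAdroid checks).
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Exit 0 if the server cert chains to the given CA cert.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# PEM or DER, judged by content. mod_ssl loads PEM only, which is why a DER
# file named server.crt (an -outform DER conversion) stops Apache starting.
cert_encoding() { if head -c 11 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi; }
```

Run `make_ca_and_server_cert ./keys owncloud.example.lan`, import keys/ca-root.pem on the phone, and point SSLCertificateFile/SSLCertificateKeyFile at keys/server.crt and keys/server.key.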

 

neatfreak

Dabbler
Joined
Sep 5, 2015
Messages
35
I made some progress on how to create the CA, but when I create one that installs on Android, apache24 won't start anymore.
To create the self-signed certificate I typed in this:
Code:
openssl req -new -x509 -days 3650 -nodes -out server.pem -keyout server.key


Then I converted it into a .crt for the Apache server:
Code:
# DER output: Apache's mod_ssl only loads PEM-encoded certificates, so it cannot read this server.crt
openssl x509 -inform PEM -outform DER -in server.pem -out server.crt


After that the whole plugin just won't start anymore when I copy these into the apache24 folder.

I'm just curious to know why.

I found an app that is able to download the certificate without me manually installing it. I've been using droidDAV the past 2 years, but it also required me to install it manually; not so with this new app I found, called CardDAV-Sync and CalDAV-Sync.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
With Android, a .p12 cert is preferable, as it's imported into userland (you can transfer it to system trusted if you're rooted). I wrote a tutorial on OpenWRT a couple of months back for OpenVPN that has a section covering how to create and import a PKCS12 cert into Android.
  • You can't utilize any of the same commands (except the openssl command below) since it's using an easy-rsa vars file to have openssl create and sign the certs, which is why I included the applicable command below.
Code:
openssl pkcs12 -export -in my-client.crt -inkey my-client.key -certfile ca.crt -name My-Client -out my-client.p12 && chmod 0600 my-client.p12


The FreeNAS WebUI (System - CA) can create a certificate authority, as well as create and sign client certs, and it may be more convenient for you to create the CA and certificates there, then use the openssl pkcs12 command above to create a .p12.
  • They save to /etc/certificates and /etc/certificates/CA for the CA.
  • I cannot stress enough the importance of ensuring every .p12 and .key created are set to 600 for permissions because each contain the private signing key.
I wrote a reply yesterday on another thread regarding creating SSLs you may also want to skim through. It's quite similar to the link you included above with a few areas streamlined.
  • If you're going to be using multiple certs for multiple devices, you may find GPG4Win (Windows) or GnuPG (Linux) useful for managing them.
 

neatfreak

Dabbler
Joined
Sep 5, 2015
Messages
35
@zoomzoom

Thanks so much for replying. I will have a look at the thread you sent me, and good to know about the chmod 0600 command. Thanks.

Weirdly enough, even though my Android phone is rooted, I never thought of manually implementing the cert on my phone, but with CalDAV-Sync it automatically just accepts the cert as is, so I don't need to install other apps to suppress the "you might be monitored" windows or go through the hassle of making a passkey on my Android phone.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
It appears CalDAV-Sync and CardDAV-Sync do a better job at SSL cert handling than average applications do. This is one of the sucky bits with Android devices. I have no idea why they don't allow management of the trusted certificate store (without "rooting").
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@zoomzoom

Thanks so much for replying. I will have a look at the thread you sent me, and good to know about the chmod 0600 command. Thanks.

Weirdly enough, even though my Android phone is rooted, I never thought of manually implementing the cert on my phone, but with CalDAV-Sync it automatically just accepts the cert as is, so I don't need to install other apps to suppress the "you might be monitored" windows or go through the hassle of making a passkey on my Android phone.
No problem at all =]

You don't have to install other apps to import certificates into Android... Settings - Security - Install from Storage.
  • Once installed, you will receive a toast upon boot (which can be swiped away) that the network may be monitored. I can understand to a point why Google implemented that toast, but it's baffling in other ways. The reason the toast appears is that any self-signed PKCS12 file imported into the phone is sandboxed in userland.
    • In Settings - Storage - Trusted Credentials you'll see two tabs, System and User. System displays all trusted CAs imported directly from a cert file during firmware installation. User displays all certs imported by the user; however, when the user imports a self-signed cert, or one not trusted by the System, it causes the toast to be generated upon boot.
  • Transferring a cert from userland to system trusted doesn't require any extra apps, so I'm not sure how you gained that impression. It does require root access, as you need access to the system directory to perform a file rename and permissions change.
 

neatfreak

Dabbler
Joined
Sep 5, 2015
Messages
35
I understand what you're saying, but this app I installed doesn't store the cert on my phone; it just stores it in the app, so CalDAV and CardDAV run through the app. With droidDAV I had to store it on my Android phone in the /system/etc/security/cacerts/ folder, which is not possible with the type of cert I created. It always told me that CA=FALSE has to be set to CA=TRUE in order to run it on Android. Believe me, I tried to just go to Settings - Security - Install certificate, but it didn't show up in the user certificate tab. Then I installed the ownCloud app to see how it handles this certificate; it just stores it in the app and the phone OS ignores the fact that I'm using a self-signed certificate. So by accident I stumbled onto that CalDAV-Sync app, which does the same instead of storing the cert on the phone.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I wasn't trying to say you had to do it that way, and I apologize if it came across as such =]

I've never used CalDAV-Sync, and my only purpose in my last reply was to correct misinformation regarding moving a cert from userland to system trusted. I'm glad you got it working :)

I assume CalDAV and CardDAV are for calendar/contacts, but what's the purpose of using them? Is it to sync calendars and contacts not tied to email/Exchange accounts?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
"Why the hell would contacts and calendars be tied to an email account?" -- the question I'd ask the morons at Microsoft who embodied this sort of crap in Exchange.

That's like tying your e-mail to your webhosting account. People do it, but it is generally a failure for anything more complex than the least common denominator use model.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
well, okay, you got me, it works GREAT for Exchange, where it is super easy for a Microsoft Certified Expert Geek to set it up, and then when it eventually falls over, it takes e-mail AND contacts AND calendaring with it, crippling all business communications...
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I remember when I first migrated from BlackBerry to Android 5 years ago, it was irritating there wasn't a decent way to sync Outlook to Android and vice versa. I've always used Outlook for calendar and contact management and was ecstatic when I came across CompanionLink Pro from CompanionLink... well worth the $130 :)
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
well, okay, you got me, it works GREAT for Exchange, where it is super easy for a Microsoft Certified Expert Geek to set it up, and then when it eventually falls over, it takes e-mail AND contacts AND calendaring with it, crippling all business communications...
They still haven't fixed a bug that exists in EAS for outlook/hotmail/live/msn addresses where syncing your account to ~3 devices and using Outlook (the desktop program) for around a year will cause the "too many devices syncing" error, which prevents email delivery, contact syncs, and other things (bought a new Xbox and want to set it up? Since it's tied to SSO you're out of luck). Until about 4 months ago, there was a way for the end user to fill out a KB article form and submit it to have an employee on the backend delete the tens of thousands of accumulated syncs; however, when they redesigned their site for Win 10, the team who did so broke the link and it now directs you to a Windows 10 info page.
  • It doesn't take a genius to say "hmm... maybe we should add in an option for the end user to do so on account.live.com"
Currently, if I use my email to set up SSO on a Windows device, I have to first delete one of the other two synced PCs (the only other two are an Xbox One and a 360). Irritating to say the least :mad:
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I'm very pleased with our WebDAV services and how cleanly it integrates across iOS, Android (only because of CalDAV-Sync), OS X, etc. It always annoyed me how hard it used to be to maintain such services before DAV.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
They still haven't fixed a bug that exists in EAS for outlook/hotmail/live/msn addresses where syncing your account to ~3 devices and using Outlook (the desktop program) for around a year will cause the "too many devices syncing" error. Until about 4 months ago, there was a way for the end user to fill out a KB article form and submit it to have an employee on the back end delete the tens of thousands of accumulated syncs; however, when they redesigned their site for Win 10, the team who did so broke the link and it now directs you to a Windows 10 info page.

Currently, if I use my email to set up SSO on a Windows device, I have to first delete one of the other two synced PCs (the only other two are an Xbox One and a 360). Irritating to say the least :mad:

Win10's failure to include WebDAV sync for contacts and calendar is a big disappointment. Microshaft, still discouraging interoperability after all these years.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Do you have any recommendations on where I should look to read up and learn about CalDAV/CardDAV/WebDAV?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Do you have any recommendations on where I should look to read up and learn about CalDAV/CardDAV/WebDAV?

Not really. I can tell you that davical works very well here, and hasn't broken in the years we've been using it, but I guess OwnCloud offers similar functionality now and might be an easier path to follow. Check the documentation resources of both projects, I'd say.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Not really. I can tell you that davical works very well here, and hasn't broken in the years we've been using it, but I guess OwnCloud offers similar functionality now and might be an easier path to follow. Check the documentation resources of both projects, I'd say.
Awesome =] Thanks a bunch!
 

neatfreak

Dabbler
Joined
Sep 5, 2015
Messages
35
I wasn't trying to say you had to do it that way, and I apologize if it came across as such =]

I've never used CalDAV-Sync, and my only purpose in my last reply was to correct misinformation regarding moving a cert from userland to system trusted. I'm glad you got it working :)

I assume CalDAV and CardDAV are for calendar/contacts, but what's the purpose of using them? Is it to sync calendars and contacts not tied to email/Exchange accounts?

Sorry if it came over a little harsh; I didn't mean to offend you. I just thought it was weird that it didn't work the way it usually worked with the last CalDAV server I had.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Sorry if it came over a little harsh; I didn't mean to offend you. I just thought it was weird that it didn't work the way it usually worked with the last CalDAV server I had.
Not at all... sometimes the way I word things comes across differently than intended, and it appeared what I said may have.
 