Validate an SSL Certificate from a Smartphone App.

Pkafkas asked:
Tags: Smartphones, multi-factor authentication, SSL cert
Question about how SSL Certificates work on a mobile phone app.

We are setting up 2-factor authentication for our remote access.  The process involves enrolling your smartphone with your user account for remote access, very much like how Duo Mobile works ( https://duo.com ); but we cannot add our smartphones, because when scanning the QR code to enroll the smartphone an error comes up stating that the Smartphone App does not trust the certificate.

We have a certificate from a respected Certificate Authority (THAWTE) on our Authentication server.  The consultant informed me that we have 2 options.

1.  Change the certificate to another CA on the server.
        a.  He said GoDaddy or Verisign will work for sure (it's working in his test lab).
        b.  Try to get a refund on the THAWTE certificate that we purchased.

2.  Wait for the certificate trust anchors to get updated by the Application.
        a.  But who knows when that will happen.

The consultant stated that if he browses to the web URL that the QR code is referencing (for example, https://whatever.com) there is no certificate error prompt, and I verified that I do not see any certificate errors either (from a browser).

My manager thinks that the consultant should include the certificate in the authentication chain on the new Authentication server; but, I am not sure how that part actually works.  

I also discovered another web article describing the same problem with apps vs browsers: https://stackoverflow.com/questions/26226713/moved-ssl-cert-now-getting-java-security-cer-certpathvalidatorexception

This error came about because the certificate I had installed on my server was a primary cert with no chain. I concatenated the secondary cert with the primary into a single file, installed on the server, and Android accepted the SSL connection.

If it does not work in the app but works in the browser, it is often the case that the site uses Server Name Indication (SNI) to have multiple certificates on a single IP address. This is supported by all modern browsers, but not by the old Apache HTTP client shipped with Android.

Question 1:  Can someone explain to me how authentication chains work with SSL certificates?

Question 2:  Can someone explain to me what our options are, and whether all that needs to be done is for the consultant to add the SSL cert to the authentication chain or not?
      a.  Or must we do something else instead like get another SSL certificate?
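As an added example (my own code, not the asker's or the answer's), the Go program below builds a constructed root, intermediate and leaf chain and then verifies the leaf the way a client whose trust store holds only the root would: once with the server "sending" only the leaf, and once with the intermediate included. The failing case is the Android/Java CertPathValidatorException situation quoted above; the passing case is the concatenated-chain fix. All names (root-ca.example.test, issuing-ca.example.test, remote.example.com) are made up, and for brevity every certificate carries the same key usages.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a 24h cert for name signed by parent; nil parent = self-signed root.
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // keygen from crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{name}, // SAN only matters on the leaf
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, // demo-wide; a real CA is stricter
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced parses cleanly
	return cert, key
}

// VerifyLeaf mimics a client trusting only root: the only usable intermediates are the extra certs the server sent.
func VerifyLeaf(leaf, root *x509.Certificate, sent ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inter})
	return err
}

// Demo returns the verification error with only the leaf sent (missingInter) and with the full chain sent (fullChain).
func Demo() (missingInter, fullChain error) {
	root, rootKey := mkCert("root-ca.example.test", true, nil, nil)
	inter, interKey := mkCert("issuing-ca.example.test", true, root, rootKey)
	leaf, _ := mkCert("remote.example.com", false, inter, interKey)
	return VerifyLeaf(leaf, root), VerifyLeaf(leaf, root, inter)
}
```

The first result is the "unknown authority" failure an app sees when the server omits the intermediate even though the root itself is trusted; the second is nil, which is what concatenating the intermediate into the server's certificate file achieves.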
ASKER CERTIFIED SOLUTION
David Favor
Fractional CTO