Question about how SSL Certificates work on a mobile phone app.
We are setting up a 2-factor authentication for our remote access. The process involves enrolling your smartphone with your user account for remote access. Very much like how Duo Mobile works (https://duo.com); but we cannot add our smartphones because, when scanning the QR code to enroll the smartphone, an error comes up stating that the smartphone app does not trust the certificate.
We have a certificate from a respected Certificate Authority (THAWTE) on our Authentication server. The consultant informed me that we have 2 options.
1. Change the certificate to another CA on the server.
a. He said GoDaddy or Verisign will work for sure (it's working in his test lab).
b. Try to get a refund on the THAWTE certificate that we purchased.
2. Wait for the certificate trust anchors to get updated by the Application.
a. But who knows when that will happen.
The consultant stated that if he browses to the web URL that the QR code is referencing (for example, https://whatever.com) there is no certificate error prompt, and I verified that I do not see any certificate errors either (from a browser).
My manager thinks that the consultant should include the certificate in the authentication chain on the new Authentication server; but, I am not sure how that part actually works.
I also discovered another web article describing the same problem with apps vs browsers: https://stackoverflow.com/questions/26226713/moved-ssl-cert-now-getting-java-security-cer-certpathvalidatorexception
This error came about because the certificate I had installed on my server was a primary cert with no chain. I concatenated the secondary cert with the primary into a single file, installed on the server, and Android accepted the SSL connection.
If it does not work in the app but works in the browser, it is often the problem that the site uses server name indication (SNI) to have multiple certificates on a single IP address. This is supported by all modern browsers, but not by the old Apache HTTP client shipped with Android.
1. Can someone explain to me how authentication chains work with SSL certificates?
2. Can someone explain to me what our options are, and whether all that needs to be done is for the consultant to add the SSL cert to the authentication chain or not?
a. Or must we do something else instead, like get another SSL certificate?