6

It feels like I searched the whole web already, but all I found are hints on how to accept an invalid or self-signed certificate automatically. (Using a custom HttpClient and SSLSocketFactory - I already got that working.)

But what I want for my app is that the user gets a browser-like dialog asking something like "Do you really want to trust this server? Here, have a look at its certificate." (But only if the certificate isn't trusted by the default checks.)

Then the certificate should be put in the app's certificate store, so next time it's accepted automatically.

So what I need to know is:

  • How to download the certificate (chain) for a specific host/port combination (to be able to show it to the user)?
  • How to store the certificate in a way so I can load it in a KeyStore later?

This is my planned workflow in the app:

  1. Send a request to the server with my custom HttpClient. Maybe the certificate is trusted by the system or already in my store (if yes, go to 4).
  2. If the request failed due to SSL issues, show the user the certificate and ask whether to trust this connection.
  3. If the user chose to trust, store the certificate in my store and go to 1.
  4. Hooray, connection is ready to use.

So, does anyone know how to do this?

fero
  • 5,652
  • 26
  • 56

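One way to implement the four-step flow from the question, as an added example (not code from the question or the answer): a recording TrustManager fetches the chain for display, the accepted leaf is saved as a trusted entry in the app's own KeyStore file, and a combined TrustManager keeps the platform CA checks enabled while also accepting what the user approved. The store file, password and alias are assumed to be supplied by the caller.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class UserTrustStore {
    // Step 2: one handshake with a TrustManager that only records the chain so it can be shown to the user.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) { seen[0] = chain; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[]{recorder}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();   // the recorder never trusts anything; this context is not reused for requests
        }
        return seen[0];
    }
    // Step 3: persist the certificate the user accepted (the leaf) in the app's store (BKS on Android, JKS/PKCS12 on desktop).
    static void storeCert(File file, char[] pw, X509Certificate leaf, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = file.exists() ? new FileInputStream(file) : null) { ks.load(in, pw); }
        ks.setCertificateEntry(alias, leaf);
        try (OutputStream out = new FileOutputStream(file)) { ks.store(out, pw); }
    }
    // Steps 1/4: accept a chain if the system CAs accept it OR the user's store does; CA checks stay enabled.
    static SSLSocketFactory combinedFactory(File file, char[] pw) throws Exception {
        final X509TrustManager system = firstX509(null);   // null KeyStore = platform CA set
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) { ks.load(in, pw); }
        final X509TrustManager user = firstX509(ks);
        X509TrustManager both = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                try { system.checkServerTrusted(c, a); } catch (CertificateException e) { user.checkServerTrusted(c, a); }
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { system.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[]{both}, null);
        return ctx.getSocketFactory();
    }
    static X509TrustManager firstX509(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

When the request in step 1 fails with an SSLHandshakeException, call fetchChain to display the chain, storeCert only if the user approves, then rebuild the HttpClient's socket factory from combinedFactory and retry.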
1 Answer

0

Don't disable CA checks and catch the exception when trying to connect to a non-CA certificate. When you catch the exception, launch your page for the user to accept/decline. If he accepts, then launch a new connection with CA checks disabled.

Juan Acevedo
  • 1,507
  • 2
  • 18
  • 37
  • Thanks for your answer. Right now, I'm not working on this project anymore. I will get back to your answer once I have resumed work. – fero Feb 21 '14 at 07:25