Install SSL Certificate with BlackBerry App

We have a BlackBerry app that accesses a secure web service that uses an SSL Certificate that is not installed on some BlackBerry OS5 devices. This is causing problems for users of our apps who see this message: "You are attempting to open a secure connection, but the server's certificate is not trusted." We can install the cert manually by this method https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO4477&actp=search&viewlocale=en_US&searchid=1328216150785 but this is obviously not a good solution for our customers. Is there a way to package & install the required cert with the app? This cert works fine with iOS, Android, IE, Firefox & Chrome.

asked Feb 3, 2012 at 16:48 by HatAndBeard (1,436 reputation, 3 gold badges, 18 silver badges, 31 bronze badges)

1 Answer

You can include the cert X509 in the code bundle as a resource and put it in the key store. But the user will have to manually go into their certificate store and trust it. If the user has not previously used the certificate store this will have the unfortunate side effect of forcing them to pick a password at that point.

The following code will read a certificate from a resource file in PEM format but with the -----BEGIN/END CERTIFICATE----- lines removed. I have used all the elements of this code, but not in this exact configuration. If there are any problems with it I would be happy to try to sort them out.

The certificate won't be trusted, so the user will have to manually go into the certificate store application under device Options and "Trust" the certificate. Make sure they understand that they cannot revoke the certificate. That operation cannot be undone on the device without wiping and re-installing the OS. The only other option is to re-issue a new certificate.

If anyone knows how to get around these finicky bits, let me know and I will include the solution in this code, or link to wherever it exists now.

```java
import java.io.IOException;
import java.io.InputStream;

import net.rim.device.api.crypto.CryptoException;
import net.rim.device.api.crypto.certificate.CertificateException;
import net.rim.device.api.crypto.certificate.CertificateStatus;
import net.rim.device.api.crypto.certificate.x509.X509Certificate;
import net.rim.device.api.crypto.keystore.DeviceKeyStore;
import net.rim.device.api.crypto.keystore.KeyStore;
import net.rim.device.api.io.Base64InputStream;

// This runs inside an instance method, since getClass() is used to locate the resource.
X509Certificate _x509;
try {
    // Get an input stream for the certificate in a resource file
    InputStream rs = getClass().getResourceAsStream("/certificate.pem");
    // PEM format is Base64 encoded
    Base64InputStream b64is = new Base64InputStream(rs);
    // Create the X509 certificate
    _x509 = new X509Certificate(b64is);
    // Clean up.
    b64is.close();
    rs.close();
    // If the certificate is self signed this will perform a
    // verification check. For non-self signed certificates
    // one could provide the signer's certificate in another
    // resource file and validate it with that public key. Other
    // versions of verify will verify it with a certificate in
    // a keystore, but then we wouldn't need to do all this.
    _x509.verify(_x509.getPublicKey());
    System.out.println(_x509.getSubjectFriendlyName());
    System.out.println(Integer.toHexString(_x509.hashCode()));
    // Add the certificate to the DeviceKeyStore
    KeyStore ks = DeviceKeyStore.getInstance();
    // Associated data is set to null, but can be used if there is associated
    // data known. You can use _x509.getStatus() instead of encoding the GOOD
    // constant, but if the device can not find a revocation or validation list
    // it will set the status to UNKNOWN which will confuse users. ks.getTicket()
    // will prompt the user for permission for the program to access the key store.
    // This may also cause the system to ask the user to set a password, unfortunately
    // I can't remember, but I don't think it will if there is no private key in the
    // certificate.
    ks.set(null, _x509.getSubjectFriendlyName(), _x509, CertificateStatus.GOOD, ks.getTicket());
} catch (CertificateException ce) {
    System.out.println(ce.toString());
} catch (CryptoException crypt) {
    System.out.println(crypt);
} catch (IOException ioe) {
    System.out.println(ioe.toString());
}
```
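The answer above requires the `-----BEGIN/END CERTIFICATE-----` lines to be stripped from the resource by hand, and its comment mentions verifying a non-self-signed certificate against the issuer's public key instead of its own. The following is an added example, not code from the question or the answer: it accepts an unmodified PEM file, removes the armor lines and whitespace itself, verifies the server certificate with an issuer certificate shipped as a second resource, and only then adds it to the device key store. It uses the same BlackBerry calls the answer uses (`Base64InputStream`, `X509Certificate(InputStream)`, `verify(PublicKey)`, `DeviceKeyStore.getInstance()`, `KeyStore.set(...)`) plus CLDC `java.io`; the class name, method names and the resource names `/server.pem` and `/issuer.pem` are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import net.rim.device.api.crypto.CryptoException;
import net.rim.device.api.crypto.certificate.CertificateException;
import net.rim.device.api.crypto.certificate.CertificateStatus;
import net.rim.device.api.crypto.certificate.x509.X509Certificate;
import net.rim.device.api.crypto.keystore.DeviceKeyStore;
import net.rim.device.api.crypto.keystore.KeyStore;
import net.rim.device.api.io.Base64InputStream;

// Hypothetical helper class (not part of the original answer).
public class PemCertificateInstaller {

    // Read a whole resource into memory; CLDC has no readAllBytes().
    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[512];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Keep only the Base64 body: drop "-----BEGIN/END ...-----" lines, blank
    // lines and surrounding whitespace. CLDC lacks String.split, so scan by hand.
    static String stripPemArmor(String pem) {
        StringBuffer body = new StringBuffer();
        int start = 0;
        while (start < pem.length()) {
            int end = pem.indexOf('\n', start);
            if (end == -1) {
                end = pem.length();
            }
            String line = pem.substring(start, end).trim();
            if (line.length() > 0 && !line.startsWith("-----")) {
                body.append(line);
            }
            start = end + 1;
        }
        return body.toString();
    }

    // Parse one PEM resource (armor lines allowed) into an X509Certificate.
    X509Certificate loadPem(String resourceName) throws IOException, CryptoException {
        InputStream rs = getClass().getResourceAsStream(resourceName);
        if (rs == null) {
            throw new IOException("resource not found: " + resourceName);
        }
        String body;
        try {
            body = stripPemArmor(new String(readAll(rs)));
        } finally {
            rs.close();
        }
        // Same decoding path as the answer, fed from the cleaned-up body.
        Base64InputStream b64is = new Base64InputStream(new ByteArrayInputStream(body.getBytes()));
        try {
            return new X509Certificate(b64is);
        } finally {
            b64is.close();
        }
    }

    // Verify the server certificate with the issuer's public key, then store it.
    // Returns true only if verification succeeded and the store accepted it.
    public boolean install(String serverPem, String issuerPem) {
        try {
            X509Certificate server = loadPem(serverPem);
            X509Certificate issuer = loadPem(issuerPem);
            // Throws if the server certificate was not signed by this issuer,
            // so a wrong or tampered resource is never written to the store.
            server.verify(issuer.getPublicKey());
            KeyStore ks = DeviceKeyStore.getInstance();
            // ks.getTicket() prompts the user, exactly as in the answer.
            ks.set(null, server.getSubjectFriendlyName(), server, CertificateStatus.GOOD, ks.getTicket());
            return true;
        } catch (CertificateException ce) {
            System.out.println("certificate problem: " + ce);
        } catch (CryptoException crypt) {
            System.out.println("crypto/keystore problem: " + crypt);
        } catch (IOException ioe) {
            System.out.println("resource problem: " + ioe);
        }
        return false;
    }
}

// Usage from application code, e.g. during startup:
//   new PemCertificateInstaller().install("/server.pem", "/issuer.pem");
```

Checking the signature against the issuer rather than the certificate's own key is what makes the resource worth trusting: a self-signature only proves the file is internally consistent, while an issuer check proves it chains to the CA you expected. The user still has to mark the certificate as trusted in the device's certificate store afterwards, as the answer explains.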