[Feature Request] Ability to use TLS client certificates from the system keystore #1061
Comments
This seems reasonable. I think there are a couple of UX questions that would need to be thought about, such as "How does the user specify a client cert that's in the system store, and which one it is". Depending on device support, I wonder if it's worth migrating the job of client cert certificate to the OS itself, so the "choose a client cert" option just becomes a name picker for the system store. Bit of research needed.
@growse I think you implemented this, so you can probably close this now. I'm using a self-signed TLS certificate from my system certificate storage and it's working perfectly fine.
Interesting - I did some research on this which has started leading me down the conclusion that Android has effectively severely restricted the system keystore and the way in which the user can configure it. As I understand it, users can (in recent Android versions) only add cert/key pairs for the purposes of WiFi or VPN authentication, and there's no API provided on the platform to allow other apps to be able to add, or retrieve these for their own use. @ahmouse15 I think you're referring to being able to use a root certificate that you've imported as a trust anchor for the server that you're connecting to, whereas I think @unrelentingtech is after being able to use the cert store for client cert authentication. More research still needed, but I think it's looking like we're not going to be able to use the system store for client certs - the APIs aren't there to do it, and that looks to be a very deliberate decision from the Android maintainers.
See openhab/openhab-android#232 for how openHAB implemented it. Seems like it's
Thanks for pointing me in the right direction. I'll take a look to see how they're doing it.
I already have a client certificate installed in Android's system keystore (which can be hardware-backed). It is used by e.g. Chromium-based browsers and the openHAB client. OwnTracks should be able to use it too, rather than requiring an app-specific import.
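The platform API relevant to this request is android.security.KeyChain: it lets an app ask the user to pick a client certificate that was installed into the system credential store and then obtain a private key handle and certificate chain for that alias without the key material ever being copied into the app. The block below is an added example written for this page; it is not OwnTracks code and is not taken from the openHAB implementation linked in the thread. The class and method names KeyChainClientCert, pickAlias, keyManagerFor and socketFactory are invented for illustration, and the example assumes the caller already has an Activity for the picker and a Context for the key lookup.

```java
import android.app.Activity;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;

import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Example only (names invented for this illustration): select a client
 * certificate from the Android system credential store through the platform
 * KeyChain API and wire it into an SSLContext for mutual-TLS connections.
 */
public final class KeyChainClientCert {

    private KeyChainClientCert() {}

    /**
     * Shows the system certificate picker. The chosen alias is delivered to
     * the callback (null if the user cancels or nothing is installed). The app
     * only ever stores the alias string, never the key.
     */
    public static void pickAlias(Activity activity, String host, int port,
                                 KeyChainAliasCallback callback) {
        KeyChain.choosePrivateKeyAlias(
                activity,
                callback,
                new String[] {"RSA", "EC"}, // acceptable key types
                null,                       // any issuer is fine
                host,                       // hints shown in the picker
                port,
                null);                      // no pre-selected alias
    }

    /**
     * Builds a KeyManager bound to one alias. KeyChain.getPrivateKey returns an
     * opaque platform key object: signing happens inside the keystore (hardware-
     * backed where the device supports it) and the key bytes are not exposed.
     * Both KeyChain calls block and must not run on the main thread.
     */
    public static X509KeyManager keyManagerFor(Context ctx, final String alias)
            throws KeyChainException, InterruptedException {
        final PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        final X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (key == null || chain == null || chain.length == 0) {
            // The user may have revoked the grant or deleted the credential.
            throw new KeyChainException("alias not available: " + alias);
        }
        return new X509KeyManager() {
            @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
                return alias;
            }
            @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
                return null; // client-side only
            }
            @Override public X509Certificate[] getCertificateChain(String a) {
                return alias.equals(a) ? chain : null;
            }
            @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
                return new String[] {alias};
            }
            @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
                return null;
            }
            @Override public PrivateKey getPrivateKey(String a) {
                return alias.equals(a) ? key : null;
            }
        };
    }

    /**
     * SSLSocketFactory that presents the chosen system-store certificate.
     * Passing null trust managers keeps the platform default trust anchors, so
     * server validation is unchanged by this example.
     */
    public static SSLSocketFactory socketFactory(Context ctx, String alias) throws Exception {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(new X509KeyManager[] {keyManagerFor(ctx, alias)}, null, null);
        return sslContext.getSocketFactory();
    }
}
```

Two caveats a practitioner should check before relying on this: the credential has to be installed as a user certificate through the system Settings (an app cannot add one on the user's behalf), and on Android 10 and later an app can only use an alias after the user has granted it access through the picker, so a saved alias should be re-validated with keyManagerFor at startup and the picker shown again if the lookup fails.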