UPDATE 14/4/10:
This blog post has been superseded by changes in version 0.9.2.0 of Calendar Sync.
You can now accept certs without using the method below simply by checking the option "Accept SSL Certificates from untrusted sources" in the advanced connection settings.
However, note that enabling this option could expose you to a man-in-the-middle attack. You must ensure for yourself that you can trust the server/certificate.
Calendar Sync can connect to servers via secure SSL connections. This works fine for 'big domain' calendar servers if they are signed by one of Android's supported CAs (Certificate Authorities). However, private calendar servers' SSL certificates are usually signed by the server itself, or perhaps by a less well-known CA that Android doesn't support by default. In such cases, the error "Not trusted server certificate" appears.
We need a way to make Calendar Sync accept these SSL connections, since many CalDAV calendars are run securely from private servers. Fortunately, there is a way, but it's not pretty. Thanks to Bob Lee for his great blog post about trusting SSL certs in Android. I've reproduced the relevant steps here, and the extra steps necessary to make it work with Calendar Sync.
In short, you do this from your computer, where you have to create an encrypted keystore file which contains the public cert of the CA that issued your server SSL certificate. For self-signed certs, that normally means the CA is your own server's public cert.
1: Download Pre-requisites
Download the Java Runtime if you don't already have it installed.
Download the Bouncy Castle Provider JAR
For this example, let's assume we downloaded bcprov-jdk16-145.jar into the directory c:\temp on the computer. You should download the latest jar, or whichever best matches the version of Java you have installed.
2: Get the CA cert
Get the public certificate for your server or CA. It needs to be in PEM format. A PEM format certificate is just encoded text in a file, wrapped in BEGIN and END CERTIFICATE like this:
-----BEGIN CERTIFICATE-----
[...Some Encoded Text...]
-----END CERTIFICATE-----
Where and how to get this file depends on your server or CA.
For a CA, there should be a PEM file of their certificate available to download.
If the certificate is self-signed by the server, you may need to generate a server certificate PEM file. The way you do this depends on your server operating system and the program you used to generate the cert, which is beyond the scope of this article. For example, here's a guide on how to do it with OpenSSL.
Save the PEM cert into a local directory on your computer, e.g. c:\temp\myCACert.pem
3: Create a keystore for the cert in BKS format
Open a command terminal window on your computer and run Java's keytool. This will create a file called CA.bks.
c:\temp> keytool -import -v -trustcacerts -alias 0 ^
  -file myCACert.pem ^
  -keystore CA.bks -storetype BKS ^
  -provider org.bouncycastle.jce.provider.BouncyCastleProvider ^
  -providerpath bcprov-jdk16-145.jar ^
  -storepass myCAPassword
[...]
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing CA.bks]
C:\temp>
4: Copy your root cert keystore to the Android device
Connect your Android phone to the computer in USB Drive mode.
Create a directory on your phone's SD card and copy the keystore file you just created into it: /CalDAVSync/CA/CA.bks
Note: The directory and file name must match this exactly or Calendar Sync will not find it.
5: Tell Calendar Sync to use the cert in the keystore file
Open Calendar Sync and navigate to More->Advanced->Advanced Connection.
Check to Enable use of the Self-Certified Cert Authority.
Enter the password you used when creating the keystore (which is myCAPassword in the example above).
Save the new settings and run Synchronization to test connection to your calendar server.
Note: You must turn off USB drive if connected to the computer before synchronizing again. Calendar Sync cannot read the SD card while the phone is in USB drive mode, and the "Not trusted server certificate" will persist.
Note: If you ever change your CalDAV Calendar connection to a different SSL server location, remember to uncheck Use Self-certified Cert Authority again, or it may not connect.
That's it. It's not straightforward. Wouldn't it be great if Android could add trusted certificates system-wide? Maybe in a future release, Google?
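How a Java or Android client can consume a keystore like the CA.bks built above, as an added example (not Calendar Sync's own code and not part of the original post): it builds an SSLContext that trusts only the CA certs in that keystore, so certificate-chain and hostname checks stay enabled, unlike the "Accept SSL Certificates from untrusted sources" option. The class name, method name and command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical illustration class; not taken from Calendar Sync.
public class KeystoreTrustExample {

    /** Builds an SSLContext whose only trust anchors are the certs in the BKS keystore. */
    static SSLContext contextFromKeystore(String path, char[] password) throws Exception {
        // "BKS" is available by default on Android; on desktop Java the
        // Bouncy Castle provider must be registered first.
        KeyStore trusted = KeyStore.getInstance("BKS");
        try (InputStream in = new FileInputStream(path)) {
            // load() throws IOException if the password is wrong or the
            // keystore file fails its integrity check.
            trusted.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted); // replaces the platform CA list for this context only

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert, default RNG
        return ctx;
    }

    // Usage: KeystoreTrustExample <path to CA.bks> <keystore password> <https URL>
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromKeystore(args[0], args[1].toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place, so the server name
        // must still match the certificate. A server whose chain does not end
        // at a cert in the keystore fails with SSLHandshakeException.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Because the trust anchors are scoped to this one SSLContext, connections made elsewhere in the app continue to use the platform's default CA list.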