Wednesday, May 29, 2013

SSL failure with DSA certificate on iOS

This may come in handy when testing a connection from iOS to a remote server over SSL.

An SSL connection from an iOS device to a remote server will fail if the remote server's certificate uses the DSA algorithm. I found this during testing, and I don't know if Apple has this documented.

My remote server was a Java server and used JKS as the keystore format. By default, the Java keytool creates DSA-type certificates.

To test that having an RSA certificate would get me past the issue, I created a new self-signed certificate with the JDK keytool, using the RSA key type. Then I converted the certificate to PEM format and ran an openssl server with the PEM certificate. I then connected to the openssl server from the Safari browser on the iOS device, and the connection was successful.

You may ask why I didn't create the certificate directly with openssl in PEM format. Well, I used keytool to show a colleague how to convert JKS to PEM.


  1. Create a self-signed certificate

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
  2. Export JKS to PKCS12

    keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12
  3. Convert PKCS12 to PEM

    openssl pkcs12 -in keystore.p12 -out keystore.pem
  4. Launch a test server with openssl command

    openssl s_server -cert keystore.pem -www
  5. Connect to the server from a browser on iOS or from a remote device

    openssl s_client -connect host:4433
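
A pre-flight check for the failure described in this post, as an added example that is not part of the original post: it reads the certificate's public key algorithm from `openssl x509 -text` output and flags DSA. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the key algorithm of a
# server certificate so a DSA certificate is caught before testing from iOS.

# Read `openssl x509 -noout -text` output on stdin and print the subject
# public key algorithm, e.g. rsaEncryption or dsaEncryption.
key_alg_from_text() {
    sed -n '/Public Key Algorithm:/{s/^.*Public Key Algorithm:[[:space:]]*//p;q;}'
}

# Turn an algorithm name into a verdict. Exit status: 0 = not DSA,
# 1 = DSA (the case the post saw fail), 2 = no certificate could be read.
verdict() {
    case "$1" in
        "")        echo "ERROR: no certificate found"; return 2 ;;
        dsa*|DSA*) echo "FAIL: DSA key ($1); regenerate with -keyalg RSA"; return 1 ;;
        *)         echo "OK: $1"; return 0 ;;
    esac
}

# Check a PEM file such as the keystore.pem produced in step 3.
check_pem() {
    verdict "$(openssl x509 -in "$1" -noout -text 2>/dev/null | key_alg_from_text)"
}

# Check a live server given as host:port, e.g. the s_server from step 4.
check_server() {
    verdict "$(openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | key_alg_from_text)"
}

# Constructed sample: excerpt of `openssl x509 -text` output for a DSA cert.
sample_dsa_text() {
    cat <<'EOF'
        Signature Algorithm: dsa_with_SHA256
        Subject: CN = test.example
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
EOF
}

# Usage: sh check_cert.sh keystore.pem   or   sh check_cert.sh host:4433
if [ "$#" -eq 1 ]; then
    if [ -f "$1" ]; then check_pem "$1"; else check_server "$1"; fi
fi
```

The exit status makes the check usable in a test script: a non-zero status means the certificate should be regenerated or could not be read.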


Tuesday, May 7, 2013

Self-signed Cert with Android and iPhone

Often there is a need to put a certificate on an Android device (emulator or real) for testing with SSL. This will be the case when one needs to use a self-signed cert, since getting a real CA-signed cert is expensive.

The high-level steps are:

  1. Export the cert from your current keystore and put it into a file
  2. Copy the cert file to the Android device
  3. Run the Settings app to add it to the trusted certificates.

The caveat is that the exported file from step 1 needs to be in p12 format.

Here are the detailed steps for the Android emulator, using JKS as the source keystore.

  1. keytool -importkeystore -srckeystore -destkeystore -deststoretype PKCS12 -srcalias
  2. Start the Android emulator - emulator -avd & - Wait for this to finish
  3. adb devices - will list the Android instances it knows about; wait for the emulator to show up here as running.
  4. adb push /sdcard/file.p12 - Copies the exported cert file to /sdcard area of Android
  5. Go to Emulator > Settings > Security > Install Trusted Cert from SD card
  6. Type the password that you specified in step 1
  7. You should be good to go.

It is even easier for iPhone.

  1. Just email the cert from step 1, as an attachment, to an email account configured on the iPhone
  2. Open the email on the iPhone and click/tap the attachment.