1. Make sure your password contains only ASCII letters and digits; there may be
some other chars that get encoded to different byte values on the computer that
creates the .p12 and on the Android.
2. ISTR that some other SSL implementations choke on RSA keys with certain
values of the most or least significant bits. I think there are some obscure
openssl options to avoid those keys, but I don't know if this affects Android.
3. I suspect that some of the .p12 code in Android is no longer being tested by
Google QA due to an ongoing lawsuit over ownership of one of the test files
previously used for regression testing that part of Android.

On 9/20/2011 6:22 PM, Richard Pickett wrote:
I have attempted several scripts to create a ca and then a client cert
p12 bundle. The p12 is then downloaded on an android device, and it
seems to be hit-and-miss. Some certs work, some certs never work. It
stops at the point where the android is importing the cert and asks
for the password. There's no way to tell it there's no password, so
when I create the client cert I create it with a password. But on the
certs that don't work, the android keeps coming back and asking for
the password over and over.
Maybe you guys can see what I'm doing wrong?
To create the CA:
openssl req \
-new \
-x509 \
-out ca.crt \
-keyout ca.key \
-days 3065
To create the client cert:
openssl req -new -keyout client.key -out client.csr -days 3065
SAN="ipsec.client" openssl x509 -extfile ./x509v3.cnf -extensions x509v3_FQDN \
-req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
-name client -out client.p12
If you need the openssl.conf, I can send that along too.
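
Added example, not part of either message above: point 1 of the reply worked through in code. PKCS#12 (RFC 7292, Appendix B.1) feeds the password to key derivation as a BMPString (UTF-16BE plus a two-byte terminator). The byte-wise widening below is an assumed model of a tool that converts the typed bytes without decoding them first, and all function names and sample passwords are hypothetical.

```python
import string

# Characters the reply recommends: ASCII letters and digits only.
SAFE = set(string.ascii_letters + string.digits)


def is_portable(password):
    """True if the password uses only ASCII letters and digits."""
    return bool(password) and all(c in SAFE for c in password)


def bmp_from_text(password):
    """RFC 7292 B.1 form: UTF-16BE code units plus a two-byte terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def bmp_from_bytes(raw):
    """Assumed model: each input byte is widened to one 16-bit unit."""
    return b"".join(bytes([0, b]) for b in raw) + b"\x00\x00"


def candidate_encodings(password):
    """BMPString forms that different tool chains could derive."""
    forms = {"utf16-of-text": bmp_from_text(password)}
    for enc in ("utf-8", "latin-1"):
        try:
            raw = password.encode(enc)  # bytes as the terminal would send them
        except UnicodeEncodeError:
            continue  # this terminal encoding cannot represent the password
        forms["bytewise-" + enc] = bmp_from_bytes(raw)
    return forms


def diverges(password):
    """True if exporter and importer could end up with different key input."""
    return len(set(candidate_encodings(password).values())) > 1


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for pw in ("Secret123", "p\u00e4ssword"):
        print(repr(pw), "portable:", is_portable(pw), "diverges:", diverges(pw))
        for name, form in sorted(candidate_encodings(pw).items()):
            print("   ", name, form.hex())
```

When the forms diverge, the importing device derives a different key from the same typed password, so the MAC check fails and it asks for the password again.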