112

GUI to add/trust SSL root certs/self signed certs

asked 2013-12-25 20:13:15 +0300

slaveriq

updated 2014-12-10 14:43:57 +0300

rainisto

Would be nice to be able to add the CA root certs or trust a self-signed cert. This should be a global trust for e.g. wifi/browser/email client and so on.


Comments

5

Update for email app is needed too: at the moment all certs are silently accepted. It means that SSL security is nonexistent.

ortylp (2013-12-25 22:02:02 +0300)
11

Also a user should be able to disable any of the pre-installed CAs on the system.

Ilari Stenroth (2013-12-26 01:26:42 +0300)
1

This is a must, but for usability there must be a way to discover (using the browser?) which certs you actually need, and optionally reenable the CA or the single cert for the website/service you use.

ortylp (2013-12-26 13:48:46 +0300)

What exactly is the physical location of the CA certs?

AL13N (2013-12-26 21:53:36 +0300)

/etc/pki/tls/certs

ortylp (2013-12-26 23:22:52 +0300)

5 Answers

3

answered 2019-02-28 14:46:14 +0300

alloj

With recent news of CA snooping, the request to manage CA root stores should be timely again. I think it is important not only to add but also remove CAs!

3

answered 2016-10-27 14:43:47 +0300

jovirkku

A page for viewing system certificates was added to Settings. Included in update 2.0.4.


Comments

1

Yes, that does allow viewing the certs. But this question is about adding.

pcfe (2018-04-29 12:34:13 +0300)
3

answered 2014-01-20 22:52:30 +0300

Nokius

Alexander Couzens found a solution for the XMPP cert problem --> http://lunarius.fe80.eu/blog/jolla-jabber-certificate.html

27

answered 2014-01-16 10:44:37 +0300

I think this should be solved by having proper certificate management in Jolla, with UI and all, as well as having ways to securely accept self-signed certificates when they may be needed.

The following is a copy of a question/feature-request I made before, but which was closed as duplicate of this question. Accepting self signed certificates is still open so if you would want to be able to accept/deny certificates in any app (email, XMPP, web browser, etc.) please go and vote for it.

A certificate manager (with UI) to install, modify and delete X.509 certificates on Jolla device is needed.

This certificate manager should be able to handle installing both CA and client certificates from files, email attachments, configuration packages or directly from web browser downloads. MIME types could be used for sending certificates always to certificate manager app.

It should also have the capabilities to edit trust settings for all certificates like for example that certain certificates could only verify email servers, web servers, wifi authentication servers or persons and not by default all of them.

Managing certificates should support mass operations so that for example revoking trust from several certificates could be done without having to go through all certificates one-by-one.

No certificates should be above the certificate manager control meaning that also builtin certificates should be able to be deleted or at least distrusted or their scope to be modified (limiting them for example to web site authorisation etc.).


Comments

1

imho, this doesn't need to come from jolla, an app could be made for this...

AL13N (2014-01-18 00:17:22 +0300)
6

This kind of functionality is a part of core platform security, because every app using SSL/TLS needs to be able to use it. The only way to keep it stable and secure is to develop it with the platform. Outsiders cannot participate, they can only follow and that does not work.

Karri Huhtanen (2014-01-18 10:58:28 +0300)

I'll add one more requirement on top of that of Karri's: API to manage the certificates via EMM/MDM platform. Rationale for this are enterprises running WLAN networks with WPA2 Enterprise authentication. That is, they have corporate root certificate they need to mass-deploy to devices at the minimum. Normally they also need something like SCEP on devices to manage certificates more holistically. Apple iOS 6+ and MS WinPhone 8+ have example implementations. Apple being more clean.

Being able to select EAP-AKA as cipher would also permit operators to do WLAN/WiFi offloading more easily by authenticating the device onto their wireless networks easily.

trivore (2015-06-25 20:01:12 +0300)

Any news on this? Is there a plan for having this implemented? Where might I find a development plan/site/information where all enhancements and bug fixes are planned and managed? Thank you. Kind regards,

megalith (2016-03-12 18:00:20 +0300)

In my opinion this should be implemented like in Firefox and then for all applications android/SFOS/web. Thx, megalith

megalith (2016-03-12 18:01:53 +0300)
6

answered 2013-12-25 20:40:56 +0300

Jukka

For Exchange email this is coming in the next update.


Comments

I saw this in the changelog, can anyone confirm that it works for Exchange mail?

AL13N (2013-12-28 17:01:50 +0300)

Yes, it works with my company's server that has a self-signed SSL certificate.

Jukka (2013-12-29 18:42:04 +0300)

Did it ask if the user wanted to accept the self-signed certificate or did it just accept it?

Karri Huhtanen (2014-01-09 11:08:14 +0300)

There is a checkbox in manual settings screen to allow all certificates.

Jukka (2014-01-09 11:11:03 +0300)

Uh, that's bad because it allows man-in-the-middle attacks. The proper way to do this is to add certificate management UI and/or ways for certificate pinning to Jolla.

Karri Huhtanen (2014-01-09 11:29:48 +0300)
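
The difference between an "allow all certificates" checkbox and the explicit acceptance, per-purpose scoping and mass revocation requested in this thread, shown as an added example that is not code from the thread or from Jolla. `PinStore`, `fingerprint` and `PURPOSES` are hypothetical names, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac

# Trust scopes taken from the thread's wording; the names are illustrative.
PURPOSES = {"email", "xmpp", "web", "wifi"}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of the presented certificate."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Hypothetical store of certificates the user explicitly accepted."""

    def __init__(self):
        self._pins = {}  # (host, purpose) -> SHA-256 hex digest

    def accept(self, host: str, purpose: str, der: bytes) -> None:
        """Pin a certificate after the user has confirmed its fingerprint."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._pins[(host.lower(), purpose)] = fingerprint(der)

    def check(self, host: str, purpose: str, der: bytes) -> str:
        """Return 'trusted', 'unknown' (ask the user) or 'mismatch' (refuse)."""
        pin = self._pins.get((host.lower(), purpose))
        if pin is None:
            return "unknown"
        same = hmac.compare_digest(pin, fingerprint(der))
        return "trusted" if same else "mismatch"

    def revoke(self, hosts, purpose=None) -> int:
        """Mass operation: drop pins for several hosts, optionally one scope."""
        wanted = {h.lower() for h in hosts}
        doomed = [k for k in self._pins
                  if k[0] in wanted and purpose in (None, k[1])]
        for key in doomed:
            del self._pins[key]
        return len(doomed)


def demo():
    # Constructed stand-ins for DER bytes; a client would pass the value of
    # ssl.SSLSocket.getpeercert(binary_form=True) instead.
    ours, other = b"constructed-cert-A", b"constructed-cert-B"
    store = PinStore()
    first = store.check("mail.example.org", "email", ours)
    store.accept("mail.example.org", "email", ours)
    return [first,
            store.check("mail.example.org", "email", ours),
            store.check("mail.example.org", "email", other),
            store.check("mail.example.org", "xmpp", ours)]
```

A certificate accepted for email stays unknown for XMPP, and a changed certificate on a pinned host is reported as a mismatch instead of being silently accepted.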
Asked: 2013-12-25 20:13:15 +0300

Seen: 2,758 times

Last updated: Feb 28 '19