I am trying to test out all aspects of the network security configuration capability of the N Developer Preview. I have most of it working, but I am stumped by the self-signed certificate scenario.
According to the docs, Android N should be happy with a PEM or DER file, as it is for other certificate validation scenarios. However, I do not work with self-signed certificates much, and my attempts to get this working keep running into certificate path validation exceptions.
For testing, I am using thin as the server, running on my development machine, reachable by an N emulator. The self-signed certificate works for browsers on my development machine, and if I switch to running thin sans SSL, apps can reach the server just fine. So, it's not a connectivity issue.
I created the self-signed certificate using the instructions on this site:
sudo openssl genrsa -out "/etc/[webserver]/ssl/example.key" 2048
sudo openssl req -new -key "/etc/[webserver]/ssl/example.key"
-out "/etc/[webserver]/ssl/example.csr"
sudo openssl x509 -req -days 365 -in "/etc/[webserver]/ssl/example.csr"
-signkey "/etc/[webserver]/ssl/example.key"
-out "/etc/[webserver]/ssl/example.crt"
According to this Stack Overflow answer, the example.crt file is a PEM file. Elsewhere, I see instructions for creating a "combined PEM" file. However, I tried both of these, with no luck.
In terms of the network security configuration stuff, I have tried both <domain-config> and <debug-overrides>. The latter looks like:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="@raw/selfsigned"/>
</trust-anchors>
</debug-overrides>
</network-security-config>
But, I get the validation error in either case.
What exactly should we be putting in as a PEM or DER file, as a raw resource, that makes this work?
See Question&Answers more detail:
os 
