Certificate issue: SSL page brings up "you need to set a lock screen pin or password before you can use credential storage" on Android
We've set up the certificates on our server, and when requesting https://www.ourserver.org, Android (whatever the browser used) shows a little popup:

You need to set a lock screen pin or password 
before you can use credential storage

Which is wrong; it seems that the phone is trying to register that certificate?

It only happens on Android so far; it's fine on iPhone and desktop browsers.

Our Stunnel config:

[www.ourserver.org]
  cert = /etc/stunnel/certs/www.ourserver.org.crt
  key = /etc/stunnel/keys/www.ourserver.org.key
  CAfile = /etc/stunnel/certs/www.ourserver.org.intermediate.crt
  accept  = 10.10.54.2:9443
  connect = 10.10.54.2:9444
  verify=1
  xforwardedfor = yes
  TIMEOUTclose = 0

The cert file is issued by RapidSSL. The intermediate CAfile contains both: the intermediate certificate first, then the cert certificate.

Any idea what went wrong in our certificate config?

If I go through the process of securing my phone with a lock screen, accessing the same page then shows:

No certificates found

The app Chrome has requested a certificate. 
Choosing a certificate will let the app use this 
identity with servers now and in the future. The 
app has identified the requesting server as (...), 
but you should only give the app access to the 
certificate if you trust the app. You can install 
certificates from a PKCS#12 file with a .pfx or a 
.p12 extension located in external storage.
Akan answered 11/10, 2013 at 5:49 Comment(2)
I have a similar issue, did you ever resolve this? Leafy
Answer from a colleague: we moved to AWS... I'm sad now :( Akan
2

It's not an Android/Chrome issue. The problem was from the fact that the server was requesting a certificate from the client. For Apache add/change the following parameter in your conf or in your sites definition:

SSLVerifyClient none
Asteria answered 11/12, 2015 at 17:40 Comment(0)
4

This same thing happened to me when I was installing my certificate on my Android Tablet.

  1. Yes, you need to set a lock or pin code (but this can be removed after installing the certificate)
  2. Just copy the .pfx file in your Android phone
  3. On your phone Settings look for Security
  4. Under credential storage (this option might vary depending on your Phone settings), there should be an option to install certificates
  5. Restart your phone

Hope this helps.

Hemorrhage answered 11/10, 2013 at 13:35 Comment(1)
I'm not trying to add a certificate to a phone, you got it wrong! I'm trying to properly set up an SSL connection. Akan
2

This isn't the most secure solution, but it got the job done for me. I had to edit the SSL properties through IIS to ignore client certificates. IIS Setting Change

Guess answered 13/11, 2015 at 19:9 Comment(0)
1

If 'verify=1' is removed, then no certificates are valid at all.

Beset answered 13/10, 2013 at 22:33 Comment(3)
Add as comment instead of answer. Pyrex
What do you mean? verify=1 is to have the server verify client certificates. Unsaddle
I removed the option 'verify=1' and restarted the stunnel service, but unfortunately SSL did not work at all when accessing the website on Android and Apple phones. Beset
0

I would suspect this is caused by verify = 1 in your configuration ("Verify peer certificate if present."). This would make your Stunnel server request a client certificate, which would cause the client to check whether it has one in its own keystore.

User interfaces for client-certificate authentication are generally not the most user-friendly, so that would explain the messages you get.

(In addition, Stunnel is probably not the best HTTPS reverse proxy, there are other tools that will know how to deal with HTTP properly, but that's a different matter.)

Unsaddle answered 11/10, 2013 at 11:13 Comment(0)
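To see the mechanism this answer describes in isolation, here is an added Go example (not code from the question, from stunnel or from any answer): a loopback TLS server whose ClientAuth policy stands in for stunnel's verify setting, and a client whose GetClientCertificate callback fires only when the server actually sends a CertificateRequest, which is the same event that makes Android open its credential-storage prompt. The self-signed certificate is constructed test material, not the asker's RapidSSL chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// ServerRequestsClientCert runs a loopback TLS server with the given client-auth
// policy and reports whether a client holding no certificate gets asked for one.
// tls.RequestClientCert mirrors stunnel's verify = 1 (request, but don't require);
// tls.NoClientCert mirrors leaving the option out.
func ServerRequestsClientCert(policy tls.ClientAuthType) bool {
	// Mint a throwaway self-signed server certificate (constructed test material).
	_, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	must(err)
	srv := &tls.Config{ClientAuth: policy,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	must(err)
	defer ln.Close()
	go func() { // serve one connection; Handshake drives the server half to completion
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	asked := false
	cli := &tls.Config{InsecureSkipVerify: true, // loopback test against the cert minted above
		// Go invokes this only after a CertificateRequest arrives: the moment Android prompts.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			asked = true
			return &tls.Certificate{}, nil // offer nothing, like a browser with an empty keystore
		}}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	must(err)
	conn.Close()
	return asked
}
```

With RequestClientCert the handshake still succeeds without a client certificate, which is why the page loads once the prompt is dismissed; the prompt itself only disappears when the server stops asking.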
0

@maxshuty There are no code changes required. Here's the IIS equivalent to the answer from @Tandled for later IIS versions (which seems to be pretty significantly different)... IIS client authentication. Selecting the Ignore option worked in my case.

I know this should be a comment but I can't comment. I think it's worth putting as an answer all the same.

Ragland answered 25/7, 2019 at 15:28 Comment(0)
