How to programmatically install a CA Certificate (for EAP WiFi configuration) in Android?

Question

My objective: Create an EAP WiFi configuration - including the CA Certificate - in Android programmitcally.

Problem: How do I install a CA Certificate programmatically (and then reference that certificate in the EAP WiFi configuration)?

I found a very useful link already that allows me to create and save EAP WiFi configurations here: How to programmatically create and read WEP/EAP WiFi configurations in Android?

However this assumes that you have already installed the CA Certificate on the device. I would like to install the certificate within my app - either from the resources in the app, or sent from a server.

Is this even possible? (Rooting is not an option in this case.) If so, how?

Additional info...

I also found a way to add a certificate to a KeyStore: https://stackoverflow.com/a/4490543/1172101

However this is used specifically for creating a secure socket and connecting via HTTPS. I want to use the certificate for WiFi.

---

Unfortunately, I have yet to find a way to install a CA Certificate programmatically - from within the app.

However, it is possible to install a certificate via the Web browser in Android. Thus, the solution (for now) is to: Launch an intent to open a URL in the Web browser that goes directly to the CA certificate.

This works but there are some challenges:

• The user must name the certificate. This is a challenge because we are adding the WiFi configuration programmitically. Thus we have to ask the user to give the certificate the same name.
• The user must enter a password. If they don't have a password set up, the user will create one and enter it twice. If they have set a security password, the user will have to remember that same password and enter it.
• Assuming the user successfully completes these steps, he is left hanging in the browser.

This leads to a few questions:

• From my app, is there a way to force a name for the certificate that the user installs via the browser?
• From my app, is there any way to know when the certificate installation has completed and then give focus back to my app?

Just let me know if you need any clarification.

Answer 1

You cannot install it directly since non-system applications don't have access to the key store. On ICS, there is an API for this KeyChain.createInstallIntent() that would launch a system dialog asking the user whether they want to install the certificate. On pre-ICS you can achieve the same thing by launching the install intent using the component name directly (this may or may not work on all devices though). Going through the browser is actually a roundabout way of doing the same thing.

As for your questions:

1. you cannot specify/force a name. Why do you care about the actual name?
2. Not really through the browser. If you use the system intent, you can return to your activity and will get a callback if you use startActivityForResult().

Update: Android 4.3 has WifiEnterpriseConfig which both creates a profile and installs keys and certificates in the system credential store. You only need the CHANGE_WIFI_STATE permission.

Answer 2

I am currently looking to solve the same issues. The best thing that I have found is KeyChain.choosePrivateKeyAlias() allowing the user to select which certificate to use for the SSL. From there you can retrieve the Alias name and pass it to the enterprise wifi configuration.

Answer 3

I'm looking for the same... as for your question, @Nikolay:

you cannot specify/force a name. Why do you care about the actual name?

The EAP profile needs the name of the already-installed-CA. If you look at the example in part 4, you can specify:

final String ENTERPRISE_CA_CERT = "";

In the example, the profile does not use the CA name, but that could be the case for other EAP profiles.