I'm trying to use certificate pinning on Android with Retrofit. I'm trying to evaluate a valid Verisign-signed certificate.
I get the following error:
HTTP FAILED: javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed Certificate.
Why can't the certificate pinner evaluate against the device's CA root certs? Does it not have access to the device trust? Or perhaps the device trust does not contain the whole certificate chain. But then why doesn't my SSL communication fail?
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Pin Certificate
CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add("www.mydomain.com", "sha256/somerandompublickeystring")
        .build();

// To handle self-signed cert
OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
OkHttpClient client = clientBuilder.connectTimeout(120, TimeUnit.SECONDS)
        .writeTimeout(120, TimeUnit.SECONDS)
        .readTimeout(120, TimeUnit.SECONDS)
        .certificatePinner(certificatePinner)
        .build();
Found the answer. I can get a hold of the Root trust as shown below and use that in the sslSocketFactory call. This worked for me.
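As an added example (not code from the question or the answer above), this Java snippet shows how the `sha256/...` value passed to `CertificatePinner.add` is derived and configures the pinner with a backup pin, which is the check a practitioner wants before shipping a pinned client. The RSA key pairs are constructed stand-ins for the server's real public key, and `PinExample`, `pinFor` and `pinnedClient` are names chosen here.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Base64;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public class PinExample {

    /** OkHttp pin format: "sha256/" + Base64(SHA-256(SubjectPublicKeyInfo DER)).
     *  The hash covers the public key only, not the whole certificate, so a
     *  re-issued certificate with the same key still matches. */
    static String pinFor(PublicKey key) throws Exception {
        byte[] spki = key.getEncoded(); // DER-encoded SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /** Pins the host to the current key and to a pre-generated backup key, so a
     *  key rotation does not lock every installed app out of the API. */
    static OkHttpClient pinnedClient(String host, String primaryPin, String backupPin) {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(host, primaryPin)
                .add(host, backupPin)
                .build();
        return new OkHttpClient.Builder()
                .connectTimeout(120, TimeUnit.SECONDS)
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys: no real certificate is available offline.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair current = gen.generateKeyPair();
        KeyPair backup = gen.generateKeyPair();

        String primary = pinFor(current.getPublic());
        String secondary = pinFor(backup.getPublic());
        System.out.println("primary pin: " + primary);
        System.out.println("backup pin:  " + secondary);

        OkHttpClient client = pinnedClient("www.mydomain.com", primary, secondary);
        // A pin that does not match any certificate in the cleaned chain fails with an
        // SSLPeerUnverifiedException starting "Certificate pinning failure!". The message
        // "Failed to find a trusted cert that signed ..." is raised one step earlier, while
        // OkHttp links the server's chain to a root in its trust manager, before pins are compared.
        System.out.println("pinned client ready: " + (client.certificatePinner() != null));
    }
}
```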