SSL/HTTPS with Android (Nougat) and Client Certificates


Situation: I have an AirWatch installation that provides the client with private "user certificates", which are stored in the user's private CA store. The certificates should be used when establishing an SSL connection to a designated HTTPS web server.

E.g. when I try to access this web server via HTTPS in Chrome, Chrome finds the client certificate and asks me whether I want to use it (so not directly). By clicking "OK" I can establish the connection and view the site.

Problem: In "recent times" this could be solved in custom apps by providing the apps themselves with the physical certificate and loading it at runtime (by creating a KeyStore, TrustManager and custom SSLContext), as described here

I thought that with Android Nougat I could get rid of the "workaround" by only configuring where the certificates for this app are located. It's called Network Security Configuration, as described here: https://developer.android.com/training/articles/security-config.html

So I added:

android:networkSecurityConfig="@xml/network_security_config"

to the Android manifest, and added an XML file that looks like this:

<network-security-config>
    <!-- <domain> is only valid inside <domain-config>, not <base-config> -->
    <domain-config>
        <!-- Apply these trust anchors ONLY to mydomain.com and its subdomains -->
        <domain includeSubdomains="true">mydomain.com</domain>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system"/>
            <!-- Additionally trust user added CAs -->
            <certificates src="user"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

I thought that using an HttpsURLConnection would then automatically also use the user certificates if necessary.

Current situation: I'm still getting this:

javax.net.ssl.SSLHandshakeException: Handshake failed

Question:

1) Do I still have to create a custom SSLContext and inject a custom TrustManager with a custom KeyStore? And if I have to, how do I get the user certificates? The default system CAs can easily be initialised via KeyStore.getInstance("AndroidCAStore"); but how do I get the keys from the user-specific store to use them in the SSLContext?

3) I didn't find any example on the web of how to use an HttpsURLConnection with client certificates that are stored in the user keystore on Android Nougat or higher. Any hints?
