This is a rough guide to installing a Windows CA certificate on your Android phone so that you can connect to an 802.1x secured wireless access point authenticated via IAS. I’m sure there are bits that could be clarified or expanded upon – please let me know via the comments.

  • Get a user certificate on your PC, then export using the Certificates snap-in module. Make sure you include the private key and all certificates in the path.
  • Rename the file to *.p12 and put it on the SD card.
  • In Android, go to Settings > Location & Security > Install from SD card. It should find the file and prompt you for the password you used to secure it when exporting. For the name of the certificate, use the user’s AD account name, e.g. david.rendall.
  • You will also be prompted to set a password for secure storage. This is equivalent to a password safe or the Mac OS keychain – you set a password on an encrypted store which applications can then request access to. You should use whatever password the end-user wants as they will have to use it in future.
  • Go back to the top level of Settings and choose Wi-Fi Settings.
  • You should see one of the access points listed (assuming you are in range). Tap on it and choose the following options: EAP method is TLS; Phase 2 authentication is None; CA Certificate and User certificate are both set to the certificate you installed above, which should be listed; identity is the user’s AD account name e.g. david.rendall. The other fields can be left blank.
  • It should be working now. I found that it doesn’t always connect automatically, I suspect because you have to put in the password to open the credential store. If this happens, you can still connect manually by going into Wi-Fi Settings, tapping on the network you want and then pressing the Connect button. You may then be asked for your credential store password, but after entering the password you should be connected.

Update 2012-08-29: Alternatively, you can specify separate certificates for the user and CA. First you need to create the user cert as above, but don’t include all certificates in the path. Then download the CA cert and rename the file to .CRT. Copy both files to your SD card. In Android, go to Install from SD card and this time you will get a choice of two files to install. Install them both. Then connect to the wifi as above, but specify the CRT as the CA cert and the P12 as the user cert.
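
Before copying the file to the SD card, it is worth checking on the PC what the export actually contains, since the first method needs the private key plus the CA chain and the second needs the user certificate only. The script below is an added example, not part of the original guide; the file name is a placeholder and `Get-P12Summary` is a hypothetical helper name.

```powershell
# Added example: list what is inside an exported .p12/.pfx file.
function Get-P12Summary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # X509Certificate2Collection.Import takes the password as a plain string.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import((Resolve-Path $Path).Path, $plain,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    foreach ($c in $certs) {
        # Basic Constraints tells us whether this entry is a CA certificate.
        $bc = $c.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        [pscustomobject]@{
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
            IsCA          = [bool]($bc -and $bc.CertificateAuthority)
            SelfSigned    = ($c.Subject -eq $c.Issuer)   # true for a root CA
        }
    }
}

$p12  = '.\david.rendall.p12'   # placeholder path, use your own export
$pw   = Read-Host -AsSecureString 'Export password'
$info = @(Get-P12Summary -Path $p12 -Password $pw)
$info | Format-Table -AutoSize

$user = @($info | Where-Object HasPrivateKey)
$cas  = @($info | Where-Object IsCA)

# Android needs exactly one user certificate with its private key.
if ($user.Count -ne 1) {
    Write-Warning "Expected one certificate with a private key, found $($user.Count)."
}
# No CA entries means the file only suits the separate-certificates method.
if ($cas.Count -eq 0) {
    Write-Warning 'No CA certificate in the file: install the CA .CRT separately.'
}
```

If `HasPrivateKey` is false on every row, the export was done without the private key and the phone will not be able to authenticate with it.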

Update 2013-09-11: I now have an Android device which has a built-in SD card, but also an external SD card reader slot. I tried to install a certificate on this device from an external SD card, but it couldn’t find a certificate file. This is because Android only looks at the internal SD card, not the second, external one. So you have to copy your certificate file from the external SD card to the root of the internal one. What a mess.

Update 2013-09-11: I’ve been unable to get devices with Android 4.1 – 4.2 working with EAP-TLS authentication for wifi. If you have better luck, please let me know how you did it! PEAP-MSCHAPv2 works OK.