This is a rough guide to installing a Windows CA certificate on your Android phone so that you can connect to an 802.1x secured wireless access point authenticated via IAS. I’m sure there are bits that could be clarified or expanded upon – please let me know via the comments.
- Get a user certificate on your PC, then export using the Certificates snap-in module. Make sure you include the private key and all certificates in the path.
- Rename the file to *.p12 and put it on the SD card.
- In Android, go to Settings > Location & Security > Install from SD card. It should find the file and prompt you for the password you used to secure it when exporting. For the name of the certificate, use the user’s AD account name, e.g. david.rendall.
- You will also be prompted to set a password for secure storage. This is equivalent to a password safe or the Mac OS keychain – you set a password on an encrypted store which applications can then request access to. You should use whatever password the end-user wants as they will have to use it in future.
- Go back to the top level of Settings and choose Wi-Fi Settings.
- You should see one of the access points listed (assuming you are in range). Tap on it and choose the following options: EAP method is TLS; Phase 2 authentication is None; CA Certificate and User certificate are both set to the certificate you installed above, which should be listed; identity is the user’s AD account name e.g. david.rendall. The other fields can be left blank.
- It should be working now. I found that it doesn’t always connect automatically, I suspect because you have to put in the password to open the credential store. If this happens, you can still connect manually by going into Wi-Fi Settings, tapping on the network you want and then pressing the Connect button. You may then be asked for your credential store password, but after entering the password you should be connected.
Update 2012-08-29: Alternatively, you can specify separate certificates for the user and CA. First you need to create the user cert as above, but don’t include all certificates in the path. Then download the CA cert and rename the file to .CRT. Copy both files to your SD card. In Android, go to Install from SD card and this time you will get a choice of two files to install. Install them both. Then connect to the wifi as above, but specify the CRT as the CA cert and the P12 as the user cert.
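The export step from the main instructions and the separate-certificate variant from the 2012-08-29 update can both be done from PowerShell instead of the Certificates snap-in. The following is an added example, not part of the original post; it assumes a Windows version that ships the PKI module's Export-PfxCertificate and Export-Certificate cmdlets, and the output folder and file names are hypothetical.

```powershell
# Added example, not from the original post. Run as the user who owns the certificate.
# Hypothetical output folder and file names; adjust as needed.
$outDir = Join-Path $env:USERPROFILE 'android-certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

# Unexpired personal certificates that have a private key and allow client auth
# (an empty EKU list means the certificate is valid for all purposes).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (@($_.EnhancedKeyUsageList).Count -eq 0 -or
     $_.EnhancedKeyUsageList.ObjectId -contains $clientAuth)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw 'No usable user certificate with a private key in Cert:\CurrentUser\My.'
}

$pw = Read-Host -AsSecureString 'Password to protect the exported .p12'

try {
    # Main steps: one file holding the private key and every certificate in the path.
    Export-PfxCertificate -Cert $cert -Password $pw -ChainOption BuildChain `
        -FilePath (Join-Path $outDir 'user-with-chain.p12') -ErrorAction Stop | Out-Null

    # 2012 update: user certificate and key only; the CA is exported separately below.
    Export-PfxCertificate -Cert $cert -Password $pw -ChainOption EndEntityCertOnly `
        -FilePath (Join-Path $outDir 'user-only.p12') -ErrorAction Stop | Out-Null
}
catch {
    # Typically the key was issued as non-exportable.
    throw "Export failed for $($cert.Subject): $($_.Exception.Message)"
}

# Top of the chain Windows builds for the user certificate. Assumption: the same
# CA issued the IAS server's certificate, which is what the phone validates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    Write-Warning "Chain is incomplete; top element is not self-signed: $($root.Subject)"
}
Export-Certificate -Cert $root -Type CERT -FilePath (Join-Path $outDir 'ca.crt') | Out-Null

Get-ChildItem $outDir | Select-Object Name, Length
```

Both .p12 files contain the private key, so remove them from the PC folder and the SD card once the certificate is installed on the phone.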
Update 2013-09-11: I now have an Android device which has a built-in SD card, but also an external SD card reader slot. I tried to install a certificate on this device from an external SD card, but it couldn’t find a certificate file. This is because Android only looks at the internal SD card, not the second, external one. So you have to copy your certificate file from the external SD card to the root of the internal one. What a mess.
Update 2013-09-11: I’ve been unable to get devices with Android 4.1 – 4.2 working with EAP-TLS authentication for wifi. If you have better luck, please let me know how you did it! PEAP-MSCHAPv2 works OK.
11 comments
August 18, 2011 at 3:14 pm
raj
not working in Android 2.2.2, doesn't recognize *.p12 format, only takes *.cer format but doesn't list it in wifi settings
September 12, 2011 at 3:55 pm
Tom
Got the same problem as raj. Able to import the *.cer file but not able to select it in wifi settings. Android 2.3.3.
November 17, 2011 at 7:16 pm
Amir
Thank you so much! it worked just fine for me on Droid Bionic 2.3.4
November 17, 2011 at 7:23 pm
Amir
There are 2 ways to import certs from your SD card:
Go to Settings > Location & Security > Install from SD card:
On my phone I get prompted with 2 choices to complete this action:
Certificate Installer and Certificate Manager. If you choose Certificate Manager it only shows the .cer one, but if I choose Certificate Installer it automatically opens the .p12 file and asks for the password. Hope this helps!
December 23, 2011 at 7:29 am
Shashank Hegde
I have some questions here, and my situation is that I can connect to it but there is no internet connection.
If I want to download the certificates, where do I find the USER certificates? I found trusted root certificates, but I can't export in .p12 format. If I export in .cer or .crt format I will not get the private key.
If I change the extension to .p12, while installing I will need the password. But I don't know the password.
December 23, 2011 at 10:17 am
davidrendall
If you run mmc and load the certificates snap-in, user certificates should be in Certificates – Current User > Personal > Certificates. It sounds like maybe you don’t have a certificate installed? Probably better to talk to your IT support team to ask about that…
May 30, 2012 at 3:18 am
charlie john
it worked. thank you
August 21, 2012 at 3:47 pm
Jonesy
Works fine – thanks David
September 15, 2012 at 8:28 pm
hemant.malve@gmail.com
Many thanks it worked fine for me ….
July 31, 2013 at 8:18 am
hendrawiratama
Reblogged this on hendra wiratama and commented:
Awesome!