09-06-2017 06:42 PM
We've just updated our SSO IDP in ServiceNow and now I've noticed that when trying to access ServiceNow via the Android mobile app, I'm getting an error. The error reads "SSL Certificate Error. Certificate authority not trusted." On our previous SSO configuration, my mobile app was working without issues. So far I've noticed this just for myself, and my colleague, who is also on Android, is not receiving the same error. He is able to log in just fine via our new IDP. I've uninstalled the app completely and reinstalled and I am still having the same issue. All of our instances have been migrated to our new IDP and I cannot connect to any of them via the app. Access through desktops and via browser on the phone works, however.
Thanks,
Anthony A.
Labels: Now Mobile
09-06-2017 06:51 PM
The problem is with the IDP certificate (i.e. the ADFS server), which might not be trusted on Android because the intermediate certificate might be missing.
Android is stricter than others like iOS or MS Windows.
You might need to contact your IDP (or ADFS) admin to fix the certificate problem.
Helpful links:
http://stackoverflow.com/questions/13862908/ssl-certificate-is-not-trusted-on-mobile-only
A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system's root certificate store.
You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
09-13-2017 08:51 AM
All of the answers provided by vab.13 and Aditya above are correct, and I'm also providing the solution below per our enterprise admins for the particular SSO solution that we use (Cloud Access Manager):
Reference link to the info below: https://support.oneidentity.com/cloud-access-manager/kb/186287

Certificate trust issues can occur with mobile browsers and federated service providers when Cloud Access Manager serves up an incomplete certificate chain (186287)

Description
Mobile browsers and federated service providers can fail to trust the CAM SSL certificate if it is sent by the CAM server without accompanying signing certificates and where those certificates are not in the Trusted Certificate Authorities store of the client browser or other consumer. This results in the browser issuing a certificate warning and/or blocking access to the CAM site, or the federated trust failing. This has been experienced with the Go Daddy G2 certificate chain and the Salesforce OAuth2 API authentication path; however, the issue is not necessarily limited to those two.

Cause
If a web server sends an incomplete certificate chain, the client browser or other consumer needs to perform extra downloads to retrieve the missing certificates to validate the trust chain; desktop browsers do this reliably, but mobile browsers or federated service providers may fail, or not even try, depending on their implementation.

Resolution
Prerequisites: This example uses the OpenSSL tool and Keytool utilities to create a PKCS12 keystore for import into Cloud Access Manager. OpenSSL is available online here: https://www.openssl.org/ The Keytool utility is installed with the Cloud Access Manager proxy and can be found at C:\Program files\Dell\Cloud Access Manager Proxy\j2sdk\jre\bin. You will also need to have access to the proxy server's file system.

Steps:
Note: This has to be done individually for each proxy that has a certificate. One cannot be copied to another.

1 - Export the existing signed this-server certificate from the Cloud Access Manager proxy cacerts keystore as a PFX; this contains the certificate and private key. You will be asked for the Source keystore password to complete this task; it is "changeit":
    keytool -v -importkeystore -srckeystore cacerts -srcalias this-server -destkeystore thisserver.p12 -deststoretype PKCS12
The location of the cacerts keystore is "C:\Program Files\Dell\Cloud Access Manager Proxy\j2sdk\jre\lib\security\cacerts".

2 - Convert the PKCS12 to PEM format, keeping the private key intact:
    openssl pkcs12 -in thisserver.p12 -out thisserver.pem -nodes -clcerts
Before adding the required Certificate Authority root and/or intermediate certificate(s) to the chain it may be necessary to convert them to PEM format. Only perform this step if the certificates are NOT already in PEM format (e.g. you have a CRT or CERT file), or you will corrupt your chain:
    openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
The trusted_ca.pem file should be saved in the directory openssl is run from in the cmd prompt. If you cannot find it, try specifying a directory, e.g.
    openssl x509 -in trusted_ca.cer -inform DER -out c:\temp\trusted_ca.pem

3 - Concatenate the PEM files into a single file on the command line:
    type thisserver.pem trusted_ca.pem >> thisserverchain.pem

4 - Create the PKCS12 keystore (in this example the private key is already contained in the PEM so there is no need to use the -inkey option, but if your private key is separate then add '-inkey filename.key' to this command):
    openssl pkcs12 -export -in thisserverchain.pem -out thisserverchain.p12

This keystore can now be uploaded to Cloud Access Manager using the 'Import PKCS12/PFX file' option on the Manage Certificates page of Settings in the Admin UI. The updated certificate will replace your existing certificate if one is already installed.

Additional Information
The trusted_ca.cer file referenced is the intermediate certificate that is provided by your issuer. It gets converted to a .pem file which can be read by the type command. Afterwards it gets converted back to a pkcs12 file so it can be imported into Cloud Access Manager.
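Added example, not code from this thread or from the One Identity KB article: a throwaway three-tier PKI (root, intermediate, leaf) built offline with openssl, so the failure described in the first answer (a strict client with no AIA fetching rejects a server that sends only its leaf) and the fix in the KB steps above (send the leaf followed by the intermediate, root omitted) can both be reproduced without touching a real IDP. The CA names, the hostname idp.example.test and the AIA URL http://pki.example.test/intermediate.der are constructed for the demo; verify_as_strict_client and aia_ca_issuers_url are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the ServiceNow thread or the One Identity KB).
# Builds a scratch root -> intermediate -> leaf PKI with openssl and emulates
# a strict TLS client such as the Android app: it trusts only root.pem and
# can use only the intermediates the server actually sends (no AIA fetching).
# All subjects, hostnames and the AIA URL below are constructed for this demo.
set -eu

DEMO_DIR=$(mktemp -d)
cd "$DEMO_DIR"
AIA_URL="http://pki.example.test/intermediate.der"   # hypothetical CA Issuers URL

# Self-contained openssl config: CSR defaults plus the extension sections
# applied when signing the CA certificates and the server (leaf) certificate.
cat > demo.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:idp.example.test
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF

# issue_cert NAME SUBJECT EXT_SECTION [ISSUER]; self-signed when ISSUER is omitted.
issue_cert() {
  name=$1; subject=$2; ext=$3; issuer=${4:-}
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -config demo.cnf -key "$name.key" -subj "$subject" -out "$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile demo.cnf -extensions "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile demo.cnf -extensions "$ext" \
      -out "$name.pem" 2>/dev/null
  fi
}

# Emulate a strict client. The first certificate in the chain file is the
# server certificate; everything after it counts as server-supplied
# intermediates (-untrusted). The only trust anchor is root.pem.
# Returns 0 when the leaf chains to the root, non-zero otherwise.
verify_as_strict_client() {
  openssl x509 -in "$1" -out presented_leaf.pem 2>/dev/null
  openssl verify -CAfile root.pem -untrusted "$1" presented_leaf.pem >/dev/null 2>&1
}

# Print the CA Issuers URL from the AIA extension: the URL a desktop browser
# follows on its own to fetch a missing intermediate.
aia_ca_issuers_url() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

issue_cert root         "/CN=Demo Root CA"         ca_ext
issue_cert intermediate "/CN=Demo Intermediate CA" ca_ext   root
issue_cert leaf         "/CN=idp.example.test"     leaf_ext intermediate

# Misconfigured IDP: only the leaf is sent.
cp leaf.pem incomplete_chain.pem
# Fix from the KB steps: leaf first, then the intermediate(s); root omitted.
cat leaf.pem intermediate.pem > complete_chain.pem

if verify_as_strict_client incomplete_chain.pem; then
  echo "leaf only: verified (unexpected)"
else
  echo "leaf only: untrusted; AIA points to $(aia_ca_issuers_url leaf.pem)"
fi
if verify_as_strict_client complete_chain.pem; then
  echo "leaf + intermediate: verified"
fi
```

The leaf-only chain fails exactly as the Android app did, even though the certificate carries a CA Issuers URL, because this client never follows it; the same file with the intermediate appended verifies. Two practical points when applying the KB procedure to a real proxy: the order in the concatenated file must be server certificate first, then intermediates, and step 3's `>>` appends rather than overwrites, so delete any stale thisserverchain.pem before running it or the resulting keystore will carry a broken chain.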