
I'm setting up a MITM test environment on Android and I need to forge fake certificates that are then presented to the applications. In order to achieve that, I need my CA to be among Android's trusted ones, which means that I have to manually install my CA's certificate.

And I would like to avoid this particular step.

I was thinking of getting a proper (= buy) certificate, issued by GoDaddy or GeoTrust, which are both trusted by Android. But then I would have to use this certificate as an intermediate CA for the forged fake ones.

Is it possible? Are there any logical/practical restrictions I haven't taken into account?

Sebastiano

1 Answer


This depends on the extensions set in the certificate and on whether the software correctly checks them. For example, the Key Usage extension specifies whether the key may be used to sign other certificates, and the Basic Constraints extension specifies whether the subject may act as a certification authority and how many levels of certificates may be below it.

A normal SSL certificate should not have the necessary extensions to act as a CA certificate. This means your approach would most likely not work.

Henry
  • So, there are basically two solutions I'm stuck with. The first one is manually adding my CA and the second one is buying a certificate which may act as an intermediate CA. Can you think of other approaches? Also, do you have any pointer for the second solution? Thanks in advance. – Sebastiano Feb 27 '13 at 15:34
  • No, I don't have other ideas. If it were easy to get an intermediate CA certificate, the whole system would not be very trustworthy. So manually adding trusted certificates seems to be pretty much the only option. – Henry Feb 27 '13 at 16:05
  • Yeah, I get the point. The annoying thing on Android is that certificates are first encrypted with a pin-code or an unlock pattern and then stored. But I didn't want to force the user to bow to this security requirement. – Sebastiano Feb 27 '13 at 17:10