Certificate issue: the message "You need to set a lock screen PIN or password before you can use credential storage" appears on an SSL page on Android

We installed the certificates on our server, and when you request https://www.ourserver.org, Android (regardless of what browser you use) displays a small pop-up window:

You need to set a lock screen pin or password before you can use credential storage 

What is wrong? It seems that the phone is trying to register this certificate.

This only happens on Android so far; it is great for iPhone and desktop browsers.

Our Stunnel configuration:

    [www.ourserver.org]
    cert = /etc/stunnel/certs/www.ourserver.org.crt
    key = /etc/stunnel/keys/www.ourserver.org.key
    CAfile = /etc/stunnel/certs/www.ourserver.org.intermediate.crt
    accept = 10.10.54.2:9443
    connect = 10.10.54.2:9444
    verify=1
    xforwardedfor = yes
    TIMEOUTclose = 0

The cert file is issued by RapidSSL. The intermediate CAfile contains both: the first intermediate certificate and cert certificate.

Any idea on what went wrong in our certificate configuration?

If I go through the process of protecting my phone with a lock screen and then access the same page, this is displayed:

 No certificates found The app Chrome has requested a certificate. Choosing a certificate will let the app use this identity with servers now and in the future. The app has identified the requesting server as (...), but you should only give the app access to the certificate if you trust the app. You can install certificates from a PKCS#12 file with a .pfx or a .p12 extension located in external storage." 
+7
6 answers

This is not an Android / Chrome issue. The problem was that the server was requesting a certificate from the client. For Apache, add / change the following parameter in the definition of your conf or your site:

 SSLVerifyClient none 
+2

The same thing happened to me when I installed my certificate on my Android tablet.

  • Yes, you need to set a lock code or pin code (but this can be deleted after installing the certificate).
  • Just copy the .pfx file to your Android phone
  • On your phone, search the settings for Security
  • Under credential storage (this option may differ depending on the settings of your phone), there should be an option to install certificates
  • Reboot the phone.

Hope this helps.

+4

If you remove 'verify = 1', then there will be no more certificates at all.

+1

This is not the safest solution, but it worked for me. I had to change the SSL properties through IIS in order to ignore client certificates.

+1

I suspect this is caused by verify = 1 in your configuration ("Verify the peer certificate, if any."). This will cause your Stunnel server to request a client certificate, which will cause the client to check if it has one in its own keystore.

User interfaces for authenticating with a client certificate are usually not the most user-friendly, which would explain your messages.

(Also, Stunnel is probably not the best reverse HTTPS proxy, there are other tools that will know how to handle HTTP correctly, but that is another matter.)

0
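A way to audit a stunnel configuration for the condition these answers describe, as an added example that is not part of the original thread or of stunnel itself. It assumes stunnel's documented semantics that, in server mode, any legacy `verify` level (including 0) and `verifyChain`/`verifyPeer = yes` request a peer certificate; the function names and the sample configuration are constructed for illustration.

```python
import re

SAMPLE_CONF = """\
; constructed sample, modelled on the configuration in the question
[www.ourserver.org]
accept = 10.10.54.2:9443
verify=1
[plain-https]
accept = 10.10.54.2:8443
[outbound]
client = yes
verify = 2
"""

def parse(conf):
    """Return (global_defaults, {service: options}); option names lowercased."""
    defaults, services, current = {}, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        name, sep, value = line.partition("=")
        if sep:
            target = defaults if current is None else current
            target[name.strip().lower()] = value.strip()
    return defaults, services

def asks_for_cert(name, value):
    # Assumption from the stunnel manual: every legacy "verify" level requests
    # a peer certificate; verifyChain/verifyPeer do so when set to "yes".
    return name == "verify" or (
        name in ("verifychain", "verifypeer") and value.lower() == "yes")

def services_requesting_client_cert(conf):
    """Map each server-mode service to the options that trigger the request."""
    defaults, services = parse(conf)
    findings = {}
    for svc, opts in services.items():
        eff = {**defaults, **opts}             # service options override globals
        if eff.get("client", "no").lower() == "yes":
            continue                           # client mode: checks the server's cert
        hits = [f"{k} = {v}" for k, v in eff.items() if asks_for_cert(k, v)]
        if hits:
            findings[svc] = hits
    return findings

print(services_requesting_client_cert(SAMPLE_CONF))
```

A service reported here will send a certificate request during the TLS handshake, which is what makes Android open its credential storage dialog.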

@maxshuty No code changes required. Here is the IIS equivalent of @Tandled's answer for later versions of IIS (which seem to be significantly different) ... IIS client authentication. Selecting the Ignore option worked in my case.

I know that this should be a comment, but I cannot comment. I think it's still worth putting as an answer.

0

Source: https://habr.com/ru/post/955738/

