Installing Certificates for Android OS/en: differences between revisions

From SmartPlayer

Current revision as of 12:37, 30 May 2024

Relevant only for Android OS

Self-Signed Certificates

Users sometimes need to add self-signed certificates on Android OS.
This process is relatively simple, but it also has its own features and nuances.

General Information

Terminology

A self-signed certificate is a digital certificate that is not issued or verified by a third party, such as a Certificate Authority (CA). Instead, it is created and signed by the user or organization that uses it.
Simply put, it is a certificate created by the user or organization that uses it.

Necessity

Self-signed certificates are most commonly used for:

  • Application Testing

Developers often use self-signed certificates to test applications before publication. This lets them set up a secure connection, for example between the application and the server, without purchasing a certificate from a certification authority.

  • Internal Use

In some companies, self-signed certificates are used within internal networks to encrypt data and ensure security.

Risks and Limitations

Using self-signed certificates carries certain risks and practical difficulties. Key risks include:

  • System distrust.

Since self-signed certificates are not verified and not issued by certification authorities, they often trigger security warnings in browsers and applications. This can alarm users.

  • Vulnerability of each certificate.

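Using self-signed certificates can increase the risk of attacks such as "man-in-the-middle" (MITM), in which an attacker intercepts data between two parties. Because no third party vouches for the certificate, a client that has not installed it in advance cannot tell it apart from a self-signed certificate presented by an attacker.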

MITM is a "man-in-the-middle" attack — a cyber attack in which a cybercriminal intercepts data being sent between two organizations or people. The purpose of the interception is to steal, eavesdrop, or alter data for some malicious purpose, such as extortion.

Possible Interactions with Certificates

Creating Certificates

For the procedure to create a self-signed certificate, refer to the separate instruction: Creating Self-Signed SSL Certificates Using the OpenSSL Tool on Ubuntu

Adding Certificates

If a user needs a certificate for an application to work, they can install it manually. The created certificate will confirm that the application is allowed access to specific functions and data.

The algorithm described below is relevant for devices running Android OS 9 and higher.

Certificate Installation Algorithm

  1. Open "Settings" on the device.
  2. Go to: "Security and Privacy" > "Additional Security Settings" > "Encryption and Credentials".
  3. Next, choose "Install Certificates" > "Wi-Fi Certificate".
  4. Find and click on the menu icon, represented by three horizontal lines.
  5. Select the location where the certificate was saved.
  6. Click on the file. If prompted, enter the password for the key storage, then click "OK".
  7. Enter the name of the certificate.
  8. Click "OK".

Deleting Certificates

Any user can delete a self-signed certificate by finding it in the list of certificates. To do this:

  1. Open the "Settings" application.
  2. Click on: "Security and Privacy" > "Additional Security Settings" > "Encryption and Credentials".
  3. Go to the "Credential Storage" section.

Once in the certificate storage, you can do the following:

  • (Not recommended) To delete all certificates on the device, click "Clear all credentials" > "OK".
  • (Recommended) To delete specific certificates on the device, click "User Credentials" > select the necessary credentials to delete.

Notes

Using a Wi-Fi network protected by WPA-Enterprise.

You can use WPA/WPA2/WPA3-Enterprise settings for additional protection when connecting. To do this, you need to:

  • Open the "Settings" application.
  • Click on the "Network & Internet" > "Internet" > "Add Network" section, using the "+" icon.
  • Enter the details provided by the network administrator.
Additional information may be required to connect to the network.

"Do Not Verify" setting.

The "Do Not Verify" option was removed from EAP-PEAP, EAP-TLS, and EAP-TTLS settings for Android 11 and above.

Saved Enterprise settings that disable server certificate verification are not affected. However, you cannot change them or create new ones.
WPA/WPA2/WPA3-Enterprise settings are available to both individual users and organizational employees.

Subtleties and Nuances

Addressing a conflict between the server and the client. In this case, enter the domain name not in its full form but with the "*" wildcard.
"abcdef.technomedia.ru" - incorrect
"*.technomedia.ru" - correct
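
The difference between the two entries above, as an added example that is not part of the original page: a full host name covers a single server, while a wildcard entry covers any one host label under the domain. The matcher follows the usual TLS wildcard convention (RFC 6125); that the Android "Domain" field applies exactly these rules is an assumption, and the host names are constructed samples.

```python
# Added example: RFC 6125-style wildcard matching for server names.
# Assumption: "*" stands for exactly one leftmost DNS label.

def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if hostname is covered by pattern."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:          # empty labels ("a..b", ".example") are invalid
        return False
    if "*" not in pattern:          # no wildcard: only an exact match counts
        return p == h
    # Accept "*" only as the whole leftmost label; reject "a*.x" or "x.*.y".
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    if len(p) < 3:                  # refuse over-broad patterns such as "*.ru"
        return False
    # The wildcard replaces exactly one label, so label counts must be equal.
    return len(h) == len(p) and h[1:] == p[1:]


def covered_hosts(pattern: str, hostnames: list[str]) -> list[str]:
    """Return the subset of hostnames that pattern covers."""
    return [h for h in hostnames if wildcard_matches(pattern, h)]


# Constructed sample names built around the domain used on this page.
SAMPLE_HOSTS = [
    "abcdef.technomedia.ru",               # one label under the domain: covered
    "radius.technomedia.ru",               # another host of the domain: covered
    "technomedia.ru",                      # bare domain: not covered
    "a.b.technomedia.ru",                  # two extra labels: not covered
    "abcdef.technomedia.ru.example.net",   # different parent domain
    "eviltechnomedia.ru",                  # string suffix, not a label boundary
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:40} {wildcard_matches('*.technomedia.ru', host)}")
```

A wildcard entry keeps working when the server presents a certificate for a different host of the same domain, but it also accepts every such host, so the domain itself must be one the organization controls.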