Installing Certificates for Android OS/en: differences between revisions

From SmartPlayer

Revision as of 16:33, 23 November 2023

Relevant only for Android OS

Self-Signed Certificates

Users sometimes need to add self-signed certificates on Android OS.
The process is relatively simple, but it has its own particulars and nuances.

General Information

Terminology

A self-signed certificate is a digital certificate that is not issued or verified by a third party, such as a Certificate Authority (CA). Instead, it is created and signed by the user or organization that uses it.
Simply put, it is a certificate created by the user or organization that uses it.

Necessity

Self-signed certificates are most commonly used for:

Application Testing
Developers often use self-signed certificates to test applications before publication. This lets them create a secure connection, for example between the application and the server, without purchasing a certificate from a certification authority.

Internal Use
In some companies, self-signed certificates are used within internal networks to encrypt data and ensure security.

Risks and Limitations

Self-signed certificates carry certain risks and are harder to work with. Key risks include:

  • System distrust.

Since self-signed certificates are not verified and not issued by certification authorities, they often trigger security warnings in browsers and applications. This can alarm users.

  • Vulnerability of each certificate.

The use of self-signed certificates can increase the risk of attacks such as "man-in-the-middle" (MITM), where an attacker can intercept data between two parties.

MITM is a "man-in-the-middle" attack — a cyber attack in which a cybercriminal intercepts data being sent between two organizations or people. The purpose of the interception is to steal, eavesdrop, or alter data for some malicious purpose, such as extortion.

Possible Interactions with Certificates

Creating Certificates

For the procedure to create a self-signed certificate, refer to the separate instruction: Creating Self-Signed SSL Certificates Using the OpenSSL Tool on Ubuntu

Adding Certificates

If a user needs a certificate for an application to work, they can install it manually. The created certificate will confirm that the application is allowed access to specific functions and data.

The algorithm described below is relevant for devices running Android OS 9 and higher.

Certificate Installation Algorithm

  1. Open "Settings" on the device.
  2. Go to: "Security and Privacy" > "Additional Security Settings" > "Encryption and Credentials".
  3. Next, choose "Install Certificates" > "Wi-Fi Certificate".
  4. Find and tap the menu icon, represented by three horizontal lines.
  5. Select the location where the certificate was saved.
  6. Tap the file. You may need to enter the keystore password and then tap "OK".
  7. Enter the name of the certificate.
  8. Tap "OK".

Removing Certificates

Any user can remove a self-signed certificate by finding it in the list of certificates. To do this:

  1. Open the "Settings" app.
  2. Tap: "Security and Privacy" > "Additional Security Settings" > "Encryption and Credentials".
  3. Go to the "Credential Storage" section.

Once in the certificate store, you can do the following:

  • (Not recommended) To remove all certificates on the device, tap "Clear all credentials" > "OK".
  • (Recommended) To remove specific certificates on the device, tap "User credentials" > select the credentials to remove.

Notes

Using a Wi-Fi network protected by WPA-Enterprise. When connecting, you can use the WPA/WPA2/WPA3-Enterprise settings for additional protection. To do this:

  • Open the "Settings" app.
  • Tap "Network & Internet" > "Internet" > "Add network", using the "+" icon.
  • Enter the details obtained from the network administrator.
Additional details may be required to connect to the network.

The "Do not validate" setting.

The "Do not validate" option was removed from the EAP-PEAP, EAP-TLS and EAP-TTLS settings for Android 11 and higher.

Saved Enterprise settings that disable server certificate validation are not affected. However, you cannot modify them or create new ones.
The WPA/WPA2/WPA3-Enterprise settings are available both to private individuals and to employees of organizations.

Subtleties and Nuances

Resolving a conflict between the server and the client. In this case, the domain name must be entered not in its full form but using "*".
"abcdef.technomedia.ru" - incorrect
"*.technomedia.ru" - correct
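
As an added example (not part of the original SmartPlayer instruction), the script below shows checks to run on a workstation before a file is installed through the "Certificate Installation Algorithm" steps, and how a wildcard name such as "*.technomedia.ru" from the note above is matched against host names. It assumes the OpenSSL command-line tool (1.1.1 or later) and that the wildcard is carried in the certificate's subjectAltName; the function names are hypothetical and the certificate is a throwaway generated on the spot.

```shell
#!/bin/sh
# Added example: checks to run on a workstation before installing a certificate.
# Function names and the sample certificate are constructed for illustration.

# SHA-256 fingerprint as bare upper-case hex (colons removed).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeeds only if subject and issuer names are identical (self-issued).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Succeeds only if the file's fingerprint equals the value received from the
# certificate's creator over a separate channel (colons and case are ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] && [ "$(cert_fingerprint "$1")" = "$expected" ]
}

# Succeeds only if the certificate is valid for the given host name.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed sample: throwaway self-signed certificate with a wildcard name.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.technomedia.ru' \
        -addext 'subjectAltName=DNS:*.technomedia.ru' \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample_cert "$tmp/sample"
is_self_signed "$tmp/sample.pem" && echo "self-signed: yes"
echo "sha256: $(cert_fingerprint "$tmp/sample.pem")"
# The wildcard covers exactly one label to the left of the domain.
for h in abcdef.technomedia.ru technomedia.ru a.b.technomedia.ru; do
    if host_matches "$tmp/sample.pem" "$h"; then echo "$h: match"
    else echo "$h: no match"; fi
done
rm -rf "$tmp"
```

A fingerprint that differs from the one supplied by the certificate's creator means the file is not the one they issued and should not be installed.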

Final Result

Users know how to create and work with self-signed certificates.