50.2. Certificates

  1. Android cannot create its own certificates. This is therefore done by makecert on a PC.

    Download the "Tool to create certificates" (makecert) from the Intra2net system under Information > Download, and unpack it into a directory on your computer.

  2. Start the makecert batch file.

    C:\makecert>makecert
    Validity of the new certificate:
    1. one year
    2. two years
    3. three years
    4. four years
    5. five years
    Your choice: 1
    
                
    C:\makecert>openssl req -x509 -newkey rsa:2048 -days 1825 -new -nodes -config 
    openssl.cnf -outform PEM -keyform PEM -keyout privatekey.pem -out newcert.cer
    Using configuration from openssl.cnf
    Loading 'screen' into random state - done
    Generating a 2048 bit RSA private key
    ........................+++
    ...............................................................+++
    writing new private key to 'privatekey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
  3. Now enter the client data. For some fields there is a default value in square brackets. If you want to use it, just press Return. Do not use umlauts or other special characters, as otherwise problems may occur. The "common name" (or "computer name" on the Intra2net system) must be unique and must not be reused for other clients or for a CA.

    Country Name (2 letter code) []:
    State or Province Name (full name) []:
    Locality Name (eg, city) []:
    Organization Name (eg, company) []:Firma GmbH
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:Android Mueller
    Email Address []:
    
    C:\makecert>openssl pkcs12 -export -in newcert.cer -inkey privatekey.pem 
    -out newcert.p12
    Loading 'screen' into random state - done
  4. Select a export password that protects the key file on its way to the VPN client on the device. The password must be at least 4 characters long.

    Enter Export Password:
    Verifying password - Enter Export Password:
    
    C:\makecert>del privatekey.pem
  5. The key bundle for the client is now in PKCS#12 format in the newkey.p12 file, the certificate for the Intra2net system (PEM format) in newkey_cert.cer file.

  6. The client's certificate will now be made available to the Intra2net system. To do this, open the certificate file (newkey_cert.cer) with a text editor (e.g. Wordpad) and copy the entire contents of the file to the clipboard.

  7. In the Intra2net system open the menu System > Keys > Foreign keys and create a new key. Enter a name for the key (e.g. the name of the employee) and then paste the certificate data from the clipboard into the field Copy & paste certificate.

  8. Next we will prepare the Intra2net system certificate for import to Android. To do this, open the System > Keys > Own Keys menu and select the certificate you want to use for the connection. It is advisable to use only one certificate for all VPNs on the Intra2net system side. Export the certificate as a .cer file to your local computer.

  9. Now connect the Android device to your computer via USB. Many devices have different connection modes to choose from. Select a mode in which you can exchange files between PC and Android device, such as Media Device (MTP) or drive. If there are any uncertainties, consult the manual of your Android device regarding data exchange between a PC and the device.

  10. Now copy the previously created key bundle (file name newcert.p12) to the root directory of the Android drive (e.g. using Windows Explorer).

  11. With your browser, copy the Intra2net system certificate file you just downloaded into the root directory of the Android drive. The file name is the name assigned in the Intra2net system with the extension .cer.

  12. Disconnect the PC and Android device properly using the remove hardware feature in the Windows taskbar.

  13. On the Android device, open Settings, then Options, and Security.

  14. Under the Credential storage category, and select Install from device storage.

  15. Select the private key (file name newcert.p12) to import it. The export password will be requested, and then it will be possible to assign a suitable name to the certificate.

  16. Select the Intra2net System certificate and assign a suitable name.

  17. The certificates are now exchanged and installed between the devices.