{"id":340,"date":"2016-06-07T08:25:34","date_gmt":"2016-06-07T13:25:34","guid":{"rendered":"http:\/\/jebware.com\/blog\/?p=340"},"modified":"2020-06-05T11:12:39","modified_gmt":"2020-06-05T16:12:39","slug":"self-signed-certificates-with-okhttp-the-right-way","status":"publish","type":"post","link":"https:\/\/jebware.com\/blog\/?p=340","title":{"rendered":"Self-Signed Certificates with OkHttp – the Right Way"},"content":{"rendered":"

Your sysadmin comes to you and says \u201chey, let\u2019s quit using the developmestruction environment<\/a>, I set up this new test server we can test with instead.\u201d Awesome.  This is definitely a good thing for your development.<\/span><\/p>\n

So you switch the URL your app is calling, but now you’re getting see this:<\/span><\/p>\n

\"Screen<\/a><\/p>\n

Why can’t you connect?  Well, SSL certs cost time and money, so a lot of times in internal test and development environments you’ll see self-signed certificates<\/a>.  By default, OkHttp isn’t going to trust those, since they aren’t signed by a known, trusted Certificate Authority (CA).<\/span><\/p>\n

At this point, you may find some StackOverflow answers suggesting that you make a dummy TrustManager that just blindly accepts any SSL certificate.  <\/span>Don\u2019t do that.<\/b>  You may as well disable SSL at that point, because anybody can run a man-in-the-middle attack to read and\/or manipulate your traffic.  Seriously, just don’t.  Even for your test environment.  <\/span><\/p>\n

The good news is, it’s just as easy to fix the right<\/em> way by adding trust for your self-signed certificate.  Here’s all it takes:<\/p>\n

Step 1:<\/strong> Download the .cer file<\/span><\/p>\n

\"1-chrome-broken-lock\"<\/a><\/p>\n

Open the URL in Chrome.  You\u2019ll see the broken lock icon in the address bar; click it. Your goal is to drag the certificate to somplace you can work with it; Chrome will give you a .cer file.  (screenshots are small, click to embiggen)<\/span><\/p>\n

\"1b-chrome-not-private\"<\/a>\"1c-connection-detail\"<\/a><\/p>\n

\"1d-cert\"<\/a><\/p>\n

Step 2:<\/strong> convert to .pem, using this in your terminal (and maybe spend a minute with “man openssl” to see what’s up here – we’re converting from one certificate file format to another)<\/span><\/p>\n

\n
openssl x509 -in server.cer -inform DER -out server.pem -outform PEM<\/span><\/pre>\n<\/blockquote>\n
Step 3:<\/strong> Drop the .pem in your app’s assets folder<\/span><\/p>\n
Step 4a:<\/strong> Here’s how to add that custom cert to OkHttp3<\/span><\/p>\n