Created March 25, 2025 11:59
Android Management API PKCS12 certificate INVALID_VALUE
# tl;dr
In the Android Management API, a PKCS12 certificate has to use the legacy PKCS#12 encryption: 3DES_CBC for the private key, RC2_CBC for the certificates (SHA1 as the digest). PBES2/AES files are rejected.
## Details
In the Android Management API you can set a policy's network configuration using Open Network Configuration (ONC). For an EAP-TLS network the client needs a PKCS12 certificate (the client certificate plus its private key).

In the compliance details for the policy I was receiving the warning "INVALID_VALUE" for item "onc.Certificates[0]", which refers to the client's PKCS12 certificate.

After battling with it for a couple of days, I found out that Android 8 to 14 only support the old legacy encryption algorithms (the original PKCS#12 PBE schemes built on SHA1/3DES/RC2, not PBES2 with AES, which OpenSSL 3 uses by default).

With OpenSSL 3.x, use the `-legacy` flag as shown below. It loads the legacy provider (where RC2 lives) and switches the defaults to 3DES for the key and RC2 for the certificates; OpenSSL 1.1 produced this format by default and has no `-legacy` flag.
```
openssl pkcs12 \
  -legacy \
  -export \
  -in cert.crt \
  -inkey cert.key \
  -certfile bundle.pem \
  -out certificate.legacy.pfx
```
If you're making the certificates programmatically, here are the hash/cipher combinations I tested and whether Android accepted them:
**Hash Algorithm**|**Cipher Algorithm**|**Android 9**|**Android 12**
:-----:|:-----:|:-----:|:-----:
(any)|aes-128, aes-192, aes-256|no|no
SHA384, SHA512|3des-pkcs12|no|no
SHA256|3des-pkcs12|yes|no
SHA1|3des-pkcs12|yes|yes
SHA256|rc2-40|yes|no
SHA1|rc2-40|yes|yes
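As an added example (not part of the original gist), the openssl command and the table above turned into a script: it builds the PKCS12 with the only combination that is "yes" on both Android 9 and 12 (SHA1 digest, 3DES key bag, RC2-40 cert bags, SHA1 MAC) pinned explicitly instead of relying on the `-legacy` defaults, and it checks any existing `.pfx` the same way before you upload it, so an `INVALID_VALUE` on `onc.Certificates[0]` can be ruled in or out as an encryption problem. The file names, the `changeit` password, the throwaway CA and the function names are assumptions; it needs OpenSSL 3.x with the legacy provider, and because RC2 lives in that provider, reading such a file with `openssl pkcs12 -info` also needs `-legacy`.

```shell
#!/bin/sh
# Added example, not from the original gist. Builds an Android-compatible
# (legacy PBE) EAP-TLS client PKCS#12 and checks which algorithms a .pfx uses.
# Assumes OpenSSL 3.x with the legacy provider available. File names, the
# password "changeit" and the test CA below are assumptions for the demo.
set -e

# Build the PKCS#12 with the algorithms pinned explicitly rather than relying
# on the -legacy defaults: 3DES for the shrouded key bag, RC2-40 for the cert
# bags, SHA1 as the PBE digest and as the MAC digest (the "yes/yes" table rows).
make_legacy_pfx() {  # key cert chain out password
    openssl pkcs12 -export -legacy \
        -keypbe PBE-SHA1-3DES \
        -certpbe PBE-SHA1-RC2-40 \
        -macalg sha1 \
        -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Same input with OpenSSL 3 defaults (PBES2/PBKDF2 + AES-256-CBC, SHA256 MAC):
# this is the kind of file Android rejects.
make_default_pfx() {  # key cert chain out password
    openssl pkcs12 -export \
        -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Print the algorithm lines of `openssl pkcs12 -info` (OpenSSL writes them to
# stderr). -legacy is needed to decrypt RC2 cert bags at all.
pfx_algorithms() {  # pfx password
    openssl pkcs12 -info -noout -legacy -in "$1" -passin "pass:$2" 2>&1 \
        | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# Succeeds only if every algorithm is in the "yes/yes" rows of the table:
# SHA1 MAC, SHA1+3DES key bag, SHA1+RC2-40 or SHA1+3DES cert bags, no PBES2.
pfx_is_android_legacy() {  # pfx password
    info=$(pfx_algorithms "$1" "$2") || return 1
    printf '%s\n' "$info" | grep -q '^MAC: sha1,' || return 1
    printf '%s\n' "$info" \
        | grep -q '^Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC' || return 1
    printf '%s\n' "$info" \
        | grep -Eq '^PKCS7 Encrypted data: pbeWithSHA1And(40BitRC2|3-KeyTripleDES)-CBC' || return 1
    ! printf '%s\n' "$info" | grep -q 'PBES2'
}

# Constructed test material: a throwaway CA (used as bundle.pem) and a client
# certificate signed by it. Not real device credentials.
make_test_material() {  # dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-EAP-CA \
        -keyout "$1/ca.key" -out "$1/bundle.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=device01 \
        -keyout "$1/cert.key" -out "$1/cert.csr" 2>/dev/null
    openssl x509 -req -in "$1/cert.csr" -CA "$1/bundle.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/cert.crt" 2>/dev/null
}

# Build both variants from the same key/cert and report what each one uses.
demo() {
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    make_test_material "$dir"
    make_legacy_pfx "$dir/cert.key" "$dir/cert.crt" "$dir/bundle.pem" \
        "$dir/certificate.legacy.pfx" changeit
    make_default_pfx "$dir/cert.key" "$dir/cert.crt" "$dir/bundle.pem" \
        "$dir/certificate.default.pfx" changeit
    for f in certificate.legacy.pfx certificate.default.pfx; do
        echo "== $f"
        pfx_algorithms "$dir/$f" changeit
        if pfx_is_android_legacy "$dir/$f" changeit; then
            echo "-> usable for Android 9/12 EAP-TLS"
        else
            echo "-> would be rejected (INVALID_VALUE on onc.Certificates[0])"
        fi
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh pkcs12-legacy-check.sh demo` to see the two files side by side, or source it and call `pfx_is_android_legacy your.pfx 'password'` against a file your own tooling produced; if the `Shrouded Keybag:` or `PKCS7 Encrypted data:` line mentions `PBES2` or AES, that is the file Android will flag.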