
Suggestions on easy distribution/installation of self signed certificates & roots to mobile devices

I am a developer at a government agency in a developing country that has a web application with a number of web-forms for data entry through which customers can submit "electronic forms" to the agency.

For legal purposes, the forms have to be digitally signed when submitted to be considered valid. This is accomplished at the moment via a client-side digital certificate installed in the browser on the customer's PC. If forms are not digitally signed, customers alternatively have to submit the forms manually with a physical signature.

The web application at the moment has ActiveX controls that restrict it to running only on Internet Explorer browsers. They however want to upgrade it to an HTML5/JavaScript application that can work on iOS and Android mobile devices.

Funds are short, so they have an open source Certificate Authority through which they generate self-signed certificates and email them to customers for installation in the customers' browsers on PCs.

The distribution and installation of certificates on PCs right now, however, is a real hassle at times, involving many emails and phone calls, as the customers are not very technically adept beyond typical word processing and Excel usage, which is perfectly understandable but presents a support challenge. Then, from what I have read, getting client-side digital certificates installed on mobile devices is even harder, involving installation in a keystore.

Are there any suggestions on an easy and low-hassle way for the digital certificates to be installed for end customers with mobile devices? I am looking for technical suggestions to reduce the effort for end customers (e.g. just click on a link), which I know may increase the necessary infrastructure or programming effort on the issuing end to accomplish all of that seamlessly.

I am also aware that different devices/operating systems may need custom methods (i.e. one method for Android, and another for iOS).

Any suggestions would be most welcome.

darz
  • I don't see why ActiveX is required or why on earth you think that you need to taint the PKI used by every machine subject to this "service". This strikes me as such a serious design fail that you will probably be better off starting from scratch. – rook Dec 02 '13 at 01:20
  • @Rook - Given that HTML 5's [keygen enrollment is a fail](http://security.stackexchange.com/q/27955/396), Microsoft created a browser object to make it better in the early 2000s. It's likely that his deployment is based on this object. – makerofthings7 Dec 02 '13 at 01:26
  • for what it's worth, Microsoft created a browser plugin (XMLHTTPRequest) that later became the foundation of all AJAX across all browsers. It's a shame that nobody else adopted this standard or created anything better. – makerofthings7 Dec 02 '13 at 01:28
  • @Rook - The ActiveX is used in the existing version of the application (a very old application) which only works on Microsoft-based PCs. This is the limiting constraint for which they seek an upgrade that can work on mobile devices. ActiveX is absolutely going away in the new design. However, the question is what to replace it with that can "seamlessly" install digital certificates on mobile devices. – darz Dec 02 '13 at 04:01
  • Use [Google Apps Mobile Management](https://support.google.com/a/answer/1734200) – atdre Jun 10 '14 at 15:40

1 Answer

Your options are limited but, as I see it, you do have some possibilities.

  1. Install the certificate for the users. On the day they come in to do the training - or when they're next in the office - you borrow their phone for 5 minutes and install the certificate for them.
  2. You write very clear instructions on how to install a certificate. On Android it's not that hard to install, so you should be able to write a single-page document which shows them how to do it.
  3. Write an App which is simply a web-view with the certificate pre-installed.
  4. Use a certificate installer app - like https://play.google.com/store/apps/details?id=it.nicola_amatucci.android.certificate_installer

My preferred option would be #1 - that way you can check the phone is suitable, run a virus check on it, and ensure that everything is set up properly.

Terence Eden
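Option 3 from the answer, as an added illustration that is not part of the answer or the agency's application: an Android WebView that presents a client certificate from a PKCS#12 file bundled in the app when the TLS server requests one. The asset name, password and URL are placeholders, and the callback used requires Android 5.0 (API 21) or newer.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.ClientCertRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class FormsActivity extends Activity {
    // Placeholders (assumptions): the customer's PKCS#12 file shipped under assets/,
    // its password, and the agency's forms URL.
    private static final String P12_ASSET = "client.p12";
    private static final char[] P12_PASSWORD = "changeit".toCharArray();
    private static final String FORMS_URL = "https://forms.example.gov/";

    private PrivateKey clientKey;          // null if the identity could not be loaded
    private X509Certificate[] clientChain;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        loadClientIdentity();
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedClientCertRequest(WebView view, ClientCertRequest request) {
                // The server asked for a client certificate during the TLS handshake.
                if (clientKey != null && clientChain != null) request.proceed(clientKey, clientChain);
                else request.cancel(); // no identity available: send nothing rather than fail silently later
            }
        });
        setContentView(webView);
        webView.loadUrl(FORMS_URL);
    }

    // Loads the first key entry of the PKCS#12 file into clientKey/clientChain.
    private void loadClientIdentity() {
        try (InputStream in = getAssets().open(P12_ASSET)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, P12_PASSWORD);
            String alias = ks.aliases().nextElement();
            clientKey = (PrivateKey) ks.getKey(alias, P12_PASSWORD);
            Certificate[] chain = ks.getCertificateChain(alias);
            clientChain = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) clientChain[i] = (X509Certificate) chain[i];
        } catch (Exception e) {
            clientKey = null;
            clientChain = null;
        }
    }
}
```

A key baked into the APK is shared by everyone who installs that build, so it cannot stand in for an individual customer's signature; each customer's PKCS#12 has to be provisioned separately (per-customer build or import at first run). If the agency's own root also signs the server certificate, trust that root through an Android network security configuration rather than by overriding onReceivedSslError.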