Samsung Stock Email App, S/MIME Certificates

By hegelec, Junior Member on 10th December 2017, 05:12 PM
I have a Comodo Personal email certificate, which I use for signing and encrypting emails using the S/MIME protocol, over MS Exchange.

The Samsung stock Email application supposedly allows the use of such certificates natively. However, I am running into problems when I attempt to install my key.

I'm using a PFX file exported from Windows Certificate Manager. When I generate the file using the standard wizard, I have the option of exporting my key and user certificate either with or without the other certificates in the chain of trust.

The complete certificate chain, by the way, is as follows: Private key/Personal Cert --> Intermediate CA (Comodo SHA256 Client Authentication and Secure Email CA) --> Root CA (AddTrust External CA)

When I omit the other certificates in the signing chain when exporting, the PFX just installs my key and my user cert in credential storage. But then every time I use it to sign or encrypt something in the Email app, I get a nag from the Email app warning me that it could not validate my credentials. That is, the Samsung Email app is unable to verify my cert's trust unless the intermediate CA is provided to it.

But frustratingly, when I export the PFX file so that it includes the intermediate and root CAs in the chain and install it, Android places the Intermediate CA in the User folder in the keystore, and treats it as a root CA. That is to say, instead of inheriting trust from the AddTrust Root CA (which is in the default keystore), Android assigns trust to the intermediate CA *explicitly*. And so, despite the fact it's a valid certificate signed by a trusted root authority in the default keystore, Android gives me nearly constant nags about my phone being "monitored by a 3rd party" until I delete the intermediate CA from User Trust. Which, of course, breaks the Samsung Email app's ability to verify the certificate chain and yields a nag every time I send an email.

Anyone else encounter this issue/know of a solution?
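
The two export choices described in the post above, as an added example that is not part of the thread: it builds a throwaway three-level chain, exports the user key with and without the chain, and lists the CA certificates each PFX would hand to the device on import. It uses the `openssl` CLI; the demo chain, file names and the password `demo` are constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Chain, names and password are constructed.

# Build a throwaway root -> intermediate -> user chain in directory $1 and export
# the user key twice: without the chain (leaf-only.pfx) and with it (full-chain.pfx).
make_demo_pfx() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/user.crt" 2>/dev/null
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
    -passout pass:demo -out "$d/leaf-only.pfx"
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
    -certfile "$d/chain.pem" -passout pass:demo -out "$d/full-chain.pfx"
}

# List every certificate in PFX $1 (password $2) that is not bound to the private
# key, one per line as "<root|intermediate><TAB><subject>". A certificate whose
# subject equals its issuer is reported as a root.
pfx_ca_report() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { i = substr($0, 8)
                       t = (s == i) ? "root" : "intermediate"
                       print t "\t" s }'
}

# Demo run: the leaf-only export lists nothing, the full-chain export lists both CAs.
demo_dir=$(mktemp -d)
make_demo_pfx "$demo_dir"
for f in leaf-only full-chain; do
  echo "== $f.pfx"
  pfx_ca_report "$demo_dir/$f.pfx" demo
done
```

Running `pfx_ca_report` against a real export before copying it to the phone shows which extra certificates the import will carry alongside the key and user certificate.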
4th January 2018, 10:57 AM | #2
Senior Member
It seems to me that you're confusing Public/Private keys as required for S/MIME and certificates.
You do not install the S/MIME certificate and its keys using the certificate wizard/manager; this only imports the certificate and not the keys.