The Samsung stock Email application supposedly allows the use of such certificates natively. However I am running into problems when I attempt to install my key.
I'm using a PFX file exported from Windows Certificate Manager. When I generate the file using the standard wizard, I have the option of exporting my key and user certificate either with or without the other certificates in the chain of trust.
The complete certificate chain, by the way, is as follows: Private key/Personal Cert --> Intermediate CA (Comodo SHA256 Client Authentication and Secure Email CA) --> Root CA (AddTrust External CA)
When I omit the other certificates in the signing chain when exporting, the PFX just installs my key and my user cert in credential storage. But then everytime I use it to sign or encrypt something in the Email app, I get a nag from the Email app warning me that it could not validate my credentials. That is, Samsung Email app is unable to verify my cert's trust unless the intermediate CA is provided to it.
But frustratingly, when export the PFX file so that it includes the intermediate and root CA's in the chain and install, Android places the Intermediate CA in User folder in the keystore, and treats it as a root CA. That is to say, instead of inheriting trust from the AddTrust Root CA (which is in the default keystore) Android assigns trust to the intermediate CA *explicitly*. And so, despite the fact it's a valid certificate signed by a trusted root authority in the default keystore, Android gives me nearly constant nags about my phone being "monitored by a 3rd party" until I delete the intermediate CA from User Trust. Which of course, breaks the Samsung Email app's ability to verify the certificate chain and yields a nag everytime I send an email.
Anyone else encounter this issue/know of a solution?