Certificate issue: SSL page brings up "you need to set a lock screen pin or password before you can use credential storage" on Android

StackOverflow https://stackoverflow.com/questions/19311094

Question

We've setup the certificates on our server and when requesting https://www.ourserver.org, Android (whatever the browser used) shows a little popup 

You need to set a lock screen pin or password 
before you can use credential storage

Which is wrong, it seems that the phone is trying to register that certificate..?

It does happen only on Android so far it's fine on iPhone and desktop browsers

our Stunnel config:

[www.ourserver.org]
  cert = /etc/stunnel/certs/www.ourserver.org.crt
  key = /etc/stunnel/keys/www.ourserver.org.key
  CAfile = /etc/stunnel/certs/www.ourserver.org.intermediate.crt
  accept  = 10.10.54.2:9443
  connect = 10.10.54.2:9444
  verify=1
  xforwardedfor = yes
  TIMEOUTclose = 0

cert file is issued by RapidSSL. The intermediate CAfile contains both: the intermediate certificate first and cert certificate.

Any idea of what went wrong on our certificate config ?

If I go through the process of securing my phone with a lock screen, accessing the same page then shows

No certificates found

The app Chrome has requested a certificate. 
Choosing a certificate will let the app use this 
identity with servers now and in the future. The 
app has identified the requesting server as (...), 
but you should only give the app access to the 
certificate if you trust the app. You can install 
certificates from a PKCS#12 file with a .pfx or a 
.p12 extension located in external storage."
Was it helpful?

Solution 2

It's not an Android/Chrome issue. The problem was from the fact that the server was requesting a certificate from the client. For Apache add/change the following parameter in your conf or in your sites definition:

SSLVerifyClient none

OTHER TIPS

This same thing happened to me when I was installing my certificate on my Android Tablet.

  1. Yes, you need to set a lock or pin code (but this can be removed after installing the certificate)
  2. Just copy the .pfx file in your Android phone
  3. On your phone Settings look for Security
  4. Under credential storage (this option might vary depending on your Phone settings), there should be an option to install certificates
  5. Restart your phone

Hope this helps.

This isn't the most secure solution - but it got the job done for me. I had to edit the SSL properties through IIS to ignore client certificates. IIS Setting Change

If removing 'verify=1', then no more certificates are valid at all.

I would suspect this is caused by verify = 1 in your configuration ("Verify peer certificate if present."). This would make your Stunnel server request a client certificate, which would cause the client to check whether it has one in its own keystore.

User interfaces for client-certificate authentication are generally not the most user-friendly, so that would explain the messages you get.

(In addition, Stunnel is probably not the best HTTPS reverse proxy, there are other tools that will know how to deal with HTTP properly, but that's a different matter.)

@maxshuty There are no code changes required. Here's the IIS equivalent to the answer from @Tandled for later IIS versions (which seems to be pretty significantly different)... IIS client authentication. Selecting the Ignore option worked in my case.

I know this should be a comment but I can't comment. I think it's worth putting as an answer all the same.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top