Android Device Certificate using JSCEP with Microsoft SCEP (NDES)


Digistras

Oct 10, 2012, 10:18:44 PM
to jscep-...@googlegroups.com
Hi all,
 
I'm handling the support for my clients and they have Android devices in their environment. They would like to enhance their Android device security by introducing Certificate Authentication with SCEP (NDES) on Server 2008 R2. Their requirement is to use an Android device (NOT User) certificate to perform 1st level authentication for Android devices, just like the Computer Certificate in computer systems running Windows OS.
 
I did a search on Google and came across JSCEP. I browsed through the features but I'm not very sure if it can be used for Android device certification. So I would like to confirm if JSCEP can:
 
1. Generate an Android device/machine (NOT user) certificate request with Microsoft CA
2. If yes, how can I configure JSCEP to do so?
3. Can JSCEP request the Android device/machine certificate through a subordinate CA instead of talking to the CA directly?
 
Any help would be much appreciated. Thanks!

Ryan Schipper

Oct 10, 2012, 10:47:01 PM
to jscep-...@googlegroups.com
Digistras:

How do you intend to distribute the certificates?

If you were hoping enrolment would occur from the device, you are unfortunately out of luck with jscep. Currently, jscep does not work on Android devices. There is an open issue for a compatible version: http://code.google.com/p/jscep/issues/detail?id=64

If you are going to build a client application to perform enrolments and then manually install the device certificates, jscep will be fine.

To address your specific questions:

1) No. You have to generate the initial request in your code and then provide it to the jscep client. See the jscep examples/FAQ pages.

2) This is a registry setting on the NDES server, not a jscep option. See the NDES documentation.

3) Again, this is a setting on the NDES server. You need to configure your NDES server to fulfil requests using the Sub CA, rather than the Root CA. See the NDES documentation.

-- Ryan Schipper
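
The flow described in answer 1 above, as an added example that is not part of the original thread or the jscep project's own code: the caller generates the device key pair and PKCS#10 request, and jscep only transports it to NDES from a desktop JVM. It assumes the jscep 2.x client API and BouncyCastle's bcpkix classes; the class name `DeviceEnrol`, the argument order and the use of a challenge password (NDES's default mode) are assumptions.

```java
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.DefaultCallbackHandler;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.ConsoleCertificateVerifier;

public class DeviceEnrol {
    // Hypothetical usage: DeviceEnrol <NDES SCEP URL> <device name> <challenge password>
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        // Subject names the device, not a user
        X500Principal subject = new X500Principal("CN=" + args[1]);
        JcaContentSignerBuilder sig = new JcaContentSignerBuilder("SHA256withRSA");
        // Short-lived self-signed certificate; SCEP uses it only to sign the request
        long now = System.currentTimeMillis();
        X509Certificate selfSigned = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(subject, BigInteger.ONE,
                new Date(now - 3_600_000L), new Date(now + 86_400_000L),
                subject, kp.getPublic()).build(sig.build(kp.getPrivate())));
        // The PKCS#10 request is built by the caller, not by jscep
        JcaPKCS10CertificationRequestBuilder csrBuilder =
            new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic());
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
            new DERPrintableString(args[2]));
        PKCS10CertificationRequest csr = csrBuilder.build(sig.build(kp.getPrivate()));
        // The console verifier asks the operator to confirm the CA certificate hash
        CallbackHandler handler = new DefaultCallbackHandler(new ConsoleCertificateVerifier());
        Client client = new Client(new URL(args[0]), handler);
        EnrollmentResponse res = client.enrol(selfSigned, kp.getPrivate(), csr);
        System.out.println(res.isSuccess() ? "Issued: " + res.getCertStore().getCertificates(null)
            : res.isPending() ? "Pending CA approval" : "Rejected: " + res.getFailInfo());
    }
}
```

The private key exists only in this JVM, so it and the issued certificate still have to be packaged and installed on the device manually, as the post above describes.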


Digistras

Oct 10, 2012, 11:41:50 PM
to jscep-...@googlegroups.com
Thanks for your prompt reply.
 
If I get you correctly, JSCEP does not work on Android Device, then what device can I use JSCEP on?

Ryan Schipper

Oct 11, 2012, 1:43:00 AM
to jscep-...@googlegroups.com
The jscep library can run on most Java VMs. For instance, the JRE provided by Oracle for Windows, Linux and Mac OS.

Android's Dalvik VM uses different bytecode to the Oracle VM so you would have to recompile. Unfortunately, a key dependency for jscep - called BouncyCastle - is included, but incomplete on the Android platform. Thus, jscep cannot be directly built for Android.

You could always make the necessary code changes for integrating SpongyCastle (as per the bug I included previously) yourself.
