Configuring client certificates on Android

Configure the Connections mobile app to allow client certificate authentication on Android devices.

Before you begin

You can also distribute client certificates by using ibmscp links. For more information, see the Importing client certificates by using ibmscp links topic.

About this task

Client certificates are supported on Android versions 4.0.x, 4.2.x, and higher. These versions of Android have a common credential storage that can be accessed by all applications on the device. The Connections mobile app retrieves certificates from the common credential storage.

To import a client certificate, complete the following steps:

Procedure

  1. Append the .ibmmbd extension to the client certificate p12 file so that the Connections mobile app can open the file.
    For example: cert.p12 becomes cert.p12.ibmmbd.
    Tip: A .p12 file follows the PKCS #12 standard for storing cryptography objects as a single file. Each .p12 file bundles a private key with a corresponding X.509 certificate.
    Note: The Connections app uses the common credential storage mechanism, which means that you can also send PKCS #12 certificates to the user as regular .p12 files. When the user taps on the file, Android attempts to import it into the common credential storage.
  2. Distribute the .ibmmbd file to your mobile users. Send the file by email or add it to a website that can be accessed from a mobile device.
  3. Provide the following instructions to your mobile users:
    1. Transfer the .ibmmbd file to your mobile device.
    2. From your device, tap on the .ibmmbd file and select Open in Connections. When prompted, enter the password for the certificate.
    3. Import the certificate. A confirmation message verifies that the certificate was successfully imported.
    4. Open the Connections mobile app and create an account. When prompted, select the certificate that you imported and enter the password.
    Note: If the user's email app cannot open the .ibmmbd file, provide these alternative instructions:
    1. From your email app, save the file to the SD card.
    2. Open Connections and go to Settings.
    3. Select Certificates and then select Import from SD Card. The Connections app scans the SD card for .ibmmbd files. If a valid file is found, Connections imports the client certificate. If no certificates are found, an error message is displayed.
    Note: If the user's device runs Android 11 or later, perform the following steps to install CA certificates:
    1. Open Device Settings.
    2. Go to Security > Encryption and Credentials.
    3. Depending on your device, go to Install from Storage or Install a certificate.
    4. Select CA Certificate.
    5. Accept the warning alert and click on Install anyway.
    6. Search and open the certificate file on the device.
    7. Confirm the certificate installation.
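
An added example, not part of the original documentation: a shell function an administrator could run for step 1 to confirm that the .p12 file opens with its password, bundles a private key that matches its X.509 certificate, and has not expired, before creating the .ibmmbd copy. The function name prepare_ibmmbd and the P12_PASS environment variable are assumptions made for this example, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: validate a PKCS #12 bundle, then create the .ibmmbd copy.
# Usage: P12_PASS='...' ; export P12_PASS ; prepare_ibmmbd cert.p12
# P12_PASS is a hypothetical variable name; reading the password from the
# environment keeps it out of the process argument list.
prepare_ibmmbd() {
    p12=$1
    [ -f "$p12" ] || { echo "not found: $p12" >&2; return 2; }

    # Client certificate from the bundle; this fails on a wrong password.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null) \
        || { echo "cannot read $p12 (wrong password or not PKCS #12)" >&2; return 3; }

    # Public key as stated in the certificate.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout 2>/dev/null) \
        || { echo "no X.509 certificate in $p12" >&2; return 4; }

    # Public half of the bundled private key, derived in a pipe so the
    # decrypted key is never written to disk.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) \
        || { echo "no private key in $p12" >&2; return 5; }

    # The bundle is only usable for client authentication if the two match.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 6; }

    # -checkend 0 returns non-zero if the certificate has already expired.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 7; }

    # Step 1 of the procedure: cert.p12 becomes cert.p12.ibmmbd.
    cp -- "$p12" "$p12.ibmmbd" && echo "$p12.ibmmbd"
}
```

On success the function prints the path of the .ibmmbd copy; each failure returns a distinct non-zero status and leaves no .ibmmbd file behind.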

What to do next

When logging in to a server that requires a client certificate, the user is prompted to select a certificate from the common credential storage. If no certificates are found, the user can import one. If there are no valid certificates on the device, the login procedure stops.