Verify certificate type for managed Android devices

For certificates to be accepted as part of a configuration (such as a Wi-Fi configuration) on an Android device, the certificate must be issued and signed by a publicly trusted certificate authority (CA).

To check whether your certificate is a CA-signed certificate:

  1. Run the following command on a machine where OpenSSL is installed:

    openssl x509 -text -noout -in [certificate-name].crt

    Where certificate-name is the name of the certificate file.

  2. To find out if the certificate has the proper flag, look for the following lines in the command output:

    X509v3 Basic Constraints:
        CA:TRUE

If you are creating your own certificates for this use:

  • Ensure that the CA flag is set correctly using an OpenSSL configuration file. The file should have a section similar to the following:

    [ v3_ca ]

    basicConstraints = CA:TRUE

  • When creating the certificate, ensure the command includes two additional parameters, -extfile and -extensions:

    -extfile [configuration_file].conf -extensions v3_ca

    Where configuration_file is the name of the configuration file mentioned above.
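The creation and verification steps above combined into one script, as an added example that is not part of the original page: it signs the same request once with the v3_ca section and once with a constructed v3_leaf section, then runs the CA:TRUE check on both. The file names, the subject, and the req, dn and v3_leaf sections are assumptions; the certificates are self-signed throwaways that exist only to exercise the check.

```shell
#!/bin/sh
# Added example: create two throwaway certificates and check the CA flag on each.
# File names, the subject and the v3_leaf section are constructed for this demo.

make_demo_certs() {  # $1 = output directory
  dir=$1
  cat > "$dir/demo.conf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = CA:TRUE
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # One key and one signing request, reused for both certificates.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.conf" \
    -subj "/CN=Constructed Demo Cert" \
    -keyout "$dir/demo.key" -out "$dir/demo.csr" 2>/dev/null || return 1
  # Same command twice; only the -extensions section differs.
  for kind in ca leaf; do
    openssl x509 -req -in "$dir/demo.csr" -signkey "$dir/demo.key" -days 1 \
      -extfile "$dir/demo.conf" -extensions "v3_$kind" \
      -out "$dir/$kind.crt" 2>/dev/null || return 1
  done
}

is_ca_cert() {  # $1 = certificate file; exit status 0 only when CA:TRUE is set
  openssl x509 -text -noout -in "$1" 2>/dev/null |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for cert in "$demo_dir/ca.crt" "$demo_dir/leaf.crt"; do
  if is_ca_cert "$cert"; then
    echo "$(basename "$cert"): CA:TRUE present"
  else
    echo "$(basename "$cert"): CA:TRUE missing"
  fi
done
rm -rf "$demo_dir"
```
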

For complete details, see your OpenSSL documentation.