HTTPS Validate Certificate

 
Ranch Hand
Posts: 79
Hello,

I am calling a web service from my Android client via HTTPS. I have to validate the certificate received from the server side. How do I do that? At present this is my code that I use to call a web service.


How do I validate a self-signed certificate received from the server while performing a POST? I have to do testing via public/private keys. The client will have a CA file. I just need the client to verify the server certificate using the CA; the service is public. This has to do with public/private keys.

Any help is highly appreciated.
 
Rancher
Posts: 43081
77
How would the CA know about a self-signed certificate?
 
Trupti Mehta
Ranch Hand
Posts: 79
That's what my point includes. How do I test and get the certificate received from the server?
 
Ulf Dittmer
Rancher
Posts: 43081
77
That was a rhetorical question - since no CA knows about the certificate, what should validation entail?
 
Trupti Mehta
Ranch Hand
Posts: 79
Ulf Dittmer wrote: That was a rhetorical question - since no CA knows about the certificate, what should validation entail?



Ulf Dittmer, when I call a web service, the server sends a self-signed certificate, and I have to validate it. My first requirement is:
How to get the server's certificate?
Then comes validating its public key.
 
Greenhorn
Posts: 28
Bob Lee posted on his blog a solution to this:

http://blog.crazybob.org/2010_02_01_archive.html
 
Trupti Mehta
Ranch Hand
Posts: 79
Perry Hoekstra wrote: Bob Lee posted on his blog a solution to this:

http://blog.crazybob.org/2010_02_01_archive.html



Yes Perry, I already had a look at it. It needs Bouncy Castle and all. I already have my own "certificate.cer" file. With that, how do I work it out!!!
 
Perry Hoekstra
Greenhorn
Posts: 28
Well, there are a number of approaches to getting this to work. The first approach is to get Android to accept a self-signed cert.

I pointed out one website and here is another: http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates

Also, there is the Signing in Debug Mode: http://developer.android.com/guide/publishing/app-signing.html

I have not used this approach.

The final option is to deal with the self-signed cert programmatically. This is usually done by implementing a version of the SSL Socket factory class where the verification is always set to true. There are numerous examples including:

http://mobile.synyx.de/2010/06/android-and-self-signed-ssl-certificates
http://developer.android.com/reference/org/apache/http/conn/ssl/SSLSocketFactory.html
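For the case raised in the thread (a client that ships its own `certificate.cer` and should accept only servers that chain to it), here is an added example, not code from any poster: it loads that certificate as the sole trust anchor and keeps normal chain and hostname checking, rather than using a socket factory that accepts everything. The class name, the `server-ca` alias and the two command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedCaClient {  // hypothetical class name

    /** Builds an SSLContext that trusts only the certificate read from caInput. */
    static SSLContext contextTrustingOnly(InputStream caInput) throws Exception {
        // Parse the DER- or PEM-encoded X.509 certificate (the app's certificate.cer).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caInput);

        // In-memory key store holding that single trust anchor ("server-ca" is an assumed alias).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server-ca", ca);

        // Standard trust manager: chain, signature and validity dates are still checked.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage (both arguments are placeholders): java PinnedCaClient certificate.cer https://host/service
    public static void main(String[] args) throws Exception {
        SSLContext ctx;
        try (InputStream in = new FileInputStream(args[0])) {
            ctx = contextTrustingOnly(in);
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place, so the server name must match as well.
        try {
            System.out.println("HTTP " + conn.getResponseCode()); // handshake happens here
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("Validated server cert: " + leaf.getSubjectX500Principal());
        } finally {
            conn.disconnect();
        }
    }
}
```

A server whose certificate does not chain to the loaded file fails the handshake with an `SSLHandshakeException`, which is the validation result the client should act on.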