Connecting an Android Device to a certificate based Wi-Fi Network
When configuring an android device to connect to a certificate based wifi network - there are some key differences when setting up an Android vs an iOS device. Android requires a few extra configurations.
When setting up the Wi-Fi connection on the device, you need to enter the user principal name (UPN) from the Subject Alternative Name (SAN) attribute of the certificate into the "Identity" field or the "anonymous identity" field in the wifi configuration on the device. This value can be entered in either of these fields and the connection will still work.
Note: If the UPN is an email address - sometimes the full email address is required in the identity field, and other times only the username portion of the email address before the @ symbol is required. The specific configuration for your infrastructure may need to be tested separately.
Manually testing Android devices with PFX certificates
If you are testing Wifi, VPN, or email profiles with certificates on android, and are having issues - one of the best ways to isolate the issue is to test by manually configuring the device (similar to how you would use iPCU with Apple devices).
With certificates, the Android devices do not support PFX files (AirWatch automatically converts PFX files to P12 files when sending to android devices). When testing manually, you will need to do this conversion yourself.
You can use a tool called OpenSSL to do this conversation. Below are the commands:
First convert PFX to PEM and then convert back to PKCS#12.
Ciphers can be added for SHA1-3DES because those are broadly accepted.
c:\OpenSSL-Win64\bin>openssl.exe pkcs12 -in <InputPFXfile> -out <PEMfilename>
c:\OpenSSL-Win64\bin>openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <InputPEMfile> -out <P12filename> -name <"MyNewCert">"
In order to load this on your device, there are a few steps to follow:
1. Tether your device to the computer with USB
2. You will have to go to notifications bar and accept USB storage mode
3. Make sure you have an SD card on the device, this is a requirement
4. Drop the cert on the SD Card
5. Un-tether the device by disabling USB storage from the notifications bar on the device
6. Unplug the device fmor USB
7. Go to menu->settings->Locations & Security-> and scroll all the way down
8. Select the option to set passcode, and make sure credentials passcode is set
9. This should enable an option called load credentials from SD car
10. Click this to load the certificate.