Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

I have an SSL error (untrusted) in my Xamarin application on the Android app (iOS works well). I need to use WebView.

I followed these instructions for HttpClient: https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin . I need to set the TrustManagerFactory, KeyManagerFactory and KeyStore, but in WebViewRenderer and WebViewClient I cannot find an option to add my certificates as trusted. I don't want to compare certificates in the OnReceivedSslError override method, because the certificate that arrives in this method is the final certificate (that will expire in up to one year). I want to add my root and intermediate certificates to the list of trusted certificates before the certificate-checking method in the WebView is called.

ExportRenderer:

using Android.Content;
using Java.Security;
using Javax.Net.Ssl;
using Xamarin.Forms.Platform.Android;

// CertificateHelper and CustomWebViewClient are the asker's own classes (not shown).
public class CustomWebView : WebViewRenderer
{
    private TrustManagerFactory _trustManagerFactory;
    private KeyManagerFactory _keyManagerFactory;
    private KeyStore _keyStore;

    public CustomWebView(Context context) : base(context)
    {
    }

    protected override void OnElementChanged(ElementChangedEventArgs<Xamarin.Forms.WebView> e)
    {
        base.OnElementChanged(e);
        if (e.NewElement != null)
        {
            var customWebViewClient = new CustomWebViewClient();
            // Loaded from the helper, but not yet handed to the WebView:
            // this is the part the question asks about.
            _trustManagerFactory = CertificateHelper.TrustManagerFactory;
            _keyManagerFactory = CertificateHelper.KeyManagerFactory;
            _keyStore = CertificateHelper.KeyStore;
            Control.SetWebViewClient(customWebViewClient);
        }
    }
}

How to set TrustManagerFactory, KeyManagerFactory and KeyStore here?

question from:https://stackoverflow.com/questions/65905802/xamarin-webview-android-ssl-error-untrusted-how-to-add-trusted-certificate


1 Answer

I have finally found a working solution. In my case, adding the end-user certificate or the intermediate certificate (separately or together) makes everything work. The end-user cert is short-term, so I advise adding the long-term intermediate certificate.

Add android:networkSecurityConfig="@xml/network_security_config" to the manifest, in the application section.

Add a new XML file (build action: AndroidResource) at Resources -> xml -> network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="@raw/untrusted_ca"/>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
</network-security-config>

The name of the certificate should consist only of lowercase letters, numbers and underscores.

Add the certificate (build action: AndroidResource) in: Resources -> raw -> untrusted_ca.pem

Now the Android WebView trusts the server at the application level, so no more SSL errors occur when connecting to that particular server.
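An added example, not part of the original answer: the same resource file with the bundled certificate scoped to a single host through `<domain-config>`, since a certificate listed under `<base-config>` is accepted as a trust anchor for every TLS connection the app makes. The host name `app.example.com` is a placeholder; `@raw/untrusted_ca` is the file from the answer.

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <!-- Every host not matched below: platform CA store only. -->
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>

  <!-- Only the one server whose chain needs the bundled certificate.
       app.example.com is a placeholder host name. -->
  <domain-config>
    <domain includeSubdomains="false">app.example.com</domain>
    <trust-anchors>
      <!-- Resources/raw/untrusted_ca.pem from the answer -->
      <certificates src="@raw/untrusted_ca"/>
      <!-- Keep the platform store too, as in the answer; remove this line
           to accept only chains that end at the bundled certificate. -->
      <certificates src="system"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
```

Settings that a `<domain-config>` does not specify are inherited from `<base-config>`, so any other host loaded in the WebView is still validated against the system store alone.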

