04-02-2019 08:19 AM - edited 07-05-2021 10:11 AM
Hello,
I'm running into an issue where when joining our Cisco Wireless network, iPhones are presented with the option to trust/untrust our server-side certificate which is great. The problem is we never get asked this for Android devices. The only way to get around this is to not require CA certificate validation so then only username/password is needed but that is not the solution we want to go with. Has anyone experienced this issue with Android before and is there anything I can do to troubleshoot on the Cisco end to check?
Cisco 5508 WLC
Latest Android IOS (but happens on all)
Server is an ACS Box that hosts the certificate passed to clients
04-02-2019 08:57 AM
It's been a while since I've worked with an Android device. But all the ones I've dealt with in the past default to "ignore certificate" or something to that effect by default. This is a client-based decision that essentially leads to automatically trusting everything. I guess that does leave it more vulnerable to MITM type attacks. But truth be told, does an average user actually check certificate thumbprints / sn#s, etc? Or are you using an MDM to pre-deliver the root certs?
Funny story. We had an issue with Apple devices complaining about certs after we updated our PEAP cert in ISE because it was about to expire. We were scratching our heads why it only affected Apple and not Android. That's how we came to find out about the way Android does things.
04-02-2019 09:32 AM
I'll get back to you as to what options the client is presented with, but we have something on our network capable of assigning profiles with certs to mobile devices. I'm starting to wonder if maybe Android also needs the full chain and perhaps is not seeing the intermediate.
04-02-2019 09:53 AM
The cert isn't being pushed it seems. Will need MDM admin to help with that.
04-02-2019 09:35 AM
My understanding of certificates/PKI is limited, but the cert is by DigiCert and is valid for a long time. Am I correct in guessing that just 'cause the CA is trusted by iPhone doesn't necessarily mean this particular cert is for Android, since the serial, expiration, SHA strength is different?
I took a look at certs iPhone trusts out of the box and they offer great detail. Android, from what I found, is a mess I have to scour through:
https://support.apple.com/en-us/HT208125
https://android.googlesource.com/platform/system/ca-certificates/+/master/files/
04-02-2019 09:56 AM - edited 04-02-2019 09:57 AM
@s1nsp4wn wrote:
> Am I correct in guessing that just 'cause the CA is trusted by iPhone doesn't necessarily mean this particular cert is for Android, since the serial, expiration, SHA strength is different?
Not exactly. I'm far from an expert either but learned enough through trial by fire. If a cert is expired, nothing will trust it automatically (unless of course, as established, the device ignores it altogether). If a device has a minimum requirement for certain SHA levels, and your cert falls below that requirement, then the cert will be rejected and not even processed. This has nothing to do with Apple vs Android necessarily.
If getting rid of the popup on Apple is the only goal then yes, a public cert would do it. But is it worth it? This popup is only a one-time deal: once the client trusts it on the initial connection it will continue to trust it on subsequent attempts (unless the user manually goes back into the memorized wifi networks and chooses "forget this network").
04-02-2019 10:27 AM
It's DigiCert SHA2 and I've been unsuccessful in seeing if Android has a problem with that SHA. But the prompt is important for two reasons for us: 1. We want more than usn/psw to be necessary for access. 2. We plan to eventually move to an EAP-TLS model where both server and client need a cert, so if PEAP is a problem EAP-TLS is gonna be a no-go.
04-02-2019 11:38 AM
So you want the device to prompt to trust the cert, and to prompt for an ID/pw. Unless there's a misunderstanding, there seems to be a conflict in what you want.
First, as mentioned... Android ignores certs by default. If you want to change this you need to have a pre-delivered or manually created profile. Unless something changed in the last 6 months - 1 yr since I've dealt with this. If it's pre-deployed, there is no prompt.
Second - if you're using a cert from a public / trusted CA, and it's valid (as far as SHA etc. goes) then there will be no prompt, not even the initial one.
The general goal is to avoid cert prompts while still maintaining integrity of the connection. Not to artificially introduce prompts.
04-02-2019 12:16 PM
So Android ignores by default and I'm still trying to figure out why when we select join on Android nothing happens UNLESS you tell the phone to ignore CA validation in which case you can then enter login creds. As for one, the other, both that was just out of my ignorance since iPhone asks for user creds AND if you want to trust the cert. Seems like I can start leaning towards pressing Google/Android and looking into EAP-TLS alternatives.
04-02-2019 09:20 AM
Public Certificate will get rid of the popup to accept or ignore the certificate warning.
Android does this by default.