Jim Carter's Bugfixes

X.509 Client Certificates on Firefox for Android

James F. Carter
2013-11-08
Symptom:

On Android, comparing Mozilla Firefox and the default AOSP browser (similar to Google's Chromium), Firefox is incrementally better and I would prefer to use it, but it has one deficiency that affects me: it cannot establish a TLS connection authenticated by a client X.509 certificate. This is on CyanogenMod-10.1 based on Android-4.2 Super Jelly Bean.

What's happening:

Firefox uses its own keystore, but has no way to put client certificates into it. Desktop Firefox has client certificate support as part of the core. I don't know why Mobile Firefox leaves this out. What's happening? Lack of vision by the developers.

How to fix:

Open source to the rescue. There is an add-on available called AddCertificate by Stephane Le Gall; as of 2013-11-08 the version is 1.0.10.01, and it is classified as experimental.

To install it: Menu - Tools - Add-Ons - Browse All - Search (type the name). It shows the search results. Click on the (only) result line. Click Add To Firefox, and confirm after it downloads.

To see the usage instructions (in French), click on Read More. To get to this page after installation, follow the installation sequence, search for the app, and click on the result line (but don't Add To Firefox again); just read the usage instructions. Here's an English translation:

This add-on module lets you import a client certificate into Firefox's keystore. It is recommended for the Android version, which does not have a certificate import interface.

Your certificate is now in Firefox's keystore. On your next connection to a site requiring a client certificate, a window will pop up asking you to pick one of your client certificates. (Or to confirm sending your only one.)

Attention: A bug (#921477) affects certain versions of Firefox, specifically version 24. It fails to pop the window asking for the client certificate. The current version 25 does not have the bug.

Jimc's Experience

The plugin was easy to install, and worked out of the box. Now I am happily reading my mail on my Android tablet. You do need to first download your PKCS#12 file as a file, since neither mobile nor desktop Firefox (for Linux) has a mailcap/association to install this kind of file off the web.

Merci, Stephane! It helps that I know some French.

