I wanted to filter traffic to the server through a reverse proxy using two-way SSL/client certificates, on top of the regular login + 2FA auth. It already works, with the exception of the Android app, because, from what I have pieced together anyway, by default Android apps only accept/use the system store with public CAs unless they are explicitly configured to allow the user store.
From another app with a similar issue on GitHub:
The android manifest file must contain reference to a networkSecurityConfig file:
<application ... android:networkSecurityConfig="@xml/network_security_configuration" ...>
…and this file’s content will explicitly say that it looks up certificates not only in the system store but also in the user one:
    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <base-config>
            <trust-anchors>
                <certificates src="system" />
                <certificates src="user" />
            </trust-anchors>
        </base-config>
    </network-security-config>
Then one can filter traffic to the reverse proxy with more control than an IP alone, and without the additional cost of buying a certificate from a public CA.
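The config quoted above widens the trust anchors for every connection the app makes. When auditing an app (or your own config) the question a practitioner wants answered is: for a given host, which CA stores does the app actually trust, and does that change in a debuggable build? The script below is an added example, not code from the original post or from the app it refers to. It resolves a Network Security Config the way Android does (an exact `<domain>` match wins, then the nearest parent with `includeSubdomains="true"`, then `<base-config>`, then the platform default of system store only; `<debug-overrides>` anchors are added only for debuggable builds). The embedded XML is a constructed sample that keeps the system-only default for most hosts and opens the user store for one domain; `home.example.net` is a placeholder hostname.

```python
"""Resolve which CA stores an Android Network Security Config trusts per host.
Added example; the sample config below is constructed, not the original post's file."""
import xml.etree.ElementTree as ET

# Constructed sample: system-only default, user store only for one domain tree,
# plus a debug-overrides block that should never reach a release build.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">home.example.net</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def _anchor_sources(elem):
    """List the src values under elem's <trust-anchors>, or None if it has none."""
    ta = elem.find("trust-anchors") if elem is not None else None
    if ta is None:
        return None
    return [c.get("src") for c in ta.findall("certificates")]


def _matching_domain_config(root, host):
    """Pick the most specific top-level <domain-config> that covers host."""
    host = host.lower()
    best, best_len = None, -1
    for dc in root.findall("domain-config"):
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            exact = host == name
            subdomain = (d.get("includeSubdomains", "false").lower() == "true"
                         and host.endswith("." + name))
            if (exact or subdomain) and len(name) > best_len:
                best, best_len = dc, len(name)
    return best


def trust_sources(config_xml, host, debuggable=False):
    """Return the CA sources (e.g. ['system', 'user']) the app trusts for host."""
    data = config_xml.encode() if isinstance(config_xml, str) else config_xml
    root = ET.fromstring(data)
    sources = _anchor_sources(_matching_domain_config(root, host))
    if sources is None:                      # no domain-config, or one without anchors
        sources = _anchor_sources(root.find("base-config"))
    if sources is None:                      # platform default on API 24+
        sources = ["system"]
    if debuggable:                           # debug-overrides anchors are unioned in
        for src in _anchor_sources(root.find("debug-overrides")) or []:
            if src not in sources:
                sources.append(src)
    return sources


def trusts_user_store(config_xml, host, debuggable=False):
    """True when a CA installed by the device user would be accepted for host."""
    return "user" in trust_sources(config_xml, host, debuggable)


if __name__ == "__main__":
    for h in ("home.example.net", "api.home.example.net", "example.com"):
        print(h, "release:", trust_sources(SAMPLE_CONFIG, h),
              "debug:", trust_sources(SAMPLE_CONFIG, h, debuggable=True))
```

Run it against the `res/xml` file of a decoded APK to see where the user store is trusted. Limiting `src="user"` to a `<domain-config>` for your own host, as the sample does, keeps the rest of the app's traffic on the system store, which matters because any CA a device user installs (or is tricked into installing) can otherwise intercept all of the app's TLS connections.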