I am using k9mail (Android, open source) as my email client application. The objective is that users only access my email server with SSL security, so I need to install an SSL certificate in my email client. What is the best way to install the SSL certificate on my client side?

(i.e.) Install it from my server when the client communicates with the server, or install it in my client when I develop the application. Can you give your suggestions?

  • AFAIK k9mail asks the user for permission to accept a certificate if it bumps into an untrusted one. Doesn't that solve your problem? Or do you want to restrict users by allowing only your server's certificate? Commented Dec 8, 2012 at 22:07

1 Answer

Short answer: Install/include it in the client app when you develop it. You should not install it from the server when the client communicates with it; that is not a correct approach (security-wise).

Long answer: The server certificate must be transferred to the client in a secure way. That is to prevent an attacker from replacing it with his own certificate, so that later on he, the attacker, can pretend to be the mail server (man-in-the-middle attack). If you just download the certificate to your client when the client communicates with the server, we cannot prove that the entity you think is your server is really your server, unless you have already established a secure (encrypted/authenticated) channel with it (in which case you wouldn't need the certificate anyway, since you would already have that secure connection).

So you will have to generate your server certificate beforehand and include it in the application. The alternative would be to transfer it via a physical medium or another secure channel (which doesn't really make sense...).
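The two approaches the answer contrasts, worked through end to end as an added example (this is not code from the question, the answer, or the k9mail project). It generates a throwaway self-signed certificate for a hypothetical server name, serves it from a loopback TLS listener, and then runs two clients against it and against an impostor that holds a different self-signed certificate for the same hostname: a client whose only trust anchor is the PEM bundled at build time, and a client that takes whatever certificate the peer presents on first contact. The hostname `mail.example.test`, the function names and the generated certificates are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical mail server name, chosen for this example.
const host = "mail.example.test"

// startServer makes a throwaway self-signed certificate for host (constructed here; a real
// server uses the one it already has) and serves it on a loopback port, returning the address.
func startServer() (addr string, certPEM, certDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the client's hostname check matches this SAN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the certificate is its own trust anchor
	}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{certDER}, PrivateKey: key}}})
	if err != nil {
		return "", nil, nil, err
	}
	go func() { // complete each handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) { _ = tc.Handshake(); tc.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), certDER, nil
}

// connectPinned is the client the answer recommends: its only trust anchor is the PEM bundled at
// build time, so a certificate for the right name from anyone else fails before any mail is sent.
func connectPinned(addr string, bundledPEM []byte) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundledPEM) {
		return fmt.Errorf("bundled certificate is not valid PEM")
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:    pool, // not the system store: only our own server's certificate
		ServerName: host, // still verify the name; pinning does not replace that check
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// downloadedCert is the client the answer rejects: with no prior trust anchor it must accept whatever
// certificate the peer presents, so it cannot tell the server from a man in the middle. nil on failure.
func downloadedCert(addr string) []byte {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Raw
}

// runScenario runs both clients against the genuine server and an impostor with its own certificate for the same name.
func runScenario() (pinnedAcceptsGenuine, pinnedRejectsImpostor, downloadTrustsImpostor bool, err error) {
	genuineAddr, bundledPEM, _, err := startServer()
	if err != nil {
		return false, false, false, err
	}
	impostorAddr, _, impostorDER, err := startServer() // attacker's own key pair, same hostname
	if err != nil {
		return false, false, false, err
	}
	return connectPinned(genuineAddr, bundledPEM) == nil,
		connectPinned(impostorAddr, bundledPEM) != nil,
		bytes.Equal(downloadedCert(impostorAddr), impostorDER), nil
}

func main() {
	ok, rejected, fooled, err := runScenario()
	fmt.Println("pinned accepts genuine:", ok, "| pinned rejects impostor:", rejected, "| download trusts impostor:", fooled, "| error:", err)
}
```

The bundled certificate is public, so shipping it inside the app costs nothing in secrecy; what it costs is rotation, because a new server certificate then needs an app update unless you pin the issuing CA or the server's public key (SPKI) rather than the leaf. Note also that `RootCAs` replaces the system trust store for that connection, while `ServerName` keeps hostname verification on: pinning narrows who is trusted, it does not replace checking that the certificate is for the right host.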


