
How to trust all my self-signed certificates in my app

I have an Android app that communicates with my host server. The app and the server communicate through SSL. Every year, I have to renew the (self-signed) certificate in the host server. Every time that cert expires, I have to update my Android app accordingly by creating my own TrustManager and trusting the new certificate directly. This is working perfectly.

The thing is, I don't want to modify my Android app every time my cert expires. So the question is, how do I trust all the self-signed certificates that I issue? Again, only the self-signed certificates from me.

These are the restrictions:

  1. Only self-signed certs can be used
  2. I can only create new certs valid for 12 months max

This is how I generate the cert:

    openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 365 \
            -nodes \
            -out selfSignedCert.crt \
            -keyout newPrivate.key

Would appreciate your help.

Create a CA cert with 10 years validity. Sign the server cert with the CA cert. The server cert should have 1 year or less validity. In your application include the CA cert and add it to your custom TrustManager. Now you only need to release a new app every 10 years when the CA cert expires. Your TrustManager should accept all certs which are signed by your CA cert.

Detailed steps:

  1. Create the CA key
    sudo openssl genrsa -out CA/rocketCA.key 1024
  2. Create a CA certificate request
    openssl req -new -key CA/rocketCA.key -out CA/rocketCA.csr
  3. Self-sign the CA certificate
    sudo openssl x509 -req -days 3650 -in CA/rocketCA.csr -out CA/rocketCA.crt -signkey CA/rocketCA.key
  4. Verify the CA certificate contents
    openssl x509 -in CA/rocketCA.crt -text
  5. Create the web server private key using a fully qualified DNS name such as rocket.example.com OR use an IP address. When prompted for the pass phrase, enter a password that you can remember.
    sudo openssl genrsa -des3 -out server/keys/rocket.example.com.key 1024
  6. Create the web server certificate request using the same fully qualified DNS name/IP you used for the private key
    openssl req -new -key server/keys/rocket.example.com.key -out server/requests/rocket.example.com.csr
  7. Sign the web server certificate with the CA key (1 year validity, as stated above)
    sudo openssl ca -days 365 -in server/requests/rocket.example.com.csr -cert CA/rocketCA.crt -keyfile CA/rocketCA.key -out server/certificates/rocket.example.com.crt
  8. To verify the web server certificate contents, use the following command
    openssl x509 -in server/certificates/rocket.example.com.crt -text

Key values to look for are:

Subject CN=rocket.example.com
Issuer CN=rocketCA

Reference for detailed steps (you do not need the Mutual Auth part):

http://www.cafesoft.com/products/cams/ps/docs32/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html

First, it is unclear why exactly you have a limit of one year, how exactly you issue a new certificate, and why you are restricted to self-signed certificates only. But the common way to do pinning/trusting which still works with a renewed certificate is to pin against the public key of the certificate and not against the certificate itself. Then make sure that the key stays the same when renewing the certificate.
