How to trust all my self-signed certificates in my app
I have an Android app that communicates with my host server. The app and the server communicate through SSL. Every year, I have to renew the (self-signed) certificate on the host server. Every time that cert expires, I have to update my Android app accordingly by creating my own TrustManager and trusting the new certificate directly. This is working perfectly.
The thing is, I don't want to modify my Android app every time my cert expires. So the question is, how do I trust all the self-signed certificates that I issue? Again, only the self-signed certificates from me.
These are the restrictions:
This is how I generate the cert:
openssl req -newkey rsa:4096 \
-x509 \
-sha256 \
-days 365 \
-nodes \
-out selfSignedCert.crt \
-keyout newPrivate.key
Would appreciate your help.
Create a CA cert with 10 years' validity. Sign the server cert with the CA cert. The server cert should have 1 year or less validity. In your application, include the CA cert and add it to your custom TrustManager. Now you only need to release a new app every 10 years, when the CA cert expires. Your TrustManager should accept all certs that are signed by your CA cert.
Detailed steps:
# 1. Create the CA key (the original post used 1024-bit RSA; 2048 is the current minimum)
sudo openssl genrsa -out CA/rocketCA.key 2048
# 2. Create a signing request for the CA and self-sign it for 10 years
openssl req -new -key CA/rocketCA.key -out CA/rocketCA.csr
sudo openssl x509 -req -days 3650 -in CA/rocketCA.csr -out CA/rocketCA.crt -signkey CA/rocketCA.key
# 3. Inspect the CA cert (the original post read CA/hitenCA.crt here, which does not match the file created above)
openssl x509 -in CA/rocketCA.crt -text
# 4. Create the server key and its signing request
sudo openssl genrsa -des3 -out server/keys/rocket.example.com.key 2048
openssl req -new -key server/keys/rocket.example.com.key -out server/requests/rocket.example.com.csr
# 5. Sign the server request with the CA for one year, as stated above (the original post used -days 3650).
#    openssl ca reads its CA directory layout (database, serial, new_certs_dir) from openssl.cnf.
sudo openssl ca -days 365 -in server/requests/rocket.example.com.csr -cert CA/rocketCA.crt -keyfile CA/rocketCA.key -out server/certificates/rocket.example.com.crt
# 6. Inspect the server cert
openssl x509 -in server/certificates/rocket.example.com.crt -text
Key values to look for are:
Subject CN=rocket.example.com
Issuer CN=rocketCA
Reference for detailed steps (you do not need the Mutual Auth part):
http://www.cafesoft.com/products/cams/ps/docs32/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
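An added example of the app side of this answer (not code from the answer or the asker): a Java helper for an Android app that trusts only certificate chains issued by the embedded CA certificate, so the yearly server cert can be replaced without an app update. It assumes the CA PEM is shipped as an asset named rocketCA.crt (name assumed) and passed in as an InputStream.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Trusts exactly one private CA; everything else (including the system roots) is rejected. */
public final class PrivateCaTrust {

    /** caPem: the CA certificate in PEM form, e.g. context.getAssets().open("rocketCA.crt") (asset name assumed). */
    public static SSLContext sslContextFor(InputStream caPem) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(caPem);
        // Guard against shipping a leaf cert by mistake: getBasicConstraints() is -1 for non-CA certs.
        if (ca.getBasicConstraints() < 0) {
            throw new IllegalArgumentException("embedded certificate is not a CA certificate");
        }
        // Empty in-memory trust store holding only our CA. Any server cert signed by this CA
        // (and otherwise valid: dates, signature, extensions) passes; unrelated certs fail.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("rocketCA", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // standard PKIX chain validation, no accept-everything TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection using the private-CA trust store. The default hostname verifier
     *  is left in place, so the server cert's CN/SAN must still match the URL's host. */
    public static HttpsURLConnection open(URL url, InputStream caPem) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContextFor(caPem).getSocketFactory());
        return conn;
    }
}
```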
First, it is unclear why exactly you have a limit of one year, how exactly you issue a new certificate, and why you are restricted to self-signed certificates only. But the common way to do pinning/trusting that still works with a renewed certificate is to pin against the public key of the certificate and not against the certificate itself. Then make sure that the key stays the same when renewing the certificate.