
How and what server certificate to use with android SSL client certificate authentication

I'm developing a network-enabled android application that uses SSL client certificates to authenticate and secure connections to my server.

I have two questions: (1) should I use a self-signed server certificate or a commercial one? And (2) should I include the server certificate inside the apk file that users install, or should I have the application connect to my server to get the server certificate over the network (for the purpose of making the device trust the server cert)?

When I ask what I "should" do, I'm asking what the benefits and disadvantages of each choice are.

Right now I am using a self-signed certificate included with the apk file. When the user runs the app for the first time, it reads the included self-signed cert into the trust store so the device will connect to my server with no complaints. I suppose if I use a commercial cert then my question #2 might become moot, since the device may trust the cert from the server with no issues.

One more possibly-relevant detail: this application is not being distributed through the android market. Users will download the application from my server, so I can include whatever server certificate I want, including a different one for each user if I needed to.

I have my own ideas about the various advantages and drawbacks of each possible answer to my two questions, but I'm interested in what others (hopefully security-minded) have to say on the matter.

Thanks in advance!

I see no reason not to self-sign. I would have upped it a notch, though, and created my own certificate authority. This allows you to ensure that you will only connect to servers that have certificates signed by your custom CA, which is much better (i.e. actual crypto security) than a simple fingerprint check of the certificate on the server.

Here's an example of how to create a custom CA using Ruby's OpenSSL bindings. The procedure is the same in most languages. https://github.com/augustl/ruby-openssl-cheat-sheet/blob/master/certificate_authority.rb

You can of course also use a client certificate that has to be signed by your custom CA for your server to accept the request. Note that this will only be obscurity: an attacker will be able to extract the private key and custom CA-signed cert from your app. If your app can make requests to the server, anyone can :)
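The custom-CA approach the answer describes, as an added example using Ruby's standard OpenSSL bindings (this is not the answer's code and not the linked cheat sheet): it creates a private CA, issues a server certificate and a client certificate from it, and then verifies each against a trust store that contains only that CA. A self-signed certificate for the same hostname that was not issued by the CA is rejected, which is the property the answer contrasts with a plain fingerprint check. The names (`My App CA`, `api.example.com`, `user-42`) are constructed for the example.

```ruby
require 'openssl'

# Generate an RSA key and an X.509v3 certificate for +subject+.
# With no issuer the certificate is self-signed; with an issuer it is
# signed by issuer_key and chained to issuer_cert. ca: true marks it as a CA.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    # A CA certificate must say so, or verifiers will refuse chains built through it.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))

  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Chain validation against a store that trusts ONLY the custom CA.
# This is what an app should do instead of comparing a fingerprint:
# any certificate the CA has issued validates, anything else does not.
def signed_by_ca?(leaf, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(leaf)
end

# Constructed scenario: one private CA, a server cert and a client cert issued
# by it, and a rogue self-signed cert that merely copies the server's name.
def demo
  ca_cert, ca_key = make_cert('/CN=My App CA', ca: true, serial: 1)
  server_cert, _server_key = make_cert('/CN=api.example.com',
                                       issuer_cert: ca_cert, issuer_key: ca_key, serial: 2)
  client_cert, _client_key = make_cert('/CN=user-42',
                                       issuer_cert: ca_cert, issuer_key: ca_key, serial: 3)
  rogue_cert, _rogue_key = make_cert('/CN=api.example.com', serial: 4) # not issued by the CA

  {
    server_ok: signed_by_ca?(server_cert, ca_cert), # true
    client_ok: signed_by_ca?(client_cert, ca_cert), # true
    rogue_ok: signed_by_ca?(rogue_cert, ca_cert)    # false
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, ok| puts "#{name}: #{ok}" }
end
```

On the device the equivalent step is to load only `ca_cert` into the app's trust store and leave the server and client private keys off the apk where possible; as the answer notes, a client key shipped inside the apk can be extracted, so it identifies the app, not the user.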
