
如何用ca验证证书替换自签名证书

[英]How to replace self-signed certificate with ca verified certificate

我在 Android KeyStore 中生成了两对密钥，并各自带有占位用的自签名证书（一对用于 TLS 通信，一对用于加密）。我为它们分别生成了 CSR 并发送到服务器，获得了 CA 签发的证书。如何用这些 CA 签发的证书替换对应别名下的自签名证书？

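KeyStore keyTLS;
        // DER encoding of the TLS CSR (filled in below once the CSR is generated).
        byte[] CSRTLSder = new byte[0];
        try {
            // The key pair is generated inside AndroidKeyStore: the private key never
            // leaves the device and only the CSR (public half + signature) is sent to
            // the CA. The TLS key is deliberately separate from the encryption key.
            keyTLS = KeyStore.getInstance(Constants.AndroidKeyStore);
            keyTLS.load(null);
            // Single lookup instead of two; the original also logged the key object,
            // which is pointless noise in logcat.
            boolean haveTlsKey = keyTLS.getKey(KEY_ALIAS_TLS, null) != null;
            Log.d(TAG, "onCreate: TLS key present in keystore: " + haveTlsKey);
            if (!haveTlsKey) {
                Calendar notBefore = Calendar.getInstance();
                Calendar notAfter = Calendar.getInstance();
                notAfter.add(Calendar.YEAR, 2);

                // Subject, serial and validity only describe the placeholder self-signed
                // certificate; the CA-issued certificate replaces it after the CSR is signed.
                // NOTE(review): KeyPairGeneratorSpec is deprecated since API 23;
                // KeyGenParameterSpec would additionally let this key be restricted to
                // signing (PURPOSE_SIGN) so it cannot be reused for decryption.
                KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getApplicationContext())
                        .setAlias(KEY_ALIAS_TLS)
                        .setKeySize(2048)
                        // RDNs must be comma-separated: the original string ran "O=" and
                        // "C=" together into one malformed attribute value.
                        .setSubject(new X500Principal(
                                "CN=Your Company," +
                                        " O=Your Organization," +
                                        " C=Your Country"))
                        .setSerialNumber(BigInteger.ONE)
                        .setStartDate(notBefore.getTime())
                        .setEndDate(notAfter.getTime())
                        .build();

                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
                generator.initialize(spec);
                generator.generateKeyPair();
            }

            // PKCS#10 CSR for the TLS key; this (never the key) is what goes to the CA.
            PKCS10CertificationRequest csrTLS = CsrHelper.generateCSRTLS(keyTLS, "AclaasTLS");
            // presumably CSRTLSder is meant to carry the DER bytes out of the try — TODO confirm
            CSRTLSder = csrTLS.getEncoded();
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException | OperatorCreationException e) {
            // Log with the cause instead of printStackTrace(); the caller still sees no exception.
            Log.e(TAG, "Failed to prepare TLS key pair / CSR", e);
        }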

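        KeyStore keyEncrypt;
        // DER encoding of the encryption CSR (filled in below once the CSR is generated).
        byte[] CSREncryptder = new byte[0];
        try {
            // Second, independent key pair in AndroidKeyStore for encryption. Keeping it
            // separate from the TLS key means compromise or rotation of one does not
            // affect the other.
            keyEncrypt = KeyStore.getInstance(Constants.AndroidKeyStore);
            keyEncrypt.load(null);
            // Single lookup; do not log the key object itself.
            boolean haveEncryptKey = keyEncrypt.getKey(KEY_ALIAS_ENCRYPT, null) != null;
            Log.d(TAG, "onCreate: encryption key present in keystore: " + haveEncryptKey);
            if (!haveEncryptKey) {
                Calendar notBefore = Calendar.getInstance();
                Calendar notAfter = Calendar.getInstance();
                notAfter.add(Calendar.YEAR, 2);

                // Placeholder self-signed certificate only; replaced by the CA-issued one.
                // NOTE(review): KeyPairGeneratorSpec is deprecated since API 23;
                // KeyGenParameterSpec would let this key be limited to PURPOSE_ENCRYPT /
                // PURPOSE_DECRYPT so it cannot double as a signing key.
                KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getApplicationContext())
                        .setAlias(KEY_ALIAS_ENCRYPT)
                        .setKeySize(2048)
                        // RDNs must be comma-separated (the original merged O= and C=).
                        .setSubject(new X500Principal(
                                "CN=Your Company," +
                                        " O=Your Organization," +
                                        " C=Your Country"))
                        .setSerialNumber(BigInteger.ONE)
                        .setStartDate(notBefore.getTime())
                        .setEndDate(notAfter.getTime())
                        .build();

                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
                generator.initialize(spec);
                generator.generateKeyPair();
            }

            // Generate CSR in PKCS#10 format encoded in DER.
            PKCS10CertificationRequest csrEncrypt = CsrHelper.generateCSREncrypt(keyEncrypt, "AclaasEncrypt");
            // presumably CSREncryptder is meant to carry the DER bytes out of the try — TODO confirm
            CSREncryptder = csrEncrypt.getEncoded();

        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException | OperatorCreationException e) {
            // Log with the cause instead of printStackTrace(); the caller still sees no exception.
            Log.e(TAG, "Failed to prepare encryption key pair / CSR", e);
        }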

当我尝试使用时:

 private void addSignCertificate(byte[] signCertificate, String keyAlias) {
    // Parses the CA-issued certificate and tries to store it under keyAlias.
    // This is the version that FAILS: setCertificateEntry() creates a
    // trusted-certificate entry, and when keyAlias already holds the private
    // key the CSR was generated for, AndroidKeyStore rejects the call with
    // "Entry exists and is not a trusted certificate". A CA-issued certificate
    // has to be attached to the existing key entry via setKeyEntry() instead.
    try {
        KeyStore store = KeyStore.getInstance(Constants.AndroidKeyStore);
        store.load(null);

        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        InputStream encoded = new ByteArrayInputStream(signCertificate);
        Certificate issued = factory.generateCertificate(encoded);
        X509Certificate issuedX509 = (X509Certificate) issued;
        Log.d(TAG, keyAlias + " sign certificate: ca= " + issuedX509.getSubjectDN());

        // Throws KeyStoreException when keyAlias is already a key entry.
        store.setCertificateEntry(keyAlias, issued);
    } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
        e.printStackTrace();
    }
}

抛出异常：java.security.KeyStoreException: Entry exists and is not a trusted certificate（条目已存在且不是受信任证书）。原因是该别名下已经有私钥条目，而 setCertificateEntry() 只能写入受信任证书条目；CA 签发的证书必须通过 setKeyEntry() 挂到已有的私钥条目上。

已解决（修正后的代码如下）

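private void addSignCertificate(byte[] signCertificate, String keyAlias) {
        // Installs the CA-issued certificate for the key pair stored under keyAlias,
        // replacing the placeholder self-signed certificate.
        //
        // signCertificate: DER/PEM encoded X.509 certificate, or a bundle / PKCS#7
        //                  containing the leaf plus its intermediate CA certificates.
        // keyAlias:        AndroidKeyStore alias holding the private key the CSR was
        //                  generated for.
        //
        // Failures are logged and swallowed, matching the original contract.
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            InputStream in = new ByteArrayInputStream(signCertificate);

            KeyStore keyStore = KeyStore.getInstance(Constants.AndroidKeyStore);
            keyStore.load(null);

            // generateCertificates() accepts a single DER certificate exactly like
            // generateCertificate() did, but also a PEM bundle or PKCS#7 chain, so
            // intermediates returned by the CA are not silently dropped.
            Certificate[] received = cf.generateCertificates(in).toArray(new Certificate[0]);
            if (received.length == 0) {
                throw new CertificateException("no certificate found in response for " + keyAlias);
            }

            if (keyStore.isKeyEntry(keyAlias)) {
                KeyStore.PrivateKeyEntry existing =
                        (KeyStore.PrivateKeyEntry) keyStore.getEntry(keyAlias, null);
                // Public key of the placeholder certificate == public half of our key pair.
                byte[] ourPublicKey = existing.getCertificate().getPublicKey().getEncoded();

                // The leaf is the certificate whose public key is the one we hold the
                // private key for. Checking this rejects a certificate issued for some
                // other key (or a swapped/mismatched response) and tolerates a CA that
                // returns the chain root-first. Encoded (SubjectPublicKeyInfo) bytes are
                // compared because key objects from different providers may not be equal().
                int leaf = -1;
                for (int i = 0; i < received.length; i++) {
                    if (java.util.Arrays.equals(received[i].getPublicKey().getEncoded(), ourPublicKey)) {
                        leaf = i;
                        break;
                    }
                }
                if (leaf < 0) {
                    throw new KeyStoreException("certificate for " + keyAlias + " does not match the stored key pair");
                }
                X509Certificate leafCert = (X509Certificate) received[leaf];
                Log.d(TAG, keyAlias + " sign certificate: subject=" + leafCert.getSubjectX500Principal()
                        + " issuer=" + leafCert.getIssuerX500Principal());

                // Chain for setKeyEntry(): leaf first, then the remaining certificates
                // in the order the CA returned them.
                Certificate[] chain = new Certificate[received.length];
                chain[0] = received[leaf];
                int next = 1;
                for (int i = 0; i < received.length; i++) {
                    if (i != leaf) {
                        chain[next++] = received[i];
                    }
                }

                // setKeyEntry(alias, key, password, chain): the original call omitted the
                // alias. AndroidKeyStore entries cannot be password protected, so pass null.
                keyStore.setKeyEntry(keyAlias, existing.getPrivateKey(), null, chain);
            } else {
                // No private key under this alias, so the certificate can only be stored
                // as a trusted-certificate entry; it is not bound to any key pair here.
                Log.w(TAG, keyAlias + " has no private key entry; storing certificate as a trusted entry only");
                keyStore.setCertificateEntry(keyAlias, received[0]);
            }
        } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            // Keep the cause; printStackTrace() loses it in production logs.
            Log.e(TAG, "Failed to install CA-issued certificate for " + keyAlias, e);
        }
    }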

