Creating self-signed certificates for use on Android

24 NOVEMBER 2011 // MARCUS KRANTZ

A while ago I started to implement TLS/SSL mutual authentication on Android. How to actually implement the functionality on the Android platform is covered in my other article, Android - TLS/SSL Mutual Authentication. Before such an implementation can be done, it is important to have the keys and certificates prepared. In this article I demonstrate how you can create these. However, this article is not only applicable to Android and should be usable in other scenarios as well.

For this article to be useful, the required tools are: openssl, Java's keytool and the BouncyCastle provider. There are also some resources that I strongly recommend and that have been very useful:

One might ask why I don't use keytool to generate the keys and certificates and use them right away. Well, I was very curious about learning more about openssl and how to deal with various formats of keys and certificates.

1. CREATE PRIVATE KEYS

Let’s start from scratch. First of all we need private keys. We use openssl to create these:

$ openssl genrsa -des3 -out client_key.pem 2048
$ openssl genrsa -des3 -out server_key.pem 2048

This creates the two private keys, client_key.pem and server_key.pem; the -des3 option encrypts each key with a passphrase that you are prompted for. We will use these keys in the next step to sign our certificates with. Normally we would create a certificate signing request (CSR) that is sent to a CA, who then issues the certificate. But since we want to self-sign our certificates, this step is redundant.

2. CREATE SELF-SIGNED CERTIFICATES

$ openssl req -new -x509 -key client_key.pem -out client.pem -days 365
$ openssl req -new -x509 -key server_key.pem -out server.pem -days 365

Instead of being prompted for the certificate's subject you can pass it with the -subj parameter to the openssl req command. What we just did was use our private keys to sign the outgoing X.509 certificates: the -x509 option makes openssl req output a self-signed certificate directly instead of a certificate signing request. The certificates are PEM-encoded and valid for 365 days.

3. CREATE TRUST STORES

In order to use our keys and certificates in Java applications we need to import them into keystores. First of all, we want the client to trust the server certificate. To do this we must create a client trust store and import the server’s certificate.

$ keytool -importcert -trustcacerts -keystore clienttruststore.bks -storetype bks -storepass <truststore_password> -file server.pem -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath <path_to_bcprov_jar>

Note: On the client side, which in our case will be an Android app, we use Bouncy Castle as our provider since it is supported on the Android platform (the BKS store type comes from that provider).

Create a trust store for the server and import the client’s certificate into it.

$ keytool -importcert -trustcacerts -keystore servertruststore.jks -storetype jks -storepass <server_truststore_password> -file client.pem

Currently, we have two trust stores: one for the server, into which we imported the client's certificate, and one for the client, into which we imported the server's certificate.

4. COMBINE KEYS AND CERTIFICATES

A problem with Java's keytool is that it won't let us do such a simple thing as importing an existing private key into a keystore. The workaround is to combine the private key with its certificate into a PKCS#12 file (a format keytool does understand) and then import this PKCS#12 keystore into a regular keystore.

Combine the certificate and the private key for the server and client respectively:

$ openssl pkcs12 -export -inkey client_key.pem -in client.pem -out client.p12
$ openssl pkcs12 -export -inkey server_key.pem -in server.pem -out server.p12

5. CONVERT FROM PKCS12

Import the PKCS#12 keystores into new keystores in the formats we need (BKS for the Android client, JKS for the server):

$ keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath <path_to_bcprov_jar>
$ keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks

We should now have all files we need for a successful TLS/SSL mutual authentication. The files we move to our Android project will be: clienttruststore.bks and client.bks. The files we move to our server will be: servertruststore.jks and server.jks.
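The openssl part of the procedure above (steps 1, 2 and 4) as one non-interactive script, followed by the consistency checks worth running before the PKCS#12 bundles are handed to keytool. This is an added example, not code from the original article; the passphrases, subjects and file names are constructed for it, and the keytool steps (3 and 5) are not covered because they need a Java runtime and the BouncyCastle jar.

```shell
#!/bin/sh
# Constructed passphrases, subjects and file names; see the lead-in.
set -eu

KEY_PASS="${KEY_PASS:-changeit}"   # passphrase protecting the -des3 encrypted keys
P12_PASS="${P12_PASS:-changeit}"   # password protecting the PKCS#12 bundles

# make_identity NAME SUBJECT: private key -> self-signed certificate -> PKCS#12
make_identity() {
    name=$1; subject=$2
    openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "${name}_key.pem" 2048
    # -x509 makes req emit a self-signed certificate instead of a CSR;
    # -subj replaces the interactive subject prompts.
    openssl req -new -x509 -key "${name}_key.pem" -passin "pass:$KEY_PASS" \
        -subj "$subject" -days 365 -out "${name}.pem"
    openssl pkcs12 -export -inkey "${name}_key.pem" -passin "pass:$KEY_PASS" \
        -in "${name}.pem" -passout "pass:$P12_PASS" -out "${name}.p12"
}

# key_matches_cert KEY CERT: the certificate must carry the public half of
# the private key it is bundled with, otherwise the TLS handshake fails later.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:$KEY_PASS" -pubout)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# is_self_signed CERT: the certificate verifies with itself as the only
# trust anchor, which is exactly how the peer's trust store will use it.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# p12_contains_key P12: keytool -importkeystore only helps if the bundle
# really carries the private key and not just the certificate.
p12_contains_key() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

main() {
    make_identity client "/C=SE/O=Example/CN=client"
    make_identity server "/C=SE/O=Example/CN=server"
    for n in client server; do
        key_matches_cert "${n}_key.pem" "${n}.pem"
        is_self_signed "${n}.pem"
        p12_contains_key "${n}.p12"
        echo "$n: ${n}_key.pem, ${n}.pem and ${n}.p12 are consistent"
    done
}
main "$@"
```

The same checks apply to any key/certificate pair you import this way, regardless of whether the target store is BKS or JKS.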
