
Creating self-signed certificates for use on Android


太陽火神的美麗人生 (http://blog.csdn.net/opengl_es)

This article is released under the Creative Commons "Attribution-NonCommercial-ShareAlike" licence.

Please keep this line when reposting: 太陽火神的美麗人生 - this blog focuses on agile development and research on mobile and IoT devices: iOS, Android, Html5, Arduino, pcDuino; otherwise, articles from this blog may not be reposted or re-reposted. Thank you for your cooperation.


// MARCUS KRANTZ

A while ago I started to implement TLS/SSL mutual authentication on Android. How to actually implement the functionality on the Android platform is covered in my other article, Android - TLS/SSL Mutual Authentication. Before such an implementation can be done, it is important to have the keys and certificates prepared. In this article I demonstrate how you can create these. However, this article is not only applicable to Android and should be usable in other scenarios as well.

For this article to be useful, the required tools are: openssl, Java's keytool and the BouncyCastle provider. There are also some resources that I strongly recommend and have found very useful:

  • SSL Certificates Howto
  • OpenSSL Keys Howto
  • OpenSSL Certificates Howto
  • Java Keytool

    One might ask why I don't simply use keytool to generate the keys and certificates and use them right away. Well, I was curious to learn more about openssl and how to deal with the various formats of keys and certificates.

    1. Create private keys

    Let's start from scratch. First of all we need private keys. We use openssl to create these:

    $ openssl genrsa -des3 -out client_key.pem 2048
    $ openssl genrsa -des3 -out server_key.pem 2048
    

    This will create two passphrase-protected RSA keys, client_key.pem and server_key.pem (the -des3 option makes openssl prompt for a passphrase). We will use these in the next step to sign our certificates. Normally we would create a certificate signing request (CSR) and send it to a CA, who would then issue the certificate. But since we want to self-sign our certificates, this step is redundant.

    2. Create self-signed certificates

    $ openssl req -new -x509 -key client_key.pem -out client.pem -days 365
    $ openssl req -new -x509 -key server_key.pem -out server.pem -days 365
    

    Additionally, instead of being prompted for the certificate's subject line, you can pass the -subj parameter to the openssl req command. What we just did was, in effect, create a certificate request and sign it with our own private key; the -x509 flag makes openssl req emit the self-signed X.509 certificate directly instead of a CSR. The certificates are PEM-encoded and valid for 365 days.

    3. Create trust stores

    In order to use our keys and certificates in Java applications we need to import them into keystores. First of all, we want the client to trust the server certificate. To do this we must create a client trust store and import the server's certificate into it.

    $ keytool -importcert -trustcacerts -keystore clienttruststore.bks -storetype bks -storepass  -file server.pem -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath 

    Note:

    On the client side, which in our case is an Android app, we use Bouncy Castle as our provider, since it is supported on the Android platform.

    Create a trust store for the server and import the client's certificate into it:

    $ keytool -importcert -trustcacerts -keystore servertruststore.jks -storetype jks -storepass  -file client.pem
    

    We now have two trust stores: one for the server, into which we imported the client's certificate, and one for the client, into which we imported the server's certificate.

    4. Combine keys and certificates

    A problem with Java's keytool is that it won't let us do something as simple as importing an existing private key into a keystore. The workaround is to combine the private key with the certificate into a PKCS#12 file (a format keytool understands) and then import this PKCS#12 keystore into a regular keystore. (Translator's note: "convert into" may be a better rendering than "import", since what ends up in the regular keystore is the key and certificate themselves, not the PKCS#12 keystore as a nested object.)

    Combine the certificate and the private key for the server and the client respectively:

    $ openssl pkcs12 -export -inkey client_key.pem -in client.pem -out client.p12
    $ openssl pkcs12 -export -inkey server_key.pem -in server.pem -out server.p12
    

    5. Convert from PKCS12 to a supported keystore type

    Import the PKCS#12 keystores we just created into new keystores in the formats each side uses:

    $ keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath 
    $ keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks
    

    We should now have all the files we need for a successful TLS/SSL mutual authentication. The files we move to our Android project are clienttruststore.bks and client.bks. The files we move to our server are servertruststore.jks and server.jks.
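The openssl half of steps 1, 2 and 4 above, written as an added example (not code from the original post) that runs without prompts and then checks that each certificate really belongs to the private key it was signed with. The passphrases and subject names are constructed placeholders; the keytool/BouncyCastle steps are left out because they need a JDK and the provider jar.

```shell
#!/bin/sh
# Added example: non-interactive version of the openssl steps, plus a
# consistency check. Passphrases and subjects are constructed values.
set -eu

# make_pair NAME PASS DIR
# Produces DIR/NAME_key.pem (passphrase-protected RSA key),
# DIR/NAME.pem (self-signed certificate) and DIR/NAME.p12 (key + cert
# bundle, the form keytool can import via -importkeystore).
make_pair() {
    name=$1; pass=$2; dir=$3
    # -aes256 plays the role of -des3 in the article; -passout avoids the prompt
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/${name}_key.pem" 2048 2>/dev/null
    # -subj replaces the interactive subject prompt; -x509 emits the
    # self-signed certificate directly instead of a CSR
    openssl req -new -x509 -key "$dir/${name}_key.pem" -passin "pass:$pass" \
        -subj "/CN=$name.example.test/O=Example" -days 365 -out "$dir/$name.pem"
    # step 4: combine key and certificate into a PKCS#12 file
    openssl pkcs12 -export -inkey "$dir/${name}_key.pem" -passin "pass:$pass" \
        -in "$dir/$name.pem" -out "$dir/$name.p12" -passout "pass:$pass"
}

# check_pair NAME PASS DIR
# Succeeds only if the certificate's public key is the one derived from the
# private key, and the certificate verifies against itself as a trust anchor.
check_pair() {
    name=$1; pass=$2; dir=$3
    key_pub=$(openssl rsa -in "$dir/${name}_key.pem" -passin "pass:$pass" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/$name.pem" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ] || return 1
    openssl verify -CAfile "$dir/$name.pem" "$dir/$name.pem" >/dev/null 2>&1
}

# cert_subject NAME DIR: print the subject so a mix-up between the two
# certificates is easy to spot before they go into the trust stores.
cert_subject() {
    openssl x509 -in "$2/$1.pem" -noout -subject
}

# Usage: make_pair client <pass> ./out && check_pair client <pass> ./out
```

A certificate that fails check_pair against its own key, or that verifies against the other side's certificate, is the wrong file to put into the trust store.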
