What is the best way to generate Certificate Signing Request using AndroidKeyStoreProvider?

Question

I read this article.

It says how to generate a KeyPair, however it doesn\'t specify how to generate a Certificate Signing Request based on the generated

Answer 1

Regarding generating a CSR (certificate sign request) on the android phone, I think it is rather straightforward to use Spongycastle instead. It is an android port of Bouncycastle.

Suppose I finally get certificate signed by a Certificate Authority. What exactly should I do to "replace the certificate at a later time"?

Once you have the actual signed certificate which you are supposed to get from the CA (Certificate Authority), you no longer need your CSR; you should just store the signed certificate on the phone. Where to save them - I guess you can get help here.

Answer 2

The best way to create a CSR on Android is to use SpongyCastle, which is an implementation of BouncyCastle for Android. SpongyCastle already does a lot of the heavy-lifting for you so it will make your life much easier.

---

My implementation is heavily based on the answer found here, but uses the Android KeyStore for security and SpongyCastle's JcaContentSignerBuilder() instead of the custom ContentSigner.

Add SpongyCastle to your build.gradle file:

compile 'com.madgag.spongycastle:core:1.51.0.0'
compile 'com.madgag.spongycastle:pkix:1.51.0.0'

Create the KeyPair in the Android KeyStore:

KeyPairGenerator keyGen = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); // store the key in the Android KeyStore for security purposes
keyGen.initialize(new KeyGenParameterSpec.Builder(
                  "key1",
                  KeyProperties.PURPOSE_SIGN)
                  .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                  .setDigests(KeyProperties.DIGEST_SHA256,
                                KeyProperties.DIGEST_SHA384,
                                KeyProperties.DIGEST_SHA512)
                  .build()); // defaults to RSA 2048
KeyPair keyPair = keyGen.generateKeyPair();

Create the CSR using said KeyPair:

private final static String CN_PATTERN = "CN=%s, O=Aralink, OU=OrgUnit";

//Create the certificate signing request (CSR) from private and public keys
public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String cn) throws IOException, OperatorCreationException {
        String principal = String.format(CN_PATTERN, cn);

        ContentSigner signer = new JcaContentSignerBuilder(DEFAULT_RSA_SIGNATURE_ALGORITHM).build(keyPair.getPrivate());

        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(principal), keyPair.getPublic());
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(
                true));
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                extensionsGenerator.generate());
        PKCS10CertificationRequest csr = csrBuilder.build(signer);

        return csr;
    }
}

And that's it, now you have a PKCS10CertificationRequest that you can send to your server.