Android not trusting self-signed CA

Submitted by 。_饼干妹妹 on 2019-12-11 16:58:39

Question


I can't get Android to trust my self-signed cert/CA. I tried the following in this video:

  1. Generate CA and cert for m.m with the script as shown (and below).
  2. Reload nginx with the new cert file (may not be necessary)
  3. Copy the CA to my local device
  4. Install the CA
  5. Confirm it is installed and 'trusted' under user certificates
  6. Try to go to m.m
  7. Cert is not trusted

I have read several guides that say I should be able to generate a CA, install/trust the CA on the device, then anything the CA signs should be trusted. I can get that to work on my Mac OS machines, but not Android or iOS (I have not tried Windows or Linux).

gen.sh:

#!/bin/bash
domain="m"
name="$1"

if [ ! -e "$domain".key ]; then
        openssl genrsa -des3 -out "$domain".key 10240
fi;
if [ ! -e "$domain".pem ]; then
        openssl req -x509 -new -nodes -key "$domain".key -sha256 -days 1825 -out "$domain".pem -subj "/C=US/ST=Tennessee/L=Chattanooga/O=CA Test/CN=Management/emailAddress=test@example.com"

fi;

mkdir "$name"
openssl genrsa -out "$name/$name".key 8192
openssl req -new -key "$name/$name".key -out "$name/$name".csr -subj "/C=US/ST=Tennessee/L=Chattanooga/O=CA Test/CN=Management/emailAddress=test@example.com"

echo "authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
" >"$name/$name".ext

i=1
for n in "$@"; do
  echo "DNS.$i = $n" | tee -a "$name/$name".ext
  i=$((i+1))
done

openssl x509 -req -in "$name/$name".csr -CA "$domain".pem -CAkey "$domain".key -CAcreateserial -out "$name/$name".crt -days 1825 -sha256 -extfile "$name/$name".ext
cp "$name/$name".{crt,key} /srv/docker/nginx/certs/

Answer 1:


TrustManager

You can trust a domain without using its certification. Just use TrustManager. If you use it properly, Google Play Store won't have any problems with your app.

SimpleTrust is an easy way to trust specific domains with self-signed or not proper certifications.

Get it from JitPack and implement it into your dependencies.

1. Add JitPack to your root build.gradle

allprojects {
    repositories {
        ...
        maven { url 'https://jitpack.io' }
    }
}

2. Add the dependency

dependencies {
        implementation 'com.github.m-devs:SimpleTrust:1.0.0'
}

3. Load it in the class where you want to use it.

SimpleTrust simpleTrust = new SimpleTrust();
simpleTrust.addTrusted("your-trusted-domain.com");
simpleTrust.load();

4. Reset your settings after you used it.

...
simpleTrust.reset();

For alternative usages and more detailed guideline check out this Guide file on GitHub.
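
The chain that gen.sh in the question writes can be linted for the properties certificate path validation depends on: a CA certificate marked CA:TRUE, a leaf whose subject differs from its issuer (gen.sh passes the same -subj to the CA and to the CSR), and a subjectAltName entry for the host. This is an added example, not code from the original post or the answer; `make_chain`, `check_chain` and the throwaway file names are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Function names, subjects and
# file names are constructed for illustration.

# make_chain DIR CA_SUBJ LEAF_SUBJ HOST: build a throwaway CA and a leaf for HOST.
make_chain() {
  local d="$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    '[v3_leaf]' 'basicConstraints=CA:FALSE' "subjectAltName=DNS:$4" >"$d/x.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$d/x.cnf" -extensions v3_ca -subj "$2" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "$3" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$d/x.cnf" -extensions v3_leaf \
    -out "$d/leaf.crt" 2>/dev/null
}

# check_chain CA LEAF HOST: print each finding; return 0 only if there are none.
check_chain() {
  local ca="$1" leaf="$2" host="$3" bad=0 subj iss
  # The issuing certificate must be marked as a CA.
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
    { echo "CA cert lacks basicConstraints CA:TRUE"; bad=1; }
  # A leaf whose subject equals its issuer is indistinguishable by name from the CA.
  subj=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" != "${iss#issuer=}" ] ||
    { echo "leaf subject equals its issuer, so it looks self-issued"; bad=1; }
  # The host name has to appear as a subjectAltName DNS entry.
  openssl x509 -in "$leaf" -noout -text | tr ',' '\n' | tr -d ' ' |
    grep -Fxq "DNS:$host" ||
    { echo "leaf has no subjectAltName DNS entry for $host"; bad=1; }
  # The leaf signature must verify against the CA.
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
    { echo "openssl verify cannot build leaf -> CA"; bad=1; }
  return "$bad"
}

# Stand-alone use: ./lint-chain.sh CA.pem LEAF.crt HOSTNAME
if [ "$#" -eq 3 ]; then check_chain "$@"; fi
```

For the files gen.sh writes when run as `gen.sh m.m`, the call is `check_chain m.pem m.m/m.m.crt m.m`.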



Source: https://stackoverflow.com/questions/48246900/android-not-trusting-self-signed-ca
