Self built CA center to issue certificates for different applications of the company
2022-04-22 20:13:00 【bglmmz】
Environment: Windows 7, JDK 1.7
First, create two directories: one holds the CA root certificate and keystore, the other holds the application certificates that the CA issues.
D:\CA
D:\CA\appserver
Go into the D:\CA directory.
1. Generate the CA root keystore
keytool -genkey -alias CA -keypass CA123 -keyalg RSA -validity 36500 -keystore .\CA.keystore -storepass CASTORE123 -dname "CN=My CA, C=CN"
Note: fill in the dname and the other fields according to your own needs.
2. Export the CA root certificate (this is effectively the self-signing step; in keytool versions that are not too old the -selfcert command has been deprecated)
keytool -exportcert -alias CA -file CA.cer -keystore CA.keystore -storepass CASTORE123
Go into the D:\CA\appserver directory.
3. Generate the appserver keystore
keytool -genkey -alias appserver -keypass APPSERVER123 -keyalg RSA -validity 3650 -keystore .\appserver.keystore -storepass APPSERVERSTORE123 -dname "CN=app.myname.com, OU=My company name, O=My company name, C=CN"
4. Generate the certificate signing request for the CA to sign
keytool -certreq -alias appserver -keystore .\appserver.keystore -storepass APPSERVERSTORE123 -file appserver.certreq
5. Sign the appserver certificate with the CA root certificate
keytool -gencert -infile appserver.certreq -outfile appserver.cer -validity 3650 -alias CA -keypass CA123 -keystore ..\CA.keystore -storepass CASTORE123
6. Import the CA root certificate into the appserver keystore
keytool -importcert -alias CA -file ../CA.cer -keystore appserver.keystore -storepass APPSERVERSTORE123
Prompt: Trust this certificate? [no]:
Type: y
Prompt: Certificate was added to keystore
7. Import the CA-issued certificate into the appserver keystore (this actually replaces the self-signed certificate stored under the appserver alias; before importing the issued certificate, be sure to import the corresponding CA certificate into the appserver keystore first, otherwise keytool cannot establish the chain from the reply)
keytool -importcert -alias appserver -file appserver.cer -keystore appserver.keystore -storepass APPSERVERSTORE123
Then configure the resulting appserver.keystore in Tomcat. When you open the Tomcat application in a browser you can see that the certificate issuer is My CA and the subject is app.myname.com; the two certificates also form a certificate chain (visible under the certificate path), which looks far more decent.
In Android client development a BKS keystore is required (the keystores above are JKS), so how do you access the Tomcat service deployed above from Android?
Assuming the steps above have been run and the application certificate appserver.cer has been obtained, proceed as follows.
1. Download the required bcprov-jdk15on-146.jar and place it in the D:\CA\appserver directory. Download address: http://www.bouncycastle.org/download/bcprov-jdk15on-146.jar (pay attention to the version number).
2. Go into the D:\CA\appserver directory and run the following command:
keytool -import -alias appserver -file .\appserver.cer -keystore .\appserver.bks -storetype BKS -storepass bks123 -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath .\bcprov-jdk15on-146.jar
This produces the BKS keystore; hand it to the Android developers.
Android development environment:
android studio 1.5
Android API 23
OkHttp 3.0.1
Take the resulting appserver.bks and put it under src/assets. It can of course go in a path other than the one below, as long as it is easy to read from.
The sample code is as follows:
[quote]
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import android.util.Log;

import okhttp3.Call;
import okhttp3.Callback;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

// These are methods of an Activity (getAssets() comes from the Context).
// JSON media type for the request body; not shown in the original code, assumed here.
private static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");

private void byOkHttps(String url, String json) throws Exception {
    // Read the BKS keystore that holds the CA-issued appserver certificate
    KeyStore keyStore = readKeyStore();
    // Initialize the SSLContext. The trust manager trusts only the certificate(s) in
    // appserver.bks, so the system CA store is not consulted for this client.
    SSLContext sslContext = SSLContext.getInstance("TLS");
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);
    // appserver.bks contains no private key, so this yields no client certificate; kept as in the original
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, "bks123".toCharArray());
    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
    // Initialize the OkHttpClient with the custom socket factory
    OkHttpClient client = new OkHttpClient.Builder()
            .sslSocketFactory(sslContext.getSocketFactory())
            .build();
    // JSON request body
    RequestBody body = RequestBody.create(JSON, json);
    Request request = new Request.Builder()
            .url(url)
            .post(body)
            .headers(getHeaders()) // getHeaders() returns the request Headers; not shown in the original
            .build();
    client.newCall(request).enqueue(new Callback() {
        @Override
        public void onFailure(Call call, IOException e) {
            e.printStackTrace();
        }

        @Override
        public void onResponse(Call call, Response response) throws IOException {
            // Not on the UI thread
            if (response.isSuccessful()) {
                Log.d("RESPONSE:", response.body().string());
            } else {
                throw new IOException("Unexpected code " + response);
            }
        }
    });
}

private KeyStore readKeyStore() throws Exception {
    // "BKS" is served by the Bouncy Castle provider built into the Android platform
    KeyStore ks = KeyStore.getInstance("BKS");
    char[] password = "bks123".toCharArray();
    InputStream is = null;
    try {
        is = getAssets().open("appserver.bks");
        ks.load(is, password);
    } finally {
        if (is != null) {
            is.close();
        }
    }
    return ks;
}
[/quote]
Postscript:
1. I got an error when generating the BKS keystore: at first I had downloaded bcprov-jdk15on-154.jar. It can also be used, but it needs some changes on the Android development side:
   1. Add bcprov-jdk15on-154.jar to the Android project
   2. Change the readKeyStore code above to:
[quote]
import java.io.InputStream;
import java.security.KeyStore;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

private KeyStore readKeyStore() throws Exception {
    // Use the bundled Bouncy Castle provider explicitly instead of the platform's built-in BKS implementation
    KeyStore ks = KeyStore.getInstance("BKS", new BouncyCastleProvider());
    char[] password = "bks123".toCharArray();
    InputStream is = null;
    try {
        is = getAssets().open("appserver.bks");
        ks.load(is, password);
    } finally {
        if (is != null) {
            is.close();
        }
    }
    return ks;
}
[/quote]
2. When accessing an application server deployed with an HTTPS certificate, you sometimes access it by IP, for example an intranet test server: I don't usually use a domain name there but the IP directly. An error along the lines of "hostname wrong" then appears. This is actually caused by a problem with our certificate, and the fix belongs in the earlier steps that generate and issue the certificate:
   3. Generate the appserver keystore: add -ext san=ip:192.168.1.123 to the keytool -genkey command
   5. Sign the appserver certificate with the CA root certificate: add -ext san=ip:192.168.1.123 to the keytool -gencert command
Don't use the so-called "trust all hosts" method that circulates on the internet; it is not safe.
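An added check, not part of the original post: a small Java program (standard JDK only, no Bouncy Castle) that loads CA.cer and appserver.cer from the directories used above, confirms the issued certificate chains to the self-built CA the way the browser's certificate path and the Android trust manager do, and confirms the SAN carries the IP from the postscript. The file paths and the IP 192.168.1.123 are the post's; the class and method names are assumptions of mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added example: verify the chain and the SAN of the certificate issued by the self-built CA.
public class CertChainCheck {
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // True when appCert was issued by caCert and the path validates under PKIX rules
    // (signature, validity period, issuer/subject linkage), with caCert as the trust anchor.
    static boolean chainsTo(X509Certificate appCert, X509Certificate caCert) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(appCert));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(caCert, null)));
        params.setRevocationEnabled(false); // the self-built CA publishes no CRL or OCSP responder
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("chain does not validate: " + e.getMessage());
            return false;
        }
    }

    // True when the SAN extension lists the given IP. Clients match an IP literal only against
    // SAN iPAddress entries, never against the CN, which is why "-ext san=ip:..." is needed.
    static boolean sanHasIp(X509Certificate cert, String ip) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // no SAN at all: access by IP will fail hostname verification
        for (List<?> san : sans) {
            // GeneralName tag 7 = iPAddress (returned as a dotted string), 2 = dNSName
            if (Integer.valueOf(7).equals(san.get(0)) && ip.equals(san.get(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = load("D:\\CA\\CA.cer");
        X509Certificate app = load("D:\\CA\\appserver\\appserver.cer");
        System.out.println("issuer=" + app.getIssuerX500Principal() + " subject=" + app.getSubjectX500Principal());
        System.out.println("chains to CA: " + chainsTo(app, ca));
        System.out.println("SAN has 192.168.1.123: " + sanHasIp(app, "192.168.1.123"));
    }
}
```

Run it after step 7; if sanHasIp prints false, the certificate was issued without the -ext san option and the "hostname wrong" error for IP access is expected.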
Copyright notice
This article was created by [bglmmz]; please include the link to the original when reposting. Thanks.
https://yzsam.com/2022/04/202204221916328213.html