https自制证书详解及okhttp3访问自制证书连接

更新时间：2024-06-15 03:38:01 阅读量：综合文库文档下载

说明：文章内容仅供预览，部分内容可能不全。下载后的文档，内容与下面显示的完全一致。下载之前请确认下面内容是否您想要的，是否完整无缺。

黄健翔:踢得确实好吹得真是烂推荐度：
相关推荐

Https可行性分析

方正国际软件有限公司 2017年06月22日

服务器端调整 .......................................................................................................................... 2 1.1 生成CA证书 .................................................................................................................... 2

1.1.1 创建私钥 .................................................................................................................. 2 1.1.2 创建证书请求 .......................................................................................................... 2 1.1.3 自签署证书 .............................................................................................................. 2 1.1.4 证书导出成浏览器支持的.p12格式 ...................................................................... 3 1.2 生成server证书 .............................................................................................................. 3

1.2.1 创建私钥 .................................................................................................................. 3 1.2.2 创建证书请求 .......................................................................................................... 3 1.2.3 自签署证书 .............................................................................................................. 3 1.2.4 将证书导成支持的.p12格式 .................................................................................. 4 1.3 生成client证书................................................................................................................ 4

1.3.1 创建私钥 .................................................................................................................. 4 1.3.2 创建证书请求 .......................................................................................................... 4 1.3.3 自签署证书 .............................................................................................................. 5 1.3.4 将证书导成浏览器支持的.p12格式 ...................................................................... 5 1.4 根据CA证书生成JKS文件 ............................................................................................. 5 1.5 配置tomcat ssl ................................................................................................................. 5 1.6 验证ssl配置 .................................................................................................................... 5 2

Okhttp端调整 .......................................................................................................................... 6 2.1 第三方签发证书 .............................................................................................................. 6 2.2 自制证书 .......................................................................................................................... 6

2.2.1 访问 .......................................................................................................................... 7

插图和附表清单

图 1 .......................................................................................................................................... 6

修改记录

序号日期作者修改记录评审 1 2017-06-20 张长东创建 1

1.1

服务器端调整

生成CA证书

目前不使用第三方权威机构的CA来认证，自己充当CA的角色。需要工具：openssl（先安装openssl）

1.1.1 创建私钥

C:\\OpenSSL\\bin>openssl genrsa -out ca/ca-key.pem 1024 注：现在bin下创建ca文件夹

1.1.2 创建证书请求

C:\\OpenSSL\\bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:zhejiang Locality Name (eg, city) []:hangzhou

Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision Organizational Unit Name (eg, section) []:test Common Name (eg, YOUR name) []:root Email Address []:sky

1.1.3 自签署证书

C:\\OpenSSL\\bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

1.1.4 证书导出成浏览器支持的.p12格式

C:\\OpenSSL\\bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

密码：changeit

1.2 生成server证书

1.2.1 创建私钥

C:\\OpenSSL\\bin>openssl genrsa -out server/server-key.pem 1024

1.2.2 创建证书请求

C:\\OpenSSL\\bin>openssl req -new -out server/server-req.csr -key server/server-key.pem -----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:zhejiang Locality Name (eg, city) []:hangzhou

Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision Organizational Unit Name (eg, section) []:test

Common Name (eg, YOUR name) []:192.168.1.246 注释：一定要写服务器所在的ip地址 Email Address []:sky

1.2.3 自签署证书

C:\\OpenSSL\\bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

1.2.4 将证书导成支持的.p12格式

C:\\OpenSSL\\bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12 密码：changeit

1.3 生成client证书

1.3.1 创建私钥

C:\\OpenSSL\\bin>openssl genrsa -out client/client-key.pem 1024

1.3.2 创建证书请求

C:\\OpenSSL\\bin>openssl req -new -out client/client-req.csr -key client/client-key.pem -----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:zhejiang Locality Name (eg, city) []:hangzhou

Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision Organizational Unit Name (eg, section) []:test Common Name (eg, YOUR name) []:sky

Email Address []:sky 注释：就是登入中心的用户（本来用户名应该是Common Name，但是中山公安的不知道为什么使用的Email Address，其他版本没有测试） Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:tsing

1.3.3 自签署证书

C:\\OpenSSL\\bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

1.3.4 将证书导成浏览器支持的.p12格式

C:\\OpenSSL\\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 密码：changeit

1.4 根据CA证书生成JKS文件

C:\\Java\\jdk1.5.0_09\\bin > keytool -keystore C:\\openssl\\bin\\jks\\truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:\\openssl\\bin\\ca\\ca-cert.pem

1.5 配置tomcat ssl

修改conf/server.xml ,keystorefile, truststorefile设置为正确的相关路径 xml 代码 :

clientAuth=\sslProtocol=\keystoreFile=\keystorePass=\

keystoreType=\

truststoreFile=\

truststorePass=\

1.6 验证ssl配置

启动tomcat，在浏览器中访问https://ip:8443，如果配置正确的话在第三方签发的证书地址

栏会变绿，自制的证书会拦截（打死都要进去），会提示你不安全字样。

图1

2.1

Okhttp端调整

第三方签发证书

第三方签发证书直接使用https://...访问即可。 newRequest.Builder().url(url).build();

2.2 自制证书

将okhttp设置成信任所有证书 java代码：

OkHttpClient.Builder builder = new OkHttpClient.Builder(); builder.hostnameVerifier(new TrustAllHostnameVerifier())

.sslSocketFactory(createSSLSocketFactory(),new TrustAllManager()); //安全套接层工厂，HTTPS相关，用于创建SSLSocket private static SSLSocketFactorycreateSSLSocketFactory() { SSLSocketFactorysSLSocketFactory = null; try {

SSLContextsc = SSLContext.getInstance(\sc.init(null, new TrustManager[]{new TrustAllManager()}, newSecureRandom());

sSLSocketFactory = sc.getSocketFactory(); } catch (Exception e) { }

returnsSLSocketFactory; }

private static class TrustAllManager implements X509TrustManager { @Override

public void checkClientTrusted(X509Certificate[] chain, String authType) throwsCertificateException { }

@Override

public void checkServerTrusted(X509Certificate[] chain, String authType) throwsCertificateException { }

@Override

public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }

private static class TrustAllHostnameVerifier implements HostnameVerifier {

@Override

publicboolean verify(String paramString, SSLSessionparamSSLSession) { }