
I need to build a keystore containing all the SSL certificates required for my Android application to connect to a web server over https.

This is my certificate chain (obtained with openssl s_client -connect www.myhost.com:443):

 0 s:/C=US/ST=State/L=Location/O=Organization/OU=Webserver Team/CN=www.myhost.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SGC CA - G2
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SGC CA - G2
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 3 s:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 4 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

My problem is that I am not 100% sure how to create the keystore to import into my Android app. I was only able to download VeriSign Class 3 Public Primary Certification Authority - G5 and Thawte Primary Root CA from the Thawte and Verisign websites. I cannot find the other two, which, if I remember correctly, should be Thawte SGC CA - G2 and thawte Extended Validation SSL CA.

If I had all of them, I would go ahead and create a keystore using the process explained in this answer to a question similar to mine.

Am I misunderstanding something? Do I really need all 4 certificates? I am also not sure about the order (and aliases) I should use when adding these certificates to the keystore. Does it matter?


2 Answers


If your server certificate is signed by VeriSign, you do not need to install it; it is most likely already trusted by Android. Are you getting an error? On what version?

Generally, you only need to install the root (CA) certificate in the device's trust store. All intermediate certificates should be sent by the server, if it is configured properly.

answered 2012-06-15T03:16:08.727

In the end, my problem was that the server was not sending the certificates in the correct order (you can see it in the openssl output I posted in my question). The solution was to subclass X509TrustManager and, in the checkServerTrusted method, reorder the certificate chain before passing it to the super implementation. The reordering code is as follows:

    // certificates is the X509Certificate[] chain handed to checkServerTrusted;
    // element 0 is assumed to be the server (leaf) certificate
    int currIndex;
    for (currIndex = 0; currIndex < certificates.length; ++currIndex) {
        boolean foundNext = false;
        for (int nextIndex = currIndex + 1; nextIndex < certificates.length; ++nextIndex) {
            if (certificates[currIndex].getIssuerDN().equals(certificates[nextIndex].getSubjectDN())) {
                foundNext = true;
                // Exchange certificates so that 0 through currIndex + 1 are in proper order
                if (nextIndex != currIndex + 1) {
                    X509Certificate tempCertificate = certificates[nextIndex];
                    certificates[nextIndex] = certificates[currIndex + 1];
                    certificates[currIndex + 1] = tempCertificate;
                }
                break;
            }
        }
        // No issuer of certificates[currIndex] found further on: the chain ends here
        // (the root is usually not sent by the server, so this is the normal exit)
        if (!foundNext) break;
    }
answered 2012-06-18T09:18:36.500
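The complete trust manager that the accepted approach needs, as an added example rather than the answer's own code: the class name and the reordering routine are mine, and the routine assumes chain[0] is the leaf, exactly as the answer's loop does. The security-relevant detail is that after reordering, the chain is still handed to the platform's default X509TrustManager, so a chain that does not end at a trusted root is still rejected.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Wraps the platform's default X509TrustManager; the only change is that the server's
 *  chain is put into leaf-first order before the platform validates it as usual. */
public final class ChainReorderingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public ChainReorderingTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform's own CA store (Android's system roots)
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = found;
    }

    /** Rebuilds the chain by following issuer -> subject links from chain[0] (assumed to be
     *  the leaf, as in the answer's code); certificates that never link are kept at the end. */
    static X509Certificate[] reorder(X509Certificate[] chain) {
        if (chain == null || chain.length < 2) return chain;
        List<X509Certificate> remaining = new ArrayList<>(Arrays.asList(chain));
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = remaining.remove(0);
        ordered.add(current);
        while (!remaining.isEmpty()) {
            X509Certificate next = null;
            for (X509Certificate c : remaining) {
                if (current.getIssuerX500Principal().equals(c.getSubjectX500Principal())) { next = c; break; }
            }
            if (next == null) break; // chain ends here; the root is normally not sent anyway
            remaining.remove(next);
            ordered.add(next);
            current = next;
        }
        ordered.addAll(remaining);
        return ordered.toArray(new X509Certificate[0]);
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(reorder(chain), authType); // path validation stays the platform's
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Install it with SSLContext.getInstance("TLS") and init(null, new TrustManager[]{ new ChainReorderingTrustManager() }, null), then use that context's socket factory for the HTTPS connection. Hostname verification is a separate step done by the HostnameVerifier, not by the trust manager, and must stay enabled.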