I was wondering if is possible to make a self signed certificate
on my server, so that my app can communicate via ssl (I am aware
of methods how to make my app trust the self signed cert, so that
the certificate would not expire in 1 year but maybe in 5 as I don't
want to manually update many apps that would use ssl.
IS there any way to make a self signed certificate that doesn't
expire within 1 year? If not, would there be any point in making
my app download the new cert if a certain date has passed?
Thanks.
You're completely free to set whatever you want for expiry time when you create/sign a certificate.
Here's how to generate a self signed SSL certificate using Ruby. I personally prefer to use a language binding when talking to OpenSSL since the CLI is a bit complicated to use :)
require "openssl"
keypair = OpenSSL::PKey::RSA.new(2048)
File.open("/tmp/key.pem", "w+") do |f|
f.write ca_keypair.to_pem(OpenSSL::Cipher.new("AES-128-CBC"), "my passphrase")
end
cert = OpenSSL::X509::Certificate.new
cert.not_before = Time.now
cert.subject = OpenSSL::X509::Name.new([
["C", "NO"],
["ST", "Oslo"],
["L", "Oslo"],
["CN", "August Lilleaas"]
])
cert.issuer = cert.subject
cert.not_after = Time.now + 1000000000 # 40 or so years
cert.public_key = keypair.public_key
File.open("/tmp/cert.pem", "w+") do |f|
f.write cert.to_pem
end
Related
I am performing Passive Authentication of passport chip using jmrtd.
I am able to verify signature using DSC(Digital Singing Certificate).
But I am not able to verify DSC using CSC (Country Signing Certificate).
Please provide some approach, thanks in advance.
Probably way too late for you, but in case anyone else runs in to this :)
To do that you basically need to create a trust store with the CSCs. Basically they are just certificate authorities and needs to be treated as such.
First step is to create a PKCS12 containing all the CSCs you want/need, this for some reason can't be done using OpenSSL, but fortunately keytool is your friend: keytool importing multiple certificates in single file
Next up is creating a trust store, e.g., by following this example: https://stackoverflow.com/a/6379434/1441857
The keystore needed for the step above is created as follows:
private KeyStore createStore(InputStream pkcs12Stream) {
final KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(pkcs12Stream, "password".toCharArray());
return keyStore;
}
finally you can simply validate by using your trustmanager(s) (there's actually just one, as expected), following the first answer I linked. The authType parameter seems to be "RSA_EXPORT", haven't figured why yet.
I think that should do the trick :)
I'm noob with SSL.
I have implemented SSL with cerbot/letscrypt [nginx/Ubuntu 14.04]. I had also done public key SSL pinning on the android app. Everything is in production and working fine.
But once the certificate expires i want to renew certificate with the same key to prevent any forceful app update.
Please let me know is there any way i can work around.
Thank You in advance.
I am looking for the same type of solution for Traefik, and as I mention in my question I think it's possible for Certbot, at least from reading their --help.
So if you run:
docker run --rm -it certbot/certbot --help all
You will find:
--reuse-key When renewing, use the same private key as the existing certificate. (default: False)
I have a custom SSL Root CA for the web and I want to be able to install it on android devices. If I download it it says "No certificate to install". How can I configure the certificate to work using openSSL or another tool? I have done some googling and some sites say that I should covert it to a .pfx but this involves giving the user my private key and ruining the security.
If you want to add your certificate to Android KeyChain (it is possible since ICS) you need to provide X509Certificate (.crt, .pem, etc) or PKCS12 (.pfx) file.
You have to call install intent from KeyChain class.
According to documentation: http://developer.android.com/reference/android/security/KeyChain.html#createInstallIntent()
Returns an Intent that can be used for credential installation. The
intent may be used without any extras, in which case the user will be
able to install credentials from their own source.
Alternatively, EXTRA_CERTIFICATE or EXTRA_PKCS12 maybe used to specify
the bytes of an X.509 certificate or a PKCS#12 key store for
installation. These extras may be combined with EXTRA_NAME to provide
a default alias name for credentials being installed.
When used with startActivityForResult(Intent, int), RESULT_OK will be
returned if a credential was successfully installed, otherwise
RESULT_CANCELED will be returned.
However
In my opinion what you really want to do is to include your X509Certificate along with your application so you can estabilish secure SSL connection without user knowledge which will work on all devices.
In order to do that, you will have to create put your X509Certificate in application (as PEM string, .crt file .der file or inside BouncyCastle KeyStore) and initialize SSLContext with it. After you do that you can get SSLSocketFactory which you can use with you http client.
More information about that:
https://developer.android.com/training/articles/security-ssl.html
I am developing an enterprise communications app to run on Android 4.0+. This app has a native transport layer written in c/c++ which manages the SSL connections with a SIP server. The native layer uses openSSL libraries for the SSL connection.
I need to implement validation of the server certificate when the app opens an SSL connection. This includes validating the certificate chain against available root CA certificates and hostname validation. My problem is that there is no access (that I am aware of) to Androids trust store CA certificates. By this, I mean the built-in certificates (e.g. Verisign) and user installed trusted CAs.
Therefore, I am pretty sure what I have to do is pass the certificate chain up to the java code (this is implemented and working) so that I can use the java security APIs. Essentially, what I have to start with is an array of certificates (the chain received from the server) in PEM format (could be DER, if that was better).
I understand how I can convert the chain into Certificate objects and the Certificate objects into a CertPath object. It looks like one can then use the CertPathValidator to validate the CertPath. Am I on the right track? The point at which I am hung up here is that CertPathValidator.validate(cp,params) takes a PKIXParameters object. This, in turn, seems to need either a keystore or a Set of TrustAnchors. I assume that the keystore or set of TrustAnchors represents the trusted root CAs that are to be used to validate cp (the CertPath), correct? If so, how/where do I get the input parameters for the PKIXParameters constructor?
On another tack, I just started looking into whether a TrustManager could/should be used to validate the server certificate. I think I understand how TrustManagers fit in and are used when working with an HTTPSUrlConnection, but it is not clear how I might do this when all I start with is my array of PEM certificates.
Can someone point me in the correct direction?
Thanks,
Ken
I am after a solution which would enable me to use the in-build keystore and StrictHostnameVerifier but would allow me to obtain the X590CertificateChain (either once connected or post handshake) so I can perform some additional checks (specifically I want to verify the root public key is the one I expected).
The examples I have investigated are mainly around overriding the behaviour (i.e. by replacing the socket factory or hostname checker with ones which don't do anything) and I am struggling with the differences between the android and other java implementations.
The reason I don't want to bundle a keystore (aside from having to use bouncycastle instead of jks) is that I don't want to package the intermediate CA cert with the app as this will create a certificate management problem sooner.
Many thanks in advance for any comments.
Ideally, this should be done at runtime. Bundling the certificate might be redundant as well, when some devices might already have that certificate installed.
Normally, your approach should be this.
Try connecting to the server.
If certificate is not installed, you will get a certificate exception. Catch it, extract the public certificate, save it, by creating a keystore on the fly.
While making new connections, use this keystore to initialize your SSL context.