Diy SSL CA + android

From HeepyWiki

Creating a CA

You can create a CA and use it to sign certs for other services. Once you add that CA to your phone, laptop, etc., they will not complain about self-signed certs.

Generate the root CA key

openssl genrsa -aes256 -out rootCA.key 4096

Generate the (self-signed) root CA cert (-nodes means a private key created by req is written without password encryption; omit it if this is not what you want):

openssl req -x509 -new -nodes -key rootCA.key -days 10240 -out rootCA.pem

Creating certs and keys for services

Create a signing request (the service's private key, myserver.key, must already exist):

openssl req -new -key myserver.key -out myserver.csr

Use the root CA cert and key to sign the CSR and generate the server cert:

openssl x509 -req -in myserver.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial -out myserver.crt -days 3650

Installing system-wide in rooted Android phones

Get the hash of the root CA cert and append ".0"; this is the filename the cert should be stored as.

openssl x509 -in rootCA.pem -subject_hash_old -noout

Copy rootCA.pem to this filename (e.g., 87654321.0) and put it into /system/etc/security/cacerts/87654321.0 on the Android device.
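
The CA, service cert and Android filename steps above as one script, added here as an example and not part of the original page. It also generates the server key the CSR step assumes and sets a subjectAltName at signing time, since clients such as Chrome match hostnames against the SAN rather than the CN. The names Demo Root CA and myserver.example, the unencrypted 2048-bit keys and the helper function names are assumptions for a disposable demo.

```shell
#!/bin/sh
# Added example: throwaway CA and server cert; all names are constructed.

make_demo_pki() (                      # $1 = scratch directory
  set -e
  cd "$1"
  # Inline config so the result does not depend on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root key is left unencrypted only because this is a disposable demo.
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -key rootCA.key -sha256 -days 10240 \
    -config ca.cnf -extensions v3_ca -out rootCA.pem

  # Server key and CSR (the key has to exist before the CSR can be made).
  openssl genrsa -out myserver.key 2048 2>/dev/null
  openssl req -new -key myserver.key -config ca.cnf \
    -subj "/CN=myserver.example" -out myserver.csr

  # By default x509 -req copies no extensions from the CSR, so set the SAN here.
  printf 'subjectAltName = DNS:myserver.example\nbasicConstraints = CA:FALSE\n' > san.ext
  openssl x509 -req -in myserver.csr -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -sha256 -days 3650 -extfile san.ext -out myserver.crt 2>/dev/null

  # The exit status of verify is the function's result: 0 only if the chain is valid.
  openssl verify -CAfile rootCA.pem myserver.crt >/dev/null
)

# File name expected in the Android cacerts directory: old-style subject hash + ".0".
android_cert_name() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -subject_hash_old -noout)"
}

# SAN DNS entries of a certificate, i.e. the names clients will match against.
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

work=$(mktemp -d)
make_demo_pki "$work" && echo "chain OK, install root as $(android_cert_name "$work/rootCA.pem")"
cert_san "$work/myserver.crt"
```

For a real CA, keep the passphrase-protected 4096-bit root key from the steps above instead of the demo's unencrypted one.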