Diy SSL CA + android

From HeepyWiki

Creating a CA

You can create your own CA and use it to sign certs for your other services, so that you only have to install that one CA cert on your phone, laptop, etc. and they will trust the service certs instead of complaining about self-signed certs.

Generate the root CA key (encrypted with a passphrase; the key size must be the last argument):

openssl genrsa -aes256 -out rootCA.key 4096

Generate the (self-signed) root CA cert (-nodes means a key that req generates itself is written without passphrase encryption; omit it if this is not what you want):

openssl req -x509 -new -nodes -key rootCA.key -days 10240 -out rootCA.pem

Creating certs and keys for services

Create a signing request for the service's private key (myserver.key, generated with openssl genrsa in the same way as the CA key):

openssl req -new -key myserver.key -out myserver.csr

Use the root CA key and cert to sign the CSR and produce the server cert:

openssl x509 -req -in myserver.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial -out myserver.crt -days 3650

Installing system-wide in rooted Android phones

Get the subject hash of the root CA cert and append ".0"; this is the filename the cert must be stored under:

openssl x509 -in rootCA.pem -subject_hash_old -noout

Copy rootCA.pem to this filename (e.g. 87654321.0) and put it in /system/etc/security/cacerts/ on the Android device (i.e. /system/etc/security/cacerts/87654321.0).
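The whole procedure above (CA creation, signing a service cert, and working out the Android filename) as one added script that is not part of the wiki page: it runs in a scratch directory, supplies the CA extensions and the subjectAltName that browsers and Android check, and verifies the result. The file names and the hostname used in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): runs the page's CA workflow in a scratch
# directory, adds the subjectAltName clients require, verifies the result and
# computes the Android cacerts filename. File names and the hostname are assumed.
set -eu

WORK=$(mktemp -d)

make_ca() {
    # Unencrypted key so the script runs non-interactively; for a real CA keep the
    # -aes256 passphrase on the key as on the page.
    openssl genrsa -out "$WORK/rootCA.key" 4096 2>/dev/null
    # Own config so the CA extensions do not depend on the system openssl.cnf.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -key "$WORK/rootCA.key" -config "$WORK/ca.cnf" \
        -subj "/CN=Home Root CA" -days 10240 -out "$WORK/rootCA.pem"
}

issue_server_cert() {
    host=$1
    openssl genrsa -out "$WORK/myserver.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/myserver.key" -config "$WORK/ca.cnf" \
        -subj "/CN=$host" -out "$WORK/myserver.csr"
    # Browsers and Android match the SAN, not the CN, so supply it at signing time.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/myserver.csr" -CA "$WORK/rootCA.pem" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -days 3650 \
        -extfile "$WORK/server.ext" -out "$WORK/myserver.crt"
}

# Exit status 0 only if myserver.crt chains to rootCA.pem and matches the hostname.
verify_server_cert() {
    openssl verify -CAfile "$WORK/rootCA.pem" -verify_hostname "$1" \
        "$WORK/myserver.crt" >/dev/null 2>&1
}

# Prints the filename Android expects under /system/etc/security/cacerts/ (hash + ".0").
android_cert_name() {
    echo "$(openssl x509 -in "$WORK/rootCA.pem" -subject_hash_old -noout).0"
}
```

Call make_ca, then issue_server_cert with the service hostname, and check with verify_server_cert before copying rootCA.pem to the name android_cert_name prints.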