在公钥基础结构中颁发证书的一般过程大致如下:
客户端生成私钥和公钥
客户端生成一个CSR(证书签名请求),其中包括诸如Common Name和Public Key之类的属性。使用私钥对其进行签名并将其发送到服务器
服务器使用CSR数据构建X509证书,使用CA私钥对其进行签名,然后将X509返回给客户端
客户端将私钥和证书存储在KeyStore中
CA生成什么?
x509证书
什么是P12文件?
PKCS#12格式(.pfx或.p12)的文件,其中包含密钥库
.cer文件包含什么?
证书的公开部分(不含私钥),采用DER或PEM格式
编辑:Android上的CSR生成
Gradle依赖
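// Gradle dependencies. Spongy Castle is a repackaging of Bouncy Castle for Android
// (the JcaPKCS10CertificationRequestBuilder / ContentSigner classes used below come
// from the pkix artifact). The two declarations were fused on one line in the
// original, which Gradle does not parse; they are one statement each.
// NOTE: `compile` is the legacy configuration name; newer Gradle versions use `implementation`.
compile 'com.madgag.spongycastle:core:1.51.0.0'
compile 'com.madgag.spongycastle:pkix:1.51.0.0'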
生成KeyPair和CSR
//Generate KeyPairKeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");keyGen.initialize(KEY_SIZE, new SecureRandom());KeyPair keyPair = keyGen.generateKeyPair();//Generate CSR in PKCS#10 format enpred in DERPKCS10CertificationRequest csr = CsrHelper.generateCSR(keyPair, commonname);byte CSRder[] = csr.getEnpred();实用工具
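/**
 * Builds PKCS#10 certificate signing requests (CSRs) for a client key pair.
 *
 * <p>The CSR carries the subject name and the public key and is self-signed with the
 * matching private key; that self-signature is the proof of possession an issuing CA
 * should verify before building a certificate. The private key itself is never
 * serialised by this class.
 */
public class CsrHelper {

    private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String CN_PATTERN = "CN=%s, O=Aralink, OU=OrgUnit";

    /**
     * {@link ContentSigner} backed by a JCA {@link Signature}. Everything written to
     * {@link #getOutputStream()} is buffered in memory and signed in one go when
     * {@link #getSignature()} is called, which is adequate for CSR-sized inputs.
     */
    private static class JCESigner implements ContentSigner {

        /** Maps a lower-cased JCA algorithm name to its X.509 AlgorithmIdentifier. */
        private static final Map<String, AlgorithmIdentifier> ALGOS = new HashMap<>();

        static {
            // sha256WithRSAEncryption
            ALGOS.put("SHA256withRSA".toLowerCase(),
                    new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.1.1.11")));
            // sha1WithRSAEncryption -- kept only so existing callers passing "SHA1withRSA"
            // keep working. SHA-1 signatures are considered weak; do not use it for new CSRs.
            ALGOS.put("SHA1withRSA".toLowerCase(),
                    new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.1.1.5")));
        }

        private final String algorithm;
        private final Signature signature;
        private final ByteArrayOutputStream buffer;

        /**
         * @param privateKey key used to sign the CSR body
         * @param sigAlgo JCA signature algorithm name, e.g. {@code SHA256withRSA}
         * @throws IllegalArgumentException if either argument is null, or the JCA provider
         *     cannot initialise the algorithm with the given key (cause preserved)
         */
        public JCESigner(PrivateKey privateKey, String sigAlgo) {
            if (privateKey == null || sigAlgo == null) {
                throw new IllegalArgumentException("privateKey and sigAlgo must not be null");
            }
            this.algorithm = sigAlgo.toLowerCase();
            this.buffer = new ByteArrayOutputStream();
            try {
                this.signature = Signature.getInstance(sigAlgo);
                this.signature.initSign(privateKey);
            } catch (GeneralSecurityException gse) {
                // Keep the cause: the bare message hid which provider/algorithm failed.
                throw new IllegalArgumentException("Cannot initialise signer for " + sigAlgo, gse);
            }
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            AlgorithmIdentifier id = ALGOS.get(algorithm);
            if (id == null) {
                throw new IllegalArgumentException("Does not support algo: " + algorithm);
            }
            return id;
        }

        @Override
        public OutputStream getOutputStream() {
            return buffer;
        }

        /**
         * Signs everything written to {@link #getOutputStream()} so far.
         *
         * @return the raw signature bytes
         * @throws IllegalStateException if the JCA signing operation fails. The failure is
         *     reported here instead of returning {@code null}, which would only surface
         *     later as an unusable CSR.
         */
        @Override
        public byte[] getSignature() {
            try {
                signature.update(buffer.toByteArray());
                return signature.sign();
            } catch (GeneralSecurityException gse) {
                throw new IllegalStateException("Signing the CSR failed", gse);
            }
        }
    }

    /**
     * Creates a PKCS#10 certificate signing request for {@code keyPair}.
     *
     * <p>The subject is built from {@link #CN_PATTERN} with {@code cn} as the common name,
     * and the request is self-signed with the private key using
     * {@link #DEFAULT_SIGNATURE_ALGORITHM}. A basicConstraints extension request with
     * {@code cA=false} is attached: this is an end-entity (client) request and must not ask
     * for CA capability. An issuing CA should still verify the CSR signature and decide on
     * its own which requested extensions, if any, it honours.
     *
     * <p>{@code cn} is interpolated into a DN string that {@link X500Name} then parses, so a
     * value containing {@code ,} or {@code =} would be read as additional RDNs. Validate
     * {@code cn} before calling (or build the name with an X500NameBuilder instead).
     *
     * @param keyPair the client's key pair; only the public key is embedded in the CSR
     * @param cn common name placed in the subject
     * @return the signed CSR; {@code getEncoded()} yields its DER form
     * @throws IOException if the extension request cannot be encoded
     * @throws OperatorCreationException if the request cannot be built
     */
    public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String cn)
            throws IOException, OperatorCreationException {
        String subject = String.format(CN_PATTERN, cn);
        ContentSigner signer = new JCESigner(keyPair.getPrivate(), DEFAULT_SIGNATURE_ALGORITHM);
        PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(subject), keyPair.getPublic());
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        // cA=false: an end-entity request. The original requested cA=true, i.e. a certificate
        // able to sign further certificates, which a client CSR has no business asking for.
        extensions.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());
        return builder.build(signer);
    }
}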


