Reputation: 7106
I have an Android app that communicates with my host server. The app and the server communicate through SSL. Every year, I have to renew the (self-signed) certificate in the host server. Every time that cert expires, I have to update my Android app accordingly by creating my own TrustManager and trusting the new certificate directly. This is working perfectly.
The thing is, I don't want to modify my Android app every time my cert expires. So the question is, how do I trust all the self-signed certificates that I issue? Again, only the self-signed certificates from me.
These are the restrictions:
This is how I generate the cert:
openssl req -newkey rsa:4096 \
-x509 \
-sha256 \
-days 365 \
-nodes \
-out selfSignedCert.crt \
-keyout newPrivate.key
Would appreciate your help.
Upvotes: 3
Views: 2022
Reputation: 1122
Create a CA cert with 10 years validity. Sign the server cert with the CA cert. The server cert should have 1 year or less validity. In your application include the CA cert and add it to your custom TrustManager. Now you only need to release a new app every 10 years when the CA cert expires. Your TrustManager should accept all certs which are signed by your CA cert.
Detailed steps:
1. Create the CA key
sudo openssl genrsa -out CA/rocketCA.key 1024
2. Create the CA certificate signing request
openssl req -new -key CA/rocketCA.key -out CA/rocketCA.csr
3. Self-sign the CA certificate (10 years) and inspect it
sudo openssl x509 -req -days 3650 -in CA/rocketCA.csr -out CA/rocketCA.crt -signkey CA/rocketCA.key
openssl x509 -in CA/rocketCA.crt -text
4. Create the server key and its signing request
sudo openssl genrsa -des3 -out server/keys/rocket.example.com.key 1024
openssl req -new -key server/keys/rocket.example.com.key -out server/requests/rocket.example.com.csr
5. Sign the server certificate with the CA (1 year) and inspect it
sudo openssl ca -days 365 -in server/requests/rocket.example.com.csr -cert CA/rocketCA.crt -keyfile CA/rocketCA.key -out server/certificates/rocket.example.com.crt
openssl x509 -in server/certificates/rocket.example.com.crt -text
Key values to look for are:
Subject CN=rocket.example.com
Issuer CN=rocketCA
Reference for detailed steps: (You do not need the Mutual Auth part)
Upvotes: 6
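The TrustManager the answer above describes, as an added example that is not part of the original answer: instead of overriding checkServerTrusted, it loads the bundled CA cert (assumed here to be the rocketCA.crt from the steps above, shipped as an app resource) into an empty KeyStore and lets the platform's PKIX TrustManager do the chain validation, so a renewed server cert is accepted as long as it is signed by that CA and still within its validity dates.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class OwnCaTrust {

    // caPem: the CA certificate (assumed: rocketCA.crt bundled as a raw resource),
    // opened by the caller, e.g. getResources().openRawResource(R.raw.rocket_ca).
    public static SSLContext fromCaCertificate(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caPem);

        // Empty in-memory trust store holding only our CA: nothing from the
        // system store is trusted, so only certs chaining to rocketCA pass.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("own-ca", ca);

        // The default (PKIX) TrustManager checks the signature, the validity
        // dates and the chain. No custom checkServerTrusted means an expired
        // server cert is still rejected, and a freshly issued one is accepted.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens a connection whose TLS trust is limited to our CA. The default
    // hostname verifier stays in place, so the server cert must also match the
    // host name (put it in a subjectAltName; modern verifiers ignore the CN).
    public static HttpsURLConnection open(String url, InputStream caPem) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(fromCaCertificate(caPem).getSocketFactory());
        return conn;
    }
}
```

On Android 7.0 and later the same restriction can be declared without code through a Network Security Config that lists the CA under trust-anchors.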
Reputation: 123591
First, it is unclear why exactly you have a limit of one year, how exactly you issue a new certificate, and why you are restricted to self-signed certificates only. But the common way to do pinning/trusting which still works with a renewed certificate is to pin against the public key of the certificate and not against the certificate itself. Then make sure that the key stays the same when renewing the certificate.
Upvotes: 3