How to use SSL certificate in Spring-Boot and generating Public-key for android clients
Question
I've got a certificate from sslforFree.com that contains 3 files:
1-ca_bundle.crt
2-certificate.crt
3-private.key
I could configure my Spring-Boot application with a self-signed certificate that was created by the Java keytool; now my question is how I can use these three files.
I expected that there would be just one file that I could put into my Keystore, but now there are 3 files and I don't know how to use them.
On the other hand, I have Android applications as clients. They need to have a .pem file as a certificate that contains a public key in the format below (I mean just the value of the tags):
<pin-set>
<pin digest="SHA-256">k3XnEYQCK79AtL9GYnT/nyhsabas03V+bhRQYHQbpXU=</pin>
</pin-set>
Now how can I generate a .pem file containing a public key in this format?
I have searched and also found some commands to concatenate the .crt and .key files, and the result is a .pem file, but it contains some Base64 text with these markers at the start and the end of the file:
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
xxxxx
-----END RSA PRIVATE KEY-----
How can I create a public key for the clients?
And do I need to put that .pem file into my Keystore?
Any help would be appreciated!
Answer 1
Score: 1
You can use a tool like KeyStore Explorer that can help you convert the keystore and certificate formats. Or you can use the openssl command line tool.
If the files you got from the CA are binary (not text), they are probably in the DER encoding, but they can be easily converted to PEM (text) encoding if needed.
For the Java server, you need a keystore that will contain the certificate.crt including the private key from private.key. And you should also have a truststore where you import the ca_bundle.crt. The default format for a Java keystore is nowadays PKCS#12.
Answer 2
Score: 1
You should do the same as you were doing with the self-signed cert.
Import your three files into a keystore using keytool. certificate.crt is a file that holds your public key with certification data; ca_bundle.crt is a file that holds the public keys of the certification authorities which certified your key (this is called a certificate chain); private.key is a file holding the private key of a key pair (the public key is part of the certificate), which is used to encrypt data in a certain phase of the SSL connection.
Server part
On the server side you need to create a keystore that incorporates your private key, your certificate (with the public key) and the certificate chain. Here you can find the command that fits your case.
Client part
At your client you can pin any certificate/key in the root-to-leaf chain. The closer your pinned key is to the leaf, the more secure a solution you get. The downside is that leaf certificates normally have a short lifetime, so when you renew the server certificate you will have to update the client pin as well.
Good instructions on how to generate the sha256 digest can be found in this SO answer.
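As an added example (not from the question or either answer), the two steps above in a shell script: build the PKCS#12 keystore for Spring Boot from the three files named in the question, and derive the value for the Android `<pin digest="SHA-256">` element from certificate.crt. The `springboot` alias and the `changeit` password are assumptions, and the pin is computed from the key as well so you can check that private.key and certificate.crt belong together.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. File names are
# the ones from the question; alias and password are assumptions.
set -eu

# Build keystore.p12 for Spring Boot from certificate.crt, private.key and
# ca_bundle.crt (the chain). Usage: make_keystore <dir> <password>
make_keystore() {
  dir=$1; pass=$2
  openssl pkcs12 -export \
    -in "$dir/certificate.crt" -inkey "$dir/private.key" \
    -certfile "$dir/ca_bundle.crt" -name springboot \
    -out "$dir/keystore.p12" -passout "pass:$pass"
  # application.properties entries Spring Boot reads for its TLS listener
  # (assumed alias/password; no truststore is needed for plain server TLS)
  cat > "$dir/application.properties" <<EOF
server.ssl.key-store=file:$dir/keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=$pass
server.ssl.key-alias=springboot
EOF
}

# Android pin value: base64(sha256(DER SubjectPublicKeyInfo)). This pins the
# public key, not the whole certificate, so a renewal that keeps the same key
# pair does not break the client. Usage: spki_pin <certificate.crt>
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# The same pin derived from private.key. If this differs from spki_pin on
# certificate.crt, the key and certificate do not belong together and the
# keystore above will not work. Usage: spki_pin_from_key <private.key>
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}
```

Put the printed pin into `network_security_config.xml` as the `<pin>` value; the .pem file from the question is not needed on the client for this, and the private key must never be shipped with it.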