self-signed SSL certificate
A self-signed certificate is one that the holder signs with its own key instead of having a certificate authority sign it, so nothing independent vouches for the subject of the certificate and it cannot be trusted on its own.
Browsers therefore do not trust it: the user has to manually confirm whether to trust the certificate, as shown in the figure below:
If a self-signed certificate cannot be trusted, why do people still use them?
The main reasons are:
1) Self-signed certificates are free
2) Compared with applying for a CA certificate, the process for a self-signed certificate is simpler
3) Self-signed certificates still encrypt the data in transit
4) The validity period of a self-signed certificate can be set very long, which removes the hassle of renewal
5) Self-signed certificates are convenient for testing; for example, you can generate certificates for as many different server IPs as you want
So for some individual developers a self-signed certificate may be the more convenient choice, as long as you can accept that visitors to your website get a "not secure" warning.
CA-signed SSL certificate
In contrast to a self-signed certificate, a certificate signed by an authoritative certificate authority (CA) is what we call a CA certificate.
The CA certificate vouches for the identity of the certificate holder and for its ownership of the public key.
A CA certificate is trusted by the browser, as shown below:
Six: Generating a self-signed SSL certificate
Although a self-signed certificate triggers the "not secure" warning, it still has the benefits listed above, so let's go through generating one, mainly with the keytool.exe utility that ships with the Java JDK.
1: First download and install the Java JDK: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
2: After installation, locate keytool.exe under your actual install path; on my machine it is C:\Program Files (x86)\Java\jdk1.8.0_101\bin\keytool.exe
3: Generate the keystore. Open the command line (cmd), change to the directory where keytool is located, and run:
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore d:\mykeystore\keystore.p12 -validity 3650 -ext san=ip:192.168.10.1 -dname "CN=myname, OU=mycompany, O=mycompany, L=gd, ST=gd, C=india"
The command only prompts you for the keystore password; in this example the password is assumed to be 123456.
Where:
1) The keystore can be thought of as a database that stores many groups of data.
Each group is one of two kinds of entry:
a: Key entry: a secret key, or a private key together with its paired public key (asymmetric encryption)
b: Trusted certificate entry: contains only a public key (certificate)
2) -keystore d:\mykeystore\keystore.p12 generates the keystore file keystore.p12 in d:\mykeystore (create this folder manually first)
3) -alias tomcat specifies the entry's unique alias within the keystore: tomcat. The keystore may hold other aliases as well, for example tomcat2
4) -storetype PKCS12 sets the keystore type to PKCS12
5) -keyalg RSA specifies the key algorithm; this example uses the common RSA algorithm
6) -keysize 2048 sets the key length to 2048 bits
7) -validity 3650 sets the validity period of the certificate to 3650 days
8) -ext san=ip:192.168.10.1 sets the Subject Alternative Name; use your server's actual IP address here. If it is not set, the client may report an error when connecting
9) -dname "CN=myname, OU=mycompany, O=mycompany, L=gd, ST=gd, C=india" sets the distinguished name of the certificate subject
Export the public key certificate (mainly for the client):
Run the command:
keytool -export -keystore d:\mykeystore\keystore.p12 -alias tomcat -file mycer.cer -storepass 123456
Where:
1) -keystore d:\mykeystore\keystore.p12 refers to the keystore file created above
2) -alias tomcat selects the entry whose alias is tomcat
3) -file mycer.cer writes the certificate to the file mycer.cer in the current directory
4) -storepass 123456 is the keystore password set above
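Before handing mycer.cer to clients it is worth checking what keytool actually produced. The following is an added example, not code from the article: it loads the exported certificate with the JDK's CertificateFactory, confirms it is self-signed (issuer equals subject and the signature verifies under its own key), reports the RSA key length, and checks that the SAN contains the server IP given to -ext. The file name and the IP 192.168.10.1 are assumptions taken from the commands above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.List;

public class CheckExportedCert {
    // Inspect the certificate exported by "keytool -export" (path and IP are assumptions).
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "mycer.cer";
        String expectedIp = args.length > 1 ? args[1] : "192.168.10.1";
        X509Certificate cert;
        try (InputStream in = new FileInputStream(path)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer : " + cert.getIssuerX500Principal());
        System.out.println("Valid  : " + cert.getNotBefore() + " -> " + cert.getNotAfter());
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        // Self-signed: issuer equals subject and the signature verifies under the cert's own key.
        // That is exactly why no third party vouches for the subject.
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        if (selfSigned) {
            cert.verify(cert.getPublicKey()); // throws SignatureException if the signature is bad
        }
        System.out.println("Self-signed: " + selfSigned);

        // Key length requested with -keysize 2048
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA key bits: " + bits + (bits < 2048 ? " (too short)" : ""));
        }

        // SAN from -ext san=ip:...; clients match the host they connected to against these entries.
        // Entry type 7 = iPAddress, 2 = dNSName (GeneralName tags as exposed by the JCA API).
        boolean ipInSan = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (List<?> san : sans) {
                System.out.println("SAN type " + san.get(0) + ": " + san.get(1));
                if (Integer.valueOf(7).equals(san.get(0)) && expectedIp.equals(san.get(1))) ipInSan = true;
            }
        }
        System.out.println(ipInSan ? "SAN contains " + expectedIp
                : "WARNING: SAN lacks " + expectedIp + "; clients connecting by IP will fail hostname verification");
    }
}
```

Run it as java CheckExportedCert mycer.cer 192.168.10.1; a missing SAN or a bad self-signature shows up here rather than as an opaque handshake error on the client.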
Installing the public key certificate in OkHttp
Code explanation
There is quite a lot of code, but the core of it is:
load the file containing your own certificate,
pass the result on,
and from it
build an OkHttpClient with the trusted certificate installed.
That completes OkhttpManager. Next:
Using OkhttpManager in an Activity
1: First put the public key certificate file (for example the self-signed mycer.cer, or a CA certificate *.pem) under assets.
If you use Android Studio there may be no assets folder yet; create it yourself. Mine is app\src\main\assets
2: The main code of the Activity is pasted directly:
Simple: the main code is only those two statements, and they produce mOkhttpClient with the public key certificate "mycer.cer" installed.
Everyone should know how to use mOkhttpClient from here; if not, review the basics of OkHttpClient first.
OK, OkHttpClient is done.
Next is Retrofit
As you should know, Retrofit uses OkHttpClient as its transport by default. Now that OkHttpClient is set up, Retrofit is simple. Here is
the code directly:
Look, only one more line is needed in Retrofit:
use the mOkhttpClient with the installed certificate as Retrofit's transport.
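The OkhttpManager, Activity and Retrofit steps above form one procedure, so here is a single added example that covers them; it is not the article's own code. It reads the certificate from an InputStream (an Activity would pass getAssets().open("mycer.cer")), builds a trust store holding only that certificate, creates an OkHttpClient that trusts nothing else, and hands that client to Retrofit. The class and method names are assumptions; the base URL and alias are placeholders.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import retrofit2.Retrofit;

public final class OkhttpManager {

    // Build a client that trusts ONLY the certificate read from certStream (e.g. mycer.cer from assets).
    // The system CA store is deliberately not consulted, so a CA-issued certificate for the same
    // host would be rejected; that is the intended behaviour when pinning a self-signed certificate.
    public static OkHttpClient buildClient(InputStream certStream) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(certStream);

        // Empty in-memory keystore holding just our trusted certificate entry
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected trust managers: " + Arrays.toString(tms));
        }
        X509TrustManager trustManager = (X509TrustManager) tms[0];

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManager }, null);

        // OkHttp's default HostnameVerifier stays in place: it matches the connected host or IP
        // against the SAN (ip:192.168.10.1) that was set with keytool -ext.
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
                .build();
    }

    // The one extra line Retrofit needs: use the certificate-aware client as its transport.
    public static Retrofit buildRetrofit(OkHttpClient client, String baseUrl) {
        return new Retrofit.Builder()
                .baseUrl(baseUrl)              // e.g. "https://192.168.10.1:8443/" (placeholder)
                .client(client)
                .build();                      // add converter factories as your API requires
    }
}
```

In an Activity: OkHttpClient mOkhttpClient = OkhttpManager.buildClient(getAssets().open("mycer.cer")); then OkhttpManager.buildRetrofit(mOkhttpClient, baseUrl).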