
Using self-signed certificates with Xamarin Android

Background

The project's back-end web service is deployed as an HTTPS service, which requires an SSL certificate. What do we do if we don't use a public CA?

On top of that, because this is a small project and the app is used only within a small scope, there is only an IP address and no domain name at all. What then?

Here is my solution!

Environment

  • Back-end service

    An ASP.NET Web API service hosted in IIS, using the HTTPS protocol

  • App and development environment

    Xamarin.Forms, VS2019

  • OpenSSL

    The version is OpenSSL 1.1.1g. Ideally use a version greater than or equal to this one, because it lets you set the subjectAltName extension directly on the command line. This is the key point, and it is covered below.

Method

Generate the certificate

The address 10.0.20.11 that appears below should be replaced with the actual web server address of your project.

Use openssl to run the following command, which generates a CA certificate in X.509 format:

 openssl req -x509 -nodes -days 365 -addext "subjectAltName = IP:10.0.20.11" -newkey rsa:2048 -keyout test.key -out test.cer 

The -addext "subjectAltName = IP:10.0.20.11" parameter is very important. Because we have no domain name, the app reaches the service directly through the server's IP address. Without this subjectAltName extension, Android's verification of the certificate fails with the error Hostname 10.0.20.11 was not verified.

Then fill in the information required to generate the certificate:

# openssl req -x509 -nodes -days 365 -addext "subjectAltName = IP:10.0.20.11" -newkey rsa:2048 -keyout test.key -out test.cer
Generating a RSA private key
.......................................................+++++
......+++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JS
Locality Name (eg, city) []:WX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Test
Common Name (e.g. server FQDN or YOUR name) []:10.0.20.11
Email Address []:

Here, the value entered after Common Name (e.g. server FQDN or YOUR name) []: is the server's IP address (if there is a domain name, use the company's domain name instead).

The corresponding key and cer certificate files are generated in the current directory.
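The effect of the subjectAltName extension described above can be checked before the certificate is deployed. The following script is an added example, not part of the original article: it generates three throwaway certificates for the article's sample address (no SAN, a DNS-type SAN, an IP-type SAN) and tests each with openssl x509 -checkip, which, like Android's hostname verification of an IP address, accepts only an IP-type SAN entry and ignores the Common Name. The function names and temporary file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Needs OpenSSL >= 1.1.1 (-addext).
# 10.0.20.11 is the article's sample address; file names are constructed.

# make_cert PREFIX IP [SAN]
# Writes PREFIX.key and PREFIX.cer: a self-signed certificate with CN=IP.
# The subjectAltName extension is added only when SAN is given.
make_cert() {
    prefix=$1; ip=$2; san=${3:-}
    set -- req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$ip" \
        -keyout "$prefix.key" -out "$prefix.cer"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName = $san"
    fi
    openssl "$@" 2>/dev/null
}

# cert_matches_ip CERT IP
# Succeeds only if CERT carries IP as an IP-type subjectAltName entry.
# A matching Common Name or a DNS-type entry does not count.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 |
        grep -q "does match certificate"
}

# Generate the three variants and report which one an IP-based client accepts.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/no_san"  10.0.20.11
    make_cert "$dir/dns_san" 10.0.20.11 "DNS:10.0.20.11"
    make_cert "$dir/ip_san"  10.0.20.11 "IP:10.0.20.11"
    for name in no_san dns_san ip_san; do
        if cert_matches_ip "$dir/$name.cer" 10.0.20.11; then
            echo "$name: 10.0.20.11 matches the certificate"
        else
            echo "$name: 10.0.20.11 does NOT match the certificate"
        fi
    done
    rm -rf "$dir"
}

demo
```

Only the ip_san certificate matches; the other two are the cases that end in the Hostname 10.0.20.11 was not verified error.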

Generate the pfx file

A pfx file is a digital certificate bundled with its private key. It can be imported through IIS Manager and used as the server certificate.

Execute the following command :

# openssl.exe pkcs12 -export -in test.cer -inkey test.key -out test.pfx
Enter Export Password:
Verifying - Enter Export Password:

Here test.cer is the digital certificate, containing the public key and other information, and test.key is the private key. The two are merged and packaged into test.pfx.

If the pfx needs to be encrypted, you can enter a password at the prompt. No password was set here!

Import the server certificate

Open IIS Manager, open Server Certificates, choose Import, select the pfx file created earlier, and import it!


Apply the certificate

Add a website, choose https as the binding type, and select the previously imported certificate from the SSL certificate drop-down list.


Android project configuration

Add the digital certificate to the Android resources

Under the Resources folder, add a raw folder, add the cer file to it, and set its build action to AndroidResource.

Configure the certificate as a trusted certificate

Configure the network_security_config.xml file as follows:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <!-- Release port -->
    <domain includeSubdomains="true">10.0.20.11</domain>
    <trust-anchors>
      <certificates src="@raw/test"/>
    </trust-anchors>
  </domain-config>
</network-security-config>

The certificates element inside trust-anchors references the certificate added to the resources, here test.cer. In domain, adding the server's IP address is enough.

Copyright notice
This article was written by [Liuww06]. Please include a link to the original when reposting. Thank you.
https://cdmana.com/2021/10/20211002145410638G.html
