Project background: a web service has to be deployed over HTTPS, which requires an SSL certificate. What do we do if we are not using a public CA?
On top of that, because this is a small project and the app is used only within a small scope, we have only an IP address and no domain name at all. What do we do then?
Here is my solution!
An ASP.NET Web API service hosted in IIS, using the HTTPS protocol
App and development environment
The OpenSSL version is 1.1.1g. Ideally use a version greater than or equal to this one, because it lets you set the subjectAltName extension directly on the command line. This is the key point and is covered later!
The steps are as follows
Replace the address 10.0.20.11 with the actual address of the project's web server.
Run the following openssl command to generate a CA certificate in X.509 format:
openssl req -x509 -nodes -days 365 -addext "subjectAltName = IP:10.0.20.11" -newkey rsa:2048 -keyout test.key -out test.cer
The parameter -addext "subjectAltName = IP:10.0.20.11" is very important. Because we have no domain name, the app reaches the service directly through the server's IP address. If the subjectAltName extension is missing, Android reports the following error when it verifies the CA certificate:
Hostname 10.0.20.11 was not verified
Then fill in the information required to generate the certificate:
# openssl req -x509 -nodes -days 365 -addext "subjectAltName = IP:10.0.20.11" -newkey rsa:2048 -keyout test.key -out test.cer
Generating a RSA private key
.......................................................+++++
......+++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JS
Locality Name (eg, city) :WX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) :Test
Common Name (e.g. server FQDN or YOUR name) :10.0.20.11
Email Address :
For Common Name (e.g. server FQDN or YOUR name) :10.0.20.11, enter the server's IP address (if you have a domain name, enter the company's domain name).
The corresponding key and cer certificate files are generated in the current directory.
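To confirm that the generated certificate really carries the IP subjectAltName described above, the following added example (not part of the original post) creates one certificate with the extension and one without, then checks both with openssl x509 -checkip. It assumes a POSIX shell with OpenSSL 1.1.1 or later on the PATH; -subj replaces the interactive prompts, and the function names and the with_san / no_san file names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1 on PATH.
# -subj supplies the Distinguished Name so the script runs without prompts.

# make_cert OUT_PREFIX IP [san]
# Writes OUT_PREFIX.key and OUT_PREFIX.cer. The IP subjectAltName is added
# only when the third argument is "san".
make_cert() {
    prefix=$1; ip=$2; mode=${3:-nosan}
    if [ "$mode" = "san" ]; then
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$ip" -addext "subjectAltName = IP:$ip" \
            -keyout "$prefix.key" -out "$prefix.cer" 2>/dev/null
    else
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$ip" \
            -keyout "$prefix.key" -out "$prefix.cer" 2>/dev/null
    fi
}

# cert_matches_ip CERT IP
# Succeeds only if the certificate has a matching IP subjectAltName entry.
# OpenSSL does not fall back to the Common Name when checking an IP address.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 | grep -q "does match"
}

# Demo on constructed certificates in a temporary directory.
tmp=$(mktemp -d)
make_cert "$tmp/with_san" 10.0.20.11 san
make_cert "$tmp/no_san" 10.0.20.11
for c in with_san no_san; do
    if cert_matches_ip "$tmp/$c.cer" 10.0.20.11; then
        echo "$c.cer: 10.0.20.11 verifies"
    else
        echo "$c.cer: 10.0.20.11 NOT verified (no matching IP SAN)"
    fi
done
rm -rf "$tmp"
```

Running cert_matches_ip test.cer 10.0.20.11 against the real certificate before importing it into IIS catches a missing or mistyped address without having to deploy to a device.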
Generate the pfx file
A pfx file is a digital certificate bundled with its private key. It can be imported through IIS Manager and used as the server certificate.
Run the following command:
# openssl.exe pkcs12 -export -in test.cer -inkey test.key -out test.pfx
Enter Export Password:
Verifying - Enter Export Password:
Here test.cer is the digital certificate, containing the public key and other information, and test.key is the private key. The two are merged and packaged into test.pfx.
If the pfx needs to be encrypted, you can enter a password. No password is applied here!
Import the server certificate
Open IIS Manager, open Server Certificates, choose Import, select the pfx file created earlier, and import it!
Add a website, choose https as the binding type, and select the previously imported certificate from the SSL certificate drop-down list.
Android project configuration
Add the digital certificate to the Android resources
Under the Resource folder, add a raw folder, add the cer file to it, and select the build action as
Configure the certificate as a trusted certificate
The network_security_config.xml file is configured as follows:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <!-- Release port -->
        <domain includeSubdomains="true">10.0.20.11</domain>
        <trust-anchors>
            <certificates src="@raw/test"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
certificates references the certificate that was added, here test.cer.
For domain, adding the server's IP is enough.