A customer asked us to support HTTPS, so I started surveying how to have Android talk to our product over the HTTPS protocol.
The first thing needed is a certificate to test with. A little self-promotion here: you can apply for one from my former employer, HiTRUST (網際威信).
But I need to test not only on Android but also on iOS, and iOS restricts which Root CAs it accepts; see here.
A legitimate test needs a certificate chain that ends in a Root CA trusted by Apple, and the usual free test certificates are not on Apple's allowed list.
I applied to several CAs that offer free 15- to 30-day test certificates; so far I know that the free test certificate from TWCA (台網) chains to a root on Apple's list.
Now to the topic of this post: how to generate the key and CSR, retrieve the certificate, and configure and install it in Apache:
In principle the steps below apply to any web server, but each server has its own way of setting this up.
IIS, for instance, has a more convenient way to generate these; readers can google it. This post uses Apache as the example for applying and installing.
Before you start, have the two tools keytool.exe and openssl.exe ready. keytool.exe is under bin in the Java SDK you installed, and openssl.exe is under bin in the Apache installation directory.
Step 1. Generate the key pair
keytool.exe -genkey -alias key01 -keyalg RSA -keysize 2048 -keystore LearnHouse.keystore -storepass 12345678 -keypass 12345678
-genkey     generate a key pair
-alias      alias for the generated key
-keyalg     algorithm to use
-keysize    length of the key pair
-keystore   keystore file name
-storepass  keystore access password
-keypass    access password for the key itself
Step 2. Fill in the certificate request details as shown in the screen below
Step 3. Generate the certificate signing request (CSR)
keytool.exe -certreq -alias key01 -file cert.csr -keystore LearnHouse.keystore -storepass 12345678 -keypass 12345678
Step 4. Submit the generated cert.csr to the CA you are applying to, then wait for the certificate to be issued
Step 5. Receive the intermediate certificate(s) and the server certificate
Step 6. Extract the private key from the keystore
keytool.exe -importkeystore -srckeystore LearnHouse.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
openssl.exe pkcs12 -in intermediate.p12 -out extracted.pem -nodes
Open extracted.pem in Notepad; its content will look like this:
Bag Attributes
    friendlyName: key01
    localKeyID: 54 69 6D 65 20 31 34 31 32 36 31 31 35 37 34 32 34 35
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAkKX5H93/OpVmFwQ7ycZBlIMKAm/3qfdaWbMQnKIVpXcssCd3
REGrUZnBaCFxIhjkuWL4TgW4LYsYrttEVnb0+HT5fn6STMo3pGYUUxwnZ03wTlE9
xPW5zluasc8VWIPWcvlTFRo+UuYoCN1YXc9QHv0lwwuO5vSFsRRtfjsOU7BuKSPo
0QhCjW2ri/6CnJHgHb8YuGG/VPEj4l5bfpF4xgbray+knRsG3YSu9mvZCspUGEAt
2OoLFsetj1lVlE7qtSc9N2mdiZF82dcTfa9hy1UKDRfv4mz75H+V7Q37n8bvK1F/
OVn1J2YCqZL4SLcipgUQitoH6fQzPvALHBm47wIDAQABAoIBAA0/1rDvkbhZBO/o
yF00Fr+2vQz6GpJsAM+kkkn2osr0PpioFMmgxkOENO4H2igIZbMBeMMUzQkG66zg
ksLkxI2ZkVzf1SDJiQ06+HOgaY+R2Qgjcuf+phVb2LCeylLASL1hTxXowHqxcEtX
kweMvMcJ4xKZlW5cSX6t41WjrS1HIXX6Cfxadhhn/F51wQgWIbKvDO7Jiz34Pw2T
aeU9maOx8h4cvITMhFX/rQBX6HK5/BpxODV7XVSwiZDthQQd01DjhBgFKu0e3xVx
BaVp5saYeVIlASV7DI5lGXP3mGp76ubAHS5WXOqeC6v9U09JapfOdaYBbbUzfVuS
vliok1ECgYEA07/5P8C4gD+U5n4Ln+g6Mea80Q1m1YC9fQwnQYdCRvk1qp4BVSwz
MmKpDfP5vbnzDZ+R9MRhrzGyWh5P9TItnl/ng5qgJZjq6QH6E42K8BxIBAHCCWIx
4B7Szs0+72bFUdQWsj6PBFvztwgf+c2uIy9BwtaiVmz9SPqxUDPb4FcCgYEAruBA
9yxaZrUhXJjW46ZDOE7xlE75SqeS66GdFshLBTkckqKrco7XUgxn7p+OF0eyRDFo
Cyn1dChiHoqew/nInrxqSS0sR7IkKMpBQVZh7jrJ/RrjIR4Yepiy4fIBcC4TKwXR
rs9mM5QCVs1fv414ONrkVZLSrcBLB9Eu/1X4rSkCgYEAkM6OE40mH35bw6ybIoXb
llim84fotUVPUH7JMcTgDE1M6BsZ6jdJ48EYv1QDjD3n+38Of4b1Dqw7velQ4Oup
ys7nMlbCAjQrIaGadVislTuh/Ct/mI8wcIZjv80YpvtvIWCbDNY/U8nWR2slAt4n
oiQlIqtJZTUvmYLnU2PDkA0CgYBmRdC4vb/BAX2ZYemLCdmWPNUcH3O8LXTHSaVN
haYaT+Rd/bS3MsLKwWanL7kx9ERVjW+D1+4tGNEJe5iOlK635wlh8oFLDOwIzwCK
7bIoWUl4NRlQbQFz8YnsilQ8/zVGnAida74hvBYCHeo5ZMtCtQGE6nE8HJHE6JnL
ysO8wQKBgB27GuqiPP/Gw/PCeX8BJ+vZ/2TyK9ZeP3tGypDvrE7Ws0hvR6gTdjpj
qoSccciGrTVUK/vzNHVBAnHcB02TG7RrFEHEQIKOfumZInTGUcI9avKLAeC2zqD0
UbFVDlIpqv4EZNtpQb2+JIAZUNK5031wh5Zgj/AvY+4AWawgjAGO
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: key01
    localKeyID: 54 69 6D 65 20 31 34 31 32 36 31 31 35 37 34 32 34 35
subject=/C=TW/ST=Taiwan/L=Tainan/O=LearnHouse/OU=SW/CN=learn-house.idv.tw
issuer=/C=TW/ST=Taiwan/L=Tainan/O=LearnHouse/OU=SW/CN=learn-house.idv.tw
-----BEGIN CERTIFICATE-----
MIIDezCCAmOgAwIBAgIEBCzwYzANBgkqhkiG9w0BAQsFADBuMQswCQYDVQQGEwJU
VzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWluYW4xEzARBgNVBAoTCkxl
YXJuSG91c2UxCzAJBgNVBAsTAlNXMRswGQYDVQQDExJsZWFybi1ob3VzZS5pZHYu
dHcwHhcNMTQxMDA2MTUyNjExWhcNMTUwMTA0MTUyNjExWjBuMQswCQYDVQQGEwJU
VzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWluYW4xEzARBgNVBAoTCkxl
YXJuSG91c2UxCzAJBgNVBAsTAlNXMRswGQYDVQQDExJsZWFybi1ob3VzZS5pZHYu
dHcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQpfkf3f86lWYXBDvJ
xkGUgwoCb/ep91pZsxCcohWldyywJ3dEQatRmcFoIXEiGOS5YvhOBbgtixiu20RW
dvT4dPl+fpJMyjekZhRTHCdnTfBOUT3E9bnOW5qxzxVYg9Zy+VMVGj5S5igI3Vhd
z1Ae/SXDC47m9IWxFG1+Ow5TsG4pI+jRCEKNbauL/oKckeAdvxi4Yb9U8SPiXlt+
kXjGButrL6SdGwbdhK72a9kKylQYQC3Y6gsWx62PWVWUTuq1Jz03aZ2JkXzZ1xN9
r2HLVQoNF+/ibPvkf5XtDfufxu8rUX85WfUnZgKpkvhItyKmBRCK2gfp9DM+8Asc
GbjvAgMBAAGjITAfMB0GA1UdDgQWBBSUPceelS5BJM2UtgWC9kSl7WpQXDANBgkq
hkiG9w0BAQsFAAOCAQEAg/62MBvWtF27863mPwjNGHzhE/SQprs6xMCTEYi0W2Rh
ZymuKxLoict5lGeWSPIKzXrAKkm3vYGQxqw2Lxm+EORI8odNHi9ESpjmFJgaSlHh
jC0RqvvrL5D7j0PH5HZOH/rImrHuPtJ21ek9pr9FpeEUuaFoAQay1WOO5ieQ+PKG
r7j7Ny+t4TBi7opIbbWAJ8aJVf5dnFcKnHX7IUScb96ISW1Bp5LAGJYmWfWOTum2
Tce3Q1uMi8XkfM6KN3FdneKeU59A9esT5yt732CtkLo5AhqOH1hgn9A7eqOqNi06
9lB6LJg7AvNZ40YOo2obO2pdZ34yI5KXzr7+rdOJGQ==
-----END CERTIFICATE-----
Copy the text from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY----- into a new Notepad window and save it as Server.key.
This is the private key.
Step 7. Configure Apache: edit httpd.conf
Uncomment #LoadModule ssl_module modules/mod_ssl.so
Uncomment #Include conf/extra/httpd-ssl.conf
Step 8. Configure Apache: edit httpd-ssl.conf
Apache only accepts comments on their own lines beginning with #, so keep the notes above each directive rather than after it:
# path to the server certificate
SSLCertificateFile "D:/certificate/server.crt"
# the private key extracted in Step 6
SSLCertificateKeyFile "D:/certificate/server.key"
# the intermediate certificate(s)
SSLCertificateChainFile "D:/certificate/CA_chain.cer"
(Since Apache 2.4.8, SSLCertificateChainFile is deprecated; the intermediate certificates can instead be appended after the server certificate in the file named by SSLCertificateFile.)
If the CA provides two intermediate certificates, merge them into one file. Using TWCA as the example:
open uca_1.cer and uca_2.cer in Notepad and paste them in order, uca_1.cer first, then uca_2.cer, like this:
-----BEGIN CERTIFICATE-----
MIIFHzCCBAegAwIBAgIQdMGHU/futOojjYQWtax2RjANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTEyMDcxMTAwMDAwMFoXDTIwMDUzMDEwNDgzOFow
dDELMAkGA1UEBhMCVFcxFzAVBgNVBAoTDlRBSVdBTi1DQSBJTkMuMR4wHAYDVQQL
ExVTU0wgU2VjdXJpdHkgU2VydmljZXMxLDAqBgNVBAMTI1RXQ0EgU2VjdXJlIENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAvHXOioRPVNbPLf3u0gnQamkfsCrfY1Cq/y50ftrTwtM55HOkEdiMfHz5
Tcug6X8/om0UCRjw/ypVNnWu43OaAgjSIhrUM13bF2RB/Hwd7fiHEhjELBABgri8
HTyzR7kvvw8teHhwS7k922hwK1hW/RKi/wK1Y51CrSkU3ntRuSRBTp6oYntC54kU
mLSlhaAvNqRNTXRPckFhAjpAL286Zr6UHGs3tM88S6UfUMMeUB0rQEADEnjw+6sS
VJFqc2AhUItYKk13ocHP+YcOPjZiwAVFXuGe0b8/ow/eVf4sOoWoULpT39rncAOE
/OP8nefZNcepEGd7kxbCpm/lvckrswIDAQABo4IBsDCCAawwHwYDVR0jBBgwFoAU
rb2YejS0Jvf6xCZU7wO94CTLVBowHQYDVR0OBBYEFCP1OFDy3vR7Pu/9q6tRMQMN
uPkdMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGA1UdJQQt
MCsGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMBQG
A1UdIAQNMAswCQYHYIEeAwEIBTBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3Js
LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5jcmwwgbMGCCsG
AQUFBwEBBIGmMIGjMD8GCCsGAQUFBzAChjNodHRwOi8vY3J0LnVzZXJ0cnVzdC5j
b20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5wN2MwOQYIKwYBBQUHMAKGLWh0dHA6
Ly9jcnQudXNlcnRydXN0LmNvbS9BZGRUcnVzdFVUTlNHQ0NBLmNydDAlBggrBgEF
BQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQUFAAOC
AQEAoZQgPoyG1QrMh8fh0k0xsmHvnB5YX6a5hZlE9TRaRlw/YluhUTOI1MULwxwL
D9+TY+aAYPuvXinQVPz4ICMLT02XAxDm5XhCU26B8jzdWRcPhgRaxNt246+ISrTi
sIKs3AU0eZpE/GAsFO8TSnKof9m6ht/UhQeOXIzwOAjIXNKgH4rIBdzg4s7kNLf0
RStfSXixE9oD27b//NpiwbF4ozEgDYNBuYq6E/o4TTejtdVVPzUGsMsXzN8ANV78
wX2JUF8YQewUenOg4fwuxQJ9vsYg6i7a/B3Cp+xrC2+qGeOn/P1383RdvCPYvrG6
2km3U2zAxgp5LZKK+tKccPkDXQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEezCCA2OgAwIBAgIQftGpq77jb0bNa04pNJBW8zANBgkqhkiG9w0BAQUFADCB
kzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xGzAZBgNVBAMTElVUTiAtIERBVEFDb3Jw
IFNHQzAeFw05OTA2MjQxODU3MjFaFw0xOTA2MjQxOTA2MzBaMG8xCzAJBgNVBAYT
AlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0
ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENB
IFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC39xoz5vIABC05
4E5b7R+8bA/Ntfojts7emxEzl6QpTH2Tn71KvJPtAxrjj8/lbVBa1pcplFqAsEl6
2y6V/bjKvzc4LR4+kUGtcFbH8E8/6DKedMrIkFTpxl8PeJ2aQDwOrGGqXhSPnoeh
alDc15pOrwWzpnGUnHGzUGAKxxOdOAeGAqjpqGkmGJCrTLBPI6s6T4TY386f4Wlv
u9dC12tE5Met7m1BX3JacQg3s3llpFmglDf3AC8NwpJy2tA4ctsUqEXEXSp9t7TW
xO6szRNEt8kr3UMAJfphuWlqWCMRt6czj1Z1WfXNKddGtworZbbTQm8Vsrh7++/p
XVPVNFonAgMBAAGjge0wgeowHwYDVR0jBBgwFoAUUzLRs89/+uDxoF2FTpLSnkUd
tE8wHQYDVR0OBBYEFK29mHo0tCb3+sQmVO8DveAky1QaMA4GA1UdDwEB/wQEAwIB
BjAPBgNVHRMBAf8EBTADAQH/MBEGA1UdIAQKMAgwBgYEVR0gADA9BgNVHR8ENjA0
MDKgMKAuhixodHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVROLURBVEFDb3JwU0dD
LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVz
ZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADwlhyhsmL2dQhxeHmQPVn+W
PPO582kaafSkCNQgTbHyYyfhnwFDN7CxeudxyHoh7qg1wZ3mvGizRoCaPQRyPC9I
/eHMQncOsgU5pAD4NcKseMD9xxO8iyBNWjWvlMoysMZ50ZguO8JSRcGbtyYLywQa
9m6SROF8nMESeKYZAeLvYPt6V/MyKAa1uh2RGyhdZGpfU5wO1erMRb19RguvU0nG
zIAYW1utsWITYE45WVHEpobL8Q1t3t0xC1+jB6D7PkaqSXMEfYoLsC9GYo7hvVBl
KLHIdkr0IgMMVdT8DIdWfgtl74frfPclt80nTNs8CSlpF46LsEfo2mC3p2lm+ws=
-----END CERTIFICATE-----
Save this as CA_chain.cer. In other words, with two or more intermediate certificates, the chain links up as long as you keep the order shown above: the certificate that issued the server certificate first (uca_1.cer), then the certificate that issued that one (uca_2.cer), and so on upward.
Step 9. Restart Apache
After the restart, HTTPS connections should work. If they do not, check the error messages in the startup log and google them, or ask in the comments below this post.
Finally, a college friend of mine wrote a very detailed guide to creating a self-signed certificate; it is well worth reading for anyone who does not want to pay for a certificate.
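As an added example, not part of the original post, the whole procedure replayed with openssl alone in a POSIX shell so that it runs offline: a constructed demo root CA and intermediate CA stand in for the commercial CA, a PKCS#12 export stands in for the keytool keystore of Step 6, and the chain file of Step 8 is assembled and then checked. The "Demo Root CA" and "Demo Intermediate CA" names, the working directory, and the functions build_demo_pki, extract_key, key_matches_cert, chain_in_order and verify_server_cert are assumptions of this example; the only values taken from the post are the alias key01, the password 12345678, the CSR subject and the file names cert.csr, intermediate.p12, extracted.pem, Server.key and CA_chain.cer.

```shell
#!/bin/sh
# Added example, not part of the original post: the procedure replayed with
# openssl only. A constructed demo root CA and intermediate CA stand in for
# the commercial CA, a PKCS#12 export stands in for the keytool keystore of
# Step 6, and the chain file of Step 8 is assembled and checked for order.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # hypothetical working directory
PASS='12345678'                 # the throwaway password the post uses

# Constructed PKI: root -> intermediate -> server, all valid for 30 days.
build_demo_pki() {
    d="$1"
    ext="$d/ca.ext"   # extensions that make a certificate usable as a CA
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"

    # Demo root: self-signed with the CA extensions above.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/root.key" 2>/dev/null
    openssl req -new -key "$d/root.key" -subj '/CN=Demo Root CA' -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$ext" -out "$d/root.crt" 2>/dev/null

    # Demo intermediate (uca): CSR signed by the root, also with CA extensions.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/uca.key" 2>/dev/null
    openssl req -new -key "$d/uca.key" -subj '/CN=Demo Intermediate CA' -out "$d/uca.csr" 2>/dev/null
    openssl x509 -req -in "$d/uca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$ext" -out "$d/uca.crt" 2>/dev/null

    # Steps 1 and 3 with openssl instead of keytool: server key and CSR.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server.key" 2>/dev/null
    openssl req -new -key "$d/server.key" \
        -subj '/C=TW/ST=Taiwan/L=Tainan/O=LearnHouse/OU=SW/CN=learn-house.idv.tw' \
        -out "$d/cert.csr" 2>/dev/null
    # Step 5 stand-in: the demo intermediate issues the server certificate.
    openssl x509 -req -in "$d/cert.csr" -CA "$d/uca.crt" -CAkey "$d/uca.key" -CAcreateserial \
        -days 30 -out "$d/server.crt" 2>/dev/null

    # Step 6 stand-in: pack key and cert into PKCS#12 (what keytool
    # -importkeystore produced), then dump it with -nodes as the post does.
    openssl pkcs12 -export -name key01 -inkey "$d/server.key" -in "$d/server.crt" \
        -passout "pass:$PASS" -out "$d/intermediate.p12"
    openssl pkcs12 -in "$d/intermediate.p12" -passin "pass:$PASS" -nodes \
        -out "$d/extracted.pem" 2>/dev/null

    # Step 8: chain file with the server cert's issuer first, its issuer next.
    cat "$d/uca.crt" "$d/root.crt" > "$d/CA_chain.cer"
    # The same two certificates pasted in the wrong order, to exercise the check.
    cat "$d/root.crt" "$d/uca.crt" > "$d/CA_chain_reversed.cer"
}

# Replaces the Notepad copy/paste of Step 6: writes only the private key.
# Works whether the dump says "BEGIN RSA PRIVATE KEY" (older OpenSSL, as in
# the post) or "BEGIN PRIVATE KEY" (PKCS#8, what newer OpenSSL writes).
extract_key() {
    openssl pkey -in "$1" -out "$2" 2>/dev/null
}

# SSLCertificateKeyFile must belong to SSLCertificateFile: derive the public
# key from each side and compare. Exit 0 on match, 1 otherwise.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Order check for a chain file: each certificate's issuer must be the subject
# of the certificate that follows it. Exit 0 if the file is in order.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '/^subject=/ { s[++n] = substr($0, 9) }
         /^issuer=/  { i[n]  = substr($0, 8) }
         END {
             if (n == 0) exit 1
             for (k = 1; k < n; k++) if (i[k] != s[k + 1]) exit 1
             exit 0
         }'
}

# Path validation as a client would do it: server cert, intermediates from
# the chain file as untrusted, trust anchored at the demo root only.
verify_server_cert() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/CA_chain.cer" \
        "$1/server.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
    build_demo_pki "$WORK"
    extract_key "$WORK/extracted.pem" "$WORK/Server.key"
    key_matches_cert "$WORK/Server.key" "$WORK/server.crt" && echo 'key matches certificate'
    chain_in_order "$WORK/CA_chain.cer" && echo 'CA_chain.cer is in order'
    chain_in_order "$WORK/CA_chain_reversed.cer" || echo 'reversed chain rejected'
    verify_server_cert "$WORK" && echo 'server.crt verifies up to the demo root'
fi
```

Run it as sh demo.sh run. Two checks go beyond what the post describes: key_matches_cert confirms that the file given to SSLCertificateKeyFile really belongs to the one given to SSLCertificateFile, which is the usual reason Apache refuses to start after Step 9, and chain_in_order rejects a CA_chain.cer whose certificates were pasted in the wrong order, the mistake Step 8 warns about. Newer OpenSSL writes the key in extracted.pem with a BEGIN PRIVATE KEY header (PKCS#8) instead of the BEGIN RSA PRIVATE KEY shown above; Apache reads either form, and openssl pkey handles both.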