Original source: http://stackoverflow.com/questions/20445365/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Create PKCS#12 file with self-signed certificate via OpenSSL in Windows for my Android App
Question by Plo_Koon
I am writing an Android App that requires SSL certification for certain web requests. I need to build a PKCS12 file (.pfx) with Self-Signed Certificate.
I decided to use OpenSSL library, but I could not build it on my computer (Windows x64 platform). I want to do it without ActivePerl installation. Who knows an easy way to build it?
I was trying to build a PKCS12 file with OpenSSL on my friend's computer (with OpenSSL, Linux) but I get nothing. Can anyone help me and describe the sequence of actions to generate a PKCS12 file with Private Key and Self-Signed Public Certificate?
Answer by Plo_Koon
The Win32 OpenSSL Installation Project is dedicated to providing a simple installation of OpenSSL. It is easy to set up and easy to use through the simple, effective installer. No need to compile anything or jump through any hoops, just click a few times and it is installed, leaving you to do real work. You can get it here. In your case, you need Win64 OpenSSL v1.0.1e Installer.
These instructions show how to generate a PKCS#12 private key and public certificate file that is suitable for use with HTTPS, FTPS. These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL.
1. Generate an RSA private key:
>C:\Openssl\bin\openssl.exe genrsa -out <Key Filename> <Key Size>
Where:
<Key Filename> is the desired filename for the private key file
<Key Size> is the desired key length of either 1024, 2048, or 4096
For example, type:
>C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048
2. Generate a Certificate Signing Request:
In version 0.9.8h and later:
>C:\Openssl\bin\openssl.exe req -new -key <Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cfg
Where:
<Key Filename> is the input filename of the previously generated private key
<Request Filename> is the output filename of the certificate signing request
For example, type:
>C:\Openssl\bin\openssl.exe req -new -key my_key.key -out my_request.csr -config C:\Openssl\bin\openssl.cnf
3. Follow the on-screen prompts for the required certificate request information.
4. Generate a self-signed public certificate based on the request:
>C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in <Request Filename> -signkey <Key Filename> -out <Certificate Filename>
Where:
<Request Filename> is the input filename of the certificate signing request
<Key Filename> is the input filename of the previously generated private key
<Certificate Filename> is the output filename of the public certificate
For example, type:
>C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt
5. Generate a PKCS#12 file:
>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <Public Certificate Filename> -inkey <Private Key Filename> -out <PKCS#12 Filename> -name "<Display Name>"
Where:
<Public Certificate Filename> is the input filename of the public certificate, in PEM format
<Private Key Filename> is the input filename of the private key
<PKCS#12 Filename> is the output filename of the pkcs#12 format file
<Display Name> is the desired name that will sometimes be displayed in user interfaces.
For example, type:
>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name "my-name"
6. (Optional) Delete unneeded files.
At this point, you only need the PKCS#12 format file, so you can delete the certificate signing request (.csr) file, the private key (.key) file, and the public certificate (.crt) file.
The resulting PKCS#12 format file may now be used within Secure FTP Server - FIPS.
The resulting PKCS#12 format (.pfx) file may now be used with the Firefox browser ver 34.0.5.
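Added example, not part of the original answer: steps 1 to 5 above scripted non-interactively in POSIX sh, followed by a check that the private key and certificate stored in the .pfx belong together, which is worth running before the step 6 clean-up. It assumes `openssl` is on the PATH; the subject `/CN=example.test`, the `P12_PASS` variable and the function names `build_p12` and `check_p12` are illustrative, not taken from the answer.

```shell
#!/bin/sh
# Added example. File names follow the answer above; the subject, the
# P12_PASS variable and the function names are assumptions.
# The export password is read from the environment (env:P12_PASS) so it
# does not appear on the openssl command line.

build_p12() {  # $1 = output directory
    d=$1
    # Step 1: RSA private key
    openssl genrsa -out "$d/my_key.key" 2048 2>/dev/null &&
    # Steps 2-3: CSR, with -subj replacing the on-screen prompts
    openssl req -new -key "$d/my_key.key" -out "$d/my_request.csr" \
        -subj "/CN=example.test" &&
    # Step 4: self-signed certificate from the request
    openssl x509 -req -days 3650 -in "$d/my_request.csr" \
        -signkey "$d/my_key.key" -out "$d/my_cert.crt" 2>/dev/null &&
    # Step 5: PKCS#12 bundle, same PBE options as the answer
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export \
        -in "$d/my_cert.crt" -inkey "$d/my_key.key" \
        -out "$d/my_pkcs12.pfx" -name "my-name" -passout env:P12_PASS
}

check_p12() {  # $1 = .pfx path; returns 0 only if key and cert inside match
    # Public key derived from the private key stored in the bundle.
    # -nodes writes the key to the pipe only, never to disk.
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
                  2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    # Public key embedded in the certificate stored in the bundle.
    crt_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
                  2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Demonstration run with a constructed password in a scratch directory.
P12_PASS="${P12_PASS:-constructed-demo-pass}"; export P12_PASS
out=$(mktemp -d)
if build_p12 "$out" && check_p12 "$out/my_pkcs12.pfx"; then
    echo "OK: $out/my_pkcs12.pfx opens and its key matches its certificate"
else
    echo "FAILED: keep the .key and .crt files and rebuild the bundle" >&2
fi
```

`check_p12` also fails when `P12_PASS` holds the wrong password, so it doubles as a test that the recorded password actually opens the file.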
Answer by Oliver Konig
I used the info at https://geekflare.com/openssl-commands-certificates/ and was successful in just 2 steps:
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem
openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem
Answer by drew_w
If you look at this site "http://www.sslshopper.com/article-most-common-openssl-commands.html" it has most of the common commands you would be looking for. I had to do this recently for amazon associates program and found their site helpful as well (http://docs.aws.amazon.com/IAM/latest/UserGuide/InstallCert.html#SampleCert). By the way, you will need to install openssl to run this (see: http://slproweb.com/products/Win32OpenSSL.html).