如何信任Android上的自签名证书? [英] How to trust self signed certificate on Android?
问题描述
我已经为服务器生成了自签名证书. 然后通过设置->安全->安装将其添加到Android.
I have generated self signed certificate for my server. Then added it to Android with Settings -> Security -> Install.
当我尝试从应用程序连接到服务器时,出现错误:
When I'm trying to connect to my server from the application I'm getting error:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
据我了解,在将证书添加到受信任证书列表后,它应该可以正常工作.我想念什么吗? 想法是通过Android系统添加证书,而无需修改应用程序代码.
As I understand after I've added certificate to list of trusted ones it should work fine. Am I missing something? The idea is to add certificate through Android system without modifying application code.
顺便说一句,我正在使用OkHttpClient进行网络连接.也许我应该为https连接启用某些功能?
Btw I'm using OkHttpClient for network connection. Maybe I should enable something for https connection?
推荐答案
对于Android来说很重要的一点是,当您生成自签名证书时,请将其标记为认证机构",以使其能够对证书进行认证-甚至如果只是要自己签名并证明自己就是自己.
It is important to Android that when you generate your self-signed certificate, you mark it as a Certifying Agency in order to empower it to certify certificates -- even if only to sign itself and so certify that it is itself.
这是在basicConstraints扩展名中完成的,声明为CA:TRUE而不是默认的CA:FALSE.导入如此标记的证书时,Android会将其视为用户安装的根证书,并且您应该能够在凭据存储> 受信任的凭据>
This is done in the basicConstraints extension, declaring CA:TRUE instead of the default CA:FALSE. When you import a certificate so marked, Android will consider it a user-installed root certificate, and you should be able to see it under Credential storage > Trusted credentials > USER.
但是,具有此位的证书具有强大的功能,过去,这类工具已被恶意工具用来监视可能被加密的用户通信.因此,这些天来,当此类CA证书生效时,Google Play Protect希望与用户保持联系.
However, a certificate having this bit is a mighty power, and such certificates have been used by nefarious tools to spy on supposedly encrypted user communication in the past. Accordingly, these days, Google Play Protect will want to have a word with the user when this kind of CA certificate is in force.
这篇关于如何信任Android上的自签名证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
