2

I'm using the following method to implement SSL certification in both a Java and an Android app, but in many posts I saw it's not secure and only suitable for testing purposes. So can someone give me an example of implementing SSL certification for a production environment?

    TrustStrategy easyStrategy = new TrustStrategy() {
        @Override
        public boolean isTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // eh, why not?
            return true;
        }
    };

    SchemeRegistry schemeRegistry = new SchemeRegistry();
    SSLContext sslcontext = SSLContext.getInstance("TLS");
    sslcontext.init(null, null, null);
    SSLSocketFactory ssf = new SSLSocketFactory(easyStrategy);
    ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

UPDATE: I found out the server I'm trying to access is issuing a self-signed certificate when I connect to it through a web browser. Here is the openssl output I got:

verify error:num=18:self signed certificate

It also gives a lengthy code that it says is the server certificate. Can I use it to create my own certificate and use it inside my applications?

SajithRu
  • http://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android I hope to help you. – d.danailov Sep 03 '13 at 04:47
  • I want a solution not only for Android but for both desktop applications and Android. This seems like it; I'll look through it and let you know. Thank you :) – SajithRu Sep 03 '13 at 04:56
  • This is not 'implementing SSL certification'. This is just accepting any old certificate whatsoever. It is radically insecure. Please define your *actual* problem. Whatever it is, this is not an acceptable solution beyond testing purposes, and in my opinion not even then. – user207421 Sep 03 '13 at 05:22
  • @EJP yes, I found it's an insecure way. I want to make HTTP REST requests to a web server. It's issuing its own certification as I understand. So I don't know a way to use it in my application, so I used the above method for testing. Now I need to know a secure method to do SSL certification inside my application. – SajithRu Sep 03 '13 at 06:38
  • Import the certificate into your truststore. – user207421 Sep 03 '13 at 10:03
  • Can I do it using openssl? I'm really a beginner with the openssl tool. I only found out about using openssl from this answer [here](http://stackoverflow.com/a/6378872/2228502). – SajithRu Sep 03 '13 at 10:16
  • You can do it with the Java keytool. – user207421 Sep 03 '13 at 22:48

1 Answer

1

If I understand your question correctly, you want an SSL certification for a production environment.

For this purpose, you cannot use the self-signed certification, which is the one you generate yourself. What you need is to buy a certification that is provided by some secure organizations.

If you just want to try it out, you can apply for a free trial SSL certification at Comodo. This works the same as the one you can buy, but it is only valid for 3 months.

I don't know which server you are running, but after you get the certification, you just need to upload it to your server. I think this part you can easily find online.

noname