
I am developing an Android application which can connect with multiple Node servers. This connection needs to be secure, so I need certificates. But I can't pay for certificates. From my research, I will create certificates for each server and sign them with my own root certificate (I also need that). Then I will pin the root certificate into my Android application. So I can connect to multiple servers from one Android app. But I don't know how to create these certificates and how to pin them into the Android application.

ekilic
  • Are you asking about SSL certificates? – pedrofb May 30 '16 at 16:09
  • Yes. I need to create certificates. I am using Windows. I found a tool which can create and manage certificates but it didn't work. I tried with Chrome and I got an error. I also read that I need a BKS keystore for Android. I didn't understand how to create it. – ekilic Jun 09 '16 at 11:30
  • If you do not want to deal with certificate generation and truststores, I suggest you use a trusted authority. Try https://letsencrypt.org/. It is free. If you prefer to use your own certificates, search in SO how to do it, and how to configure your specific server. This question is big – pedrofb Jun 09 '16 at 11:45
  • My endpoints won't have domain names. Think like a router. I am developing a device like a router and users can use it via static IP or dynamic DNS or locally. As far as I know I can't do it with a CA. – ekilic Jun 11 '16 at 06:50
  • A CA can generate a certificate bound to an IP, but it is not usual. I agree in this case it is more appropriate to use self-generated certificates. You need 1) Create the SSL certificate 2) Configure your server 3) add the public key and the chain of the certificate to the truststore of the Android application. I can point you to some useful links – pedrofb Jun 11 '16 at 17:43
  • That would be really nice if you share links with me – ekilic Jun 19 '16 at 21:59

1 Answer


A CA can generate a certificate bound to an IP, but it is not usual. I agree in this case it is more appropriate to use self-generated certificates. You need

1) Create the CA certificate and SSL certificate

Extracted from here. You will need openssl.

Create the CA certificate

# Generate the CA private key. Use ONE of the two forms (the second overwrites
# the first): either an unencrypted key ...
openssl genrsa -out rootCA.key 2048
# ... or a passphrase-protected key (you will be prompted for the passphrase):
# openssl genrsa -des3 -out rootCA.key 2048
# Self-sign the CA certificate with that key.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

This will start an interactive script which will ask you for various bits of information. You will get rootCA.pem.

Create one certificate for each device

openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256

You'll be asked various questions (Country, State/Province, etc.); in the second step, enter in 'Common Name' the IP or name of your device. It is important to match the real name because the browser or Android device will validate it.

2) Configure your Node.js server to use HTTPS. I do not have enough knowledge of Node.js to provide you a good explanation or a link, so use the official documentation. Maybe some reader could edit this and provide a link.

3) Add the public key and the chain of the certificate to the truststore of the Android application.

Extracted from here.

You will need

1) Get the public part of your CA certificate

2) Create a BKS keystore and import the certificate (only the root will be needed)

3) Use the keystore in your app. Create a custom Apache HTTP client which uses your keystore to configure the SSL connection.

The details are in the link, that is in the community wiki.

For Android Volley: Using Android Volley With Self-Signed SSL Certificate

pedrofb
  • I have some questions about the second step. When creating the certificate, if I enter the public IP of my device, can I access it from my local network with a private IP like 192.168.1.1? I want to access this device with public and private addresses together. Is it possible? And I didn't understand the term "device name". Are you talking about hostname? – ekilic Jun 22 '16 at 17:28
  • I wanted to say hostname. If you set the common name (hostname) of the certificate to an IP, then it will only be valid for that IP. If you want to use private and public access you need two certificates and two endpoints, or use a DNS name instead of an IP address – pedrofb Jun 22 '16 at 18:32
  • Yes, I am thinking of using dynamic DNS, so I don't need to pay a fee for a static address for my endpoints. But if I use it, I can't use my endpoints locally without an internet connection. If SSL gives an option for multiple common names or not checking the common name, that would solve my problem. – ekilic Jun 22 '16 at 19:03
  • A certificate can have a unique hostname (IP or name). There are also wildcard certificates that can serve multiple domains: *.mydomain.com. In your case, I think you could also customize the Android `HostnameVerifier` to support your specific hostnames – pedrofb Jun 23 '16 at 10:33