Question
I have created my own CA certificate and now I want to install it on my Android Froyo device (HTC Desire Z), so that the device trusts my certificate.
Android stores CA certificates in its Java keystore in /system/etc/security/cacerts.bks. I copied the file to my computer, added my certificate using portecle 1.5 and pushed it back to the device.
Now, Android does not seem to reload the file automatically. I have read in several blog posts that I need to restart the device. Doing so results in the file being overwritten with the original one again.
My next try was to install the certificate from SD card by copying it and using the corresponding option from the settings menu. The device tells me that the certificate has been installed, but apparently it does not trust the certificate. Moreover, when I try to copy the keystore to my computer, I still find the original stock cacerts.bks.
So, what is the right way to install my own root CA certificate on an Android 2.2 device as a trusted certificate? Is there a way to do it programmatically?
Recommended answer
Prior to Android KitKat you have to root your device to install new certificates.
From Android KitKat (4.0) up to Nougat (7.0) it's possible and easy. I was able to install the Charles Web Debugging Proxy cert on my un-rooted device and successfully sniff SSL traffic.
Extract from http://wiki.cacert.org/FAQ/ImportRootCert:

Before Android version 4.0, with the Android versions Gingerbread & Froyo, there was a single read-only file (/system/etc/security/cacerts.bks) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...
Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.
System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System' section, whereas the user trusted certificates are managed in the 'User' section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN code, a pattern lock or a password to unlock the device is mandatory when user-supplied certificates are used.
Installing CAcert certificates as 'user trusted' certificates is very easy. Installing new certificates as 'system trusted' certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.
From Android N onwards it gets a little harder, see this extract from the Charles proxy website:
As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.
In order to configure your app to trust Charles, you need to add a Network Security Configuration File to your app. This file can override the system default, enabling your app to trust user-installed CA certificates (e.g. the Charles Root Certificate). You can specify that this only applies in debug builds of your application, so that production builds use the default trust profile.
Add a file res/xml/network_security_config.xml to your app:
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
Then add a reference to this file in your app's manifest, as follows:
<?xml version="1.0" encoding="utf-8"?>
<!-- The android: namespace declaration is required for the attribute below -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
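A fuller network_security_config.xml, added here as an example (it is not from the answer above or from the Charles documentation): release builds trust only the system CAs and, for the app's own backend, a copy of your own root CA bundled with the app, while debug builds additionally trust user-installed CAs so a local debugging proxy works. The resource name `@raw/my_root_ca` and the domain `api.example.com` are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Default for all connections: system CAs only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Your own backend (assumed domain): also trust your own root CA,
         shipped with the app as res/raw/my_root_ca.pem (assumed file name).
         A domain-config replaces the base trust anchors, so list both. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_root_ca" />
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Applied only when the app is debuggable: trust CAs installed by the
         user via Settings, e.g. a debugging proxy's root certificate. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Android versions before N ignore this file entirely; from Nougat on it takes effect only when the manifest references it via android:networkSecurityConfig as shown above.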