安装不再适用于 Android Q 的自签名证书

Question

我已经生成了一个自签名证书，我尝试将其安装在运行 Android 10 的手机上，但是出现了一个零食告诉我Private key required to install certificate.

我已经在运行 Android 9 的手机上尝试过使用相同的证书，它按预期工作。

知道是否有任何解决方法可以安装 CA？

Answer 1

伟大的！我的问题是用这个代码解决的：

openssl pkcs12 -export -in test.crt -inkey test.key -out test-combined.p12

在此之后，我设法将 test-combined.p12 证书正常导入到我的Android 10。

谢谢！

Answer 2

以下是我如何从这个答案创建一个适用于 Android、iOS 和 Chrome 的自签名证书：

openssl 命令：

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "/C=US/ST=Oklahoma/L=Stillwater/O=My Company/OU=Engineering/CN=test.com" -keyout ca.key -out ca.crt
openssl genrsa -out "test.key" 2048
openssl req -new -key test.key -out test.csr -config openssl.cnf
openssl x509 -req -days 3650 -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile openssl.cnf -out test.crt
openssl x509 -inform PEM -outform DER -in test.crt -out test.der.crt

openssl.cnf 的内容：

[req]
default_bits = 2048
encrypt_key  = no # Change to encrypt the private key using des3 or similar
default_md   = sha256
prompt       = no
utf8         = yes

# Specify the DN here so we aren't prompted (along with prompt = no above).

distinguished_name = req_distinguished_name

# Extensions for SAN IP and SAN DNS

req_extensions = v3_req

# Be sure to update the subject to match your organization.

[req_distinguished_name]
C  = US
ST = Oklahoma
L  = Stillwater
O  = My Company
OU = Engineering
CN = test.com

# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.

[v3_req]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = clientAuth, serverAuth
subjectAltName       = @alt_names

# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.

[alt_names]
DNS.1 = test.com

创建证书后：

1. 将 test.crt（至少在我的情况下不是 ca.crt）安装到您的服务器并重新启动它。
2. 将 test.crt 通过电子邮件发送到您的 Gmail 帐户，然后在您的 Android 设备或模拟器中登录 Gmail 并点击以安装它。（它将出现在“设置”/“加密和凭据”/“受信任的凭据”下的“用户”选项卡中。）