7

I'm generating an SSL KeyPair in an Android app using the KeyStore API. I want to create a Certificate Signing Request (CSR) from the Public/Private key pair so that it can be sent to an external CA for signing.

Is this possible? I'd like to use the builtin Android libraries rather than BouncyCastle if possible, in order to have Android store the keys securely.

Josh Correia
  • 3,807
  • 3
  • 33
  • 50
Phil
  • 2,239
  • 3
  • 25
  • 26
  • have you found a solution using BouncyCastle (without SpongyCastle)? – BekaBot Jan 23 '17 at 05:04
  • Yes, it is possible to use BouncyCastle and java.security.KeyStore together. I had to create the key pair using the Android libraries, then manually build the certificate structure in BouncyCastle. The resulting CSR could be exported and externally signed then the certificate imported back to the Android KeyStore using keyStore.setCertificateEntry() – Phil Jan 23 '17 at 14:22
  • I am able to construct CSR using SpongyCastle, but I need it to be done without SC library. Can you please share how to build CSR using BouncyCastle? Or how can I contact you with email, if possible? – BekaBot Jan 24 '17 at 08:15
  • 1
    Does this answer your question? [What is the certificate enrollment process?](https://stackoverflow.com/questions/37850134/what-is-the-certificate-enrollment-process) – Ryan M Jul 02 '20 at 00:50
  • 1
    Does this answer your question? [What is the best way to generate Certificate Signing Request using AndroidKeyStoreProvider?](https://stackoverflow.com/questions/25907326/what-is-the-best-way-to-generate-certificate-signing-request-using-androidkeysto) – Josh Correia Jul 27 '20 at 19:25

3 Answers

2

Certificate enrollment process

Check this link. It generates a key pair and a CSR. Regarding generating a CSR (certificate signing request) on the Android phone, I think it is rather straightforward to use Spongycastle instead. It is an Android port of Bouncycastle.

Community
  • 1
  • 1
Dante
  • 221
  • 1
  • 3
  • 14
  • Well, I'm also looking for the creation CSR on android. Could you give me the example or link to refer? – ThanhLam112358 Jul 18 '17 at 09:51
  • 2
    The post you linked to doesn't mention how to use the Android `KeyStore` API at all and instead generates the keys in memory, which is insecure in comparison to the `KeyStore`. – Josh Correia Jul 29 '20 at 19:26
  • Hi @JoshCorreia, Have you found any solution to generate CSR using KeyStore – Jarvis Feb 26 '22 at 20:50
0

You can use Bouncy Castle to work with the keys from the Android KeyStore. This doesn't mean that you have to set Bouncy Castle as a security provider. It is enough to include the library:

implementation 'org.bouncycastle:bcpkix-jdk18on:1.72'

Note: Spongy Castle is obsolete. Standard Bouncy Castle library has to be included in your Android application. For details on why see: https://github.com/rtyley/spongycastle/issues/34

import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Log
import org.bouncycastle.operator.ContentSigner
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
import org.bouncycastle.pkcs.PKCS10CertificationRequest
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder
import org.bouncycastle.util.io.pem.PemObject
import org.bouncycastle.util.io.pem.PemWriter
import java.io.StringWriter
import java.security.KeyPairGenerator
import javax.security.auth.x500.X500Principal

// Generate the EC key pair inside AndroidKeyStore; the private key never leaves it.
val keyPairGenerator: KeyPairGenerator = KeyPairGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_EC,
    "AndroidKeyStore"
)
// Constants.clientCertificateKeyAlias is the app's own alias string for this key.
// SHA-256 must be among the allowed digests because the CSR is signed with SHA256withECDSA.
val keySpecBuilder = KeyGenParameterSpec.Builder(
    Constants.clientCertificateKeyAlias,
    KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
).setDigests(KeyProperties.DIGEST_NONE, KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
keyPairGenerator.initialize(keySpecBuilder.build())
val pair = keyPairGenerator.generateKeyPair()

// Build the PKCS#10 request around the public key and sign it with the KeyStore-backed
// private key. No provider is set on the signer builder, so the JCA routes the ECDSA
// operation to the AndroidKeyStore provider; Bouncy Castle only assembles the ASN.1.
val p10Builder: PKCS10CertificationRequestBuilder = JcaPKCS10CertificationRequestBuilder(
    X500Principal("CN=My Client Certificate"), pair.public
)
val csBuilder = JcaContentSignerBuilder("SHA256withECDSA")
val signer: ContentSigner = csBuilder.build(pair.private)
val csr: PKCS10CertificationRequest = p10Builder.build(signer)

// PEM-encode the DER request ("-----BEGIN CERTIFICATE REQUEST-----").
val pemObject = PemObject("CERTIFICATE REQUEST", csr.encoded)
val csrAsString = StringWriter()
val pemWriter = PemWriter(csrAsString)
pemWriter.writeObject(pemObject)
pemWriter.close()
csrAsString.close()
Log.v("CSR", "CSR: $csrAsString")
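The answer above stops at producing the PEM. The two steps a practitioner usually wants next are (a) checking the CSR before it leaves the device, and (b) installing the CA-issued chain against the non-exportable private key once it comes back. The following Kotlin is an added example written for this page, not code from the answer's author or from Bouncy Castle or Android; it assumes the same bcpkix dependency, an alias string of the app's choosing, a CSR PEM string produced as above, and a PEM chain string (leaf first) returned by the CA. Names such as checkCsrBeforeEnrollment and installSignedChain are this example's own.

```kotlin
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers
import org.bouncycastle.openssl.PEMParser
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder
import org.bouncycastle.pkcs.PKCS10CertificationRequest
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest
import java.io.StringReader
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

private const val ANDROID_KEY_STORE = "AndroidKeyStore"

private fun androidKeyStore(): KeyStore =
    KeyStore.getInstance(ANDROID_KEY_STORE).apply { load(null) }

/**
 * Sanity-checks a PEM CSR before it is sent to the CA: it must parse, its self-signature
 * must verify (proof of possession), it must carry an EC key, and that key must be the
 * one AndroidKeyStore holds under [alias] (hypothetical alias supplied by the caller).
 */
fun checkCsrBeforeEnrollment(csrPem: String, alias: String): PKCS10CertificationRequest {
    val parsed = PEMParser(StringReader(csrPem)).use { it.readObject() }
    val csr = parsed as? PKCS10CertificationRequest
        ?: throw IllegalArgumentException("PEM did not contain a CERTIFICATE REQUEST")

    val keyAlg = csr.subjectPublicKeyInfo.algorithm.algorithm
    require(keyAlg == X9ObjectIdentifiers.id_ecPublicKey) { "expected an EC public key, got $keyAlg" }

    // Verify the request's own signature with the key embedded in it.
    val csrPublicKey = JcaPKCS10CertificationRequest(csr).publicKey
    require(csr.isSignatureValid(JcaContentVerifierProviderBuilder().build(csrPublicKey))) {
        "CSR self-signature does not verify"
    }

    // AndroidKeyStore stores a placeholder self-signed certificate with every generated key;
    // its public key is the one the CA-issued certificate must eventually match.
    val ksPublicKey = androidKeyStore().getCertificate(alias)?.publicKey
        ?: throw IllegalStateException("no key under alias $alias")
    require(csrPublicKey.encoded.contentEquals(ksPublicKey.encoded)) {
        "CSR public key does not match the AndroidKeyStore key under $alias"
    }
    return csr
}

/**
 * Installs the CA-issued chain (leaf first) against the existing private key and returns
 * the certificate now stored under [alias]. The private key is never exported.
 */
fun installSignedChain(alias: String, chainPem: String): X509Certificate {
    val cf = CertificateFactory.getInstance("X.509")
    val chain = cf.generateCertificates(chainPem.byteInputStream())
        .map { it as X509Certificate }
        .toTypedArray()
    require(chain.isNotEmpty()) { "no certificates in PEM" }

    val ks = androidKeyStore()
    val entry = ks.getEntry(alias, null) as? KeyStore.PrivateKeyEntry
        ?: throw IllegalStateException("no private key under alias $alias")

    val leaf = chain[0]
    leaf.checkValidity()
    // Refuse a certificate the CA issued for some other key.
    require(leaf.publicKey.encoded.contentEquals(entry.certificate.publicKey.encoded)) {
        "leaf certificate public key does not match the key under $alias"
    }
    // Each certificate must be signed by the next one up; trusting the root is the
    // caller's decision (e.g. via the app's pinned trust anchors), not done here.
    for (i in 0 until chain.size - 1) chain[i].verify(chain[i + 1].publicKey)

    // Passing the KeyStore-backed PrivateKey object back under its own alias makes
    // AndroidKeyStore replace the placeholder certificate chain rather than import a key.
    ks.setKeyEntry(alias, entry.privateKey, null, chain)
    return ks.getCertificate(alias) as X509Certificate
}
```

Both functions run on-device after the answer's generation code. The public-key comparison in each step is the check that matters operationally: it catches a CSR built from the wrong key, and a certificate the CA issued for a different request, before either is sent or installed. As with the answer's signer, no provider is set on the verifier builder, so the JCA's default providers handle the ECDSA verification while Bouncy Castle only parses the ASN.1.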
-1

Since Android apps are built with Java, you can use the Java keytool utility to generate a CSR: Request a Signed Certificate from a CA.

Steve J
  • 667
  • 6
  • 10