http://code.google.com/intl/ru/apis/gdata/docs/auth/authsub.html
The private key is used to generate a signature, which must be included with each request. The public key embedded in the certificate is used by Google to verify the signature. The public key must be a 1024-bit RSA key encoded in an X.509 certificate in PEM format. The certificate should be sent to Google at time of registration.
The following sections provide examples of how to generate keys and certificates using two particular tools: the OpenSSL utility and Java's keytool utility.
These examples are not specific to the Google Data APIs; you can use the same utilities to generate keys for any purpose.
The examples assume that your company is named My_Company, and is located in Mountain View, California, US, with domain name example.com.
Generating keys using OpenSSL
To create a pair of RSA keys and the corresponding certificate, you could use the following command:
# Generate the RSA keys and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj \
'/C=US/ST=CA/L=Mountain View/CN=www.example.com' -keyout \
myrsakey.pem -out /tmp/myrsacert.pem
Warning: Including the -nodes parameter creates a private key without a password to protect it. Consider omitting this parameter for added security.
The -sha1 parameter specifies that the key will be used to generate SHA1 signatures.
The -subj parameter specifies the identity of the application that the certificate represents.
The -keyout parameter specifies the file that will contain the keys. This file contains sensitive information and should be protected and not shared with anyone.
The -out parameter specifies the file that will contain the certificate in PEM format (which can be sent to Google while registering).
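Before sending the certificate to Google, it is worth confirming that it really belongs to the private key, that it carries a key of the required size, and that the key file is not accessible to other users. The script below is an added example, not part of the original documentation; its function names are hypothetical and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Assumes the openssl command-line tool is installed.

# Succeeds only if the certificate carries the public key derived from the
# private key. Returns 1 on mismatch, 2 if a file cannot be parsed (for
# example when the certificate is passed where the key belongs).
key_matches_cert() {    # $1 = private key (PEM), $2 = certificate (PEM)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Prints the size in bits of the public key inside the certificate.
cert_key_bits() {       # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeeds only if group and others have no permissions on the key file.
key_is_private() {      # $1 = private key file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all three checks and reports the first failure.
check_pair() {          # $1 = private key, $2 = certificate, $3 = expected bits
    key_is_private "$1" ||
        { echo "FAIL: $1 is accessible to other users" >&2; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not belong to $1" >&2; return 1; }
    bits=$(cert_key_bits "$2")
    [ "$bits" = "$3" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, expected $3" >&2; return 1; }
    echo "OK: $2 matches $1 ($bits-bit key)"
}

# Usage: sh check_pair.sh myrsakey.pem /tmp/myrsacert.pem 1024
if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"
fi
```

The same comparison catches a key file and a certificate file being swapped on the command line, since neither parses as the other.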
Generating keys for the .NET client
The .NET framework doesn't understand keys or certificates stored in the PEM format. Therefore, an additional step is needed once you have created the .pem file:
openssl pkcs12 -export -in /tmp/myrsacert.pem -inkey myrsakey.pem -out myrsacert.pfx -name "Testing Certificate"
This step generates a PFX file from your private key and certificate. This file can be imported into the .NET client library to digitally sign requests made to the Google Data APIs.
Generating keys for the Java client
The Java client accepts private keys in the PKCS#8 format. After generating a key/cert using the directions above, create a .pk8 file from your generated .pem file:
openssl pkcs8 -in myrsakey.pem -topk8 -nocrypt -out myrsakey.pk8
Alternatively, you can use the Java key store and the keytool utility to create a pair of RSA keys and the corresponding certificate. Use the following command:
# Generate the RSA keys and certificate
keytool -genkey -v -alias Example -keystore ./Example.jks \
-keyalg RSA -sigalg SHA1withRSA \
-dname "CN=www.example.com, OU=Engineering, O=My_Company, L=Mountain View, ST=CA, C=US" \
-storepass changeme -keypass changeme
Warning: "changeme" is not a good password; this is just an example.
The -dname parameter specifies the identity of the application that the certificate represents. The -storepass parameter specifies the password to protect the keystore. The -keypass parameter specifies the password to protect the private key.
To write the certificate to a file that can be used in the ManageDomains tool, use the following command:
# Output the public certificate to a file
keytool -export -rfc -keystore ./Example.jks -storepass changeme \
-alias Example -file mycert.pem