我读过这篇文章https://developer.android.com/training/articles/keystore.html.

密钥对生成很好.
但是,它没有告诉如何基于生成密钥生成证书签名请求.

从我的研究来看,在java中生成CSR,来自web的样本通常使用sun sun.*或BouncyCastle库.好像没有办法用标准的java.sercurity API生成CSR.我读了这篇Possible to generate CSR using java.security without sun packages or external library?.似乎是真的.

除了使用BouncyCastle,我别无选择吗？很难想象Android开发者不会考虑这种用法.

顺便说一下,文章还提到：

Generating a new PrivateKey requires that you also 
specify the initial X.509 attributes that the self-signed certificate 
will have. You can replace the certificate at a later time with a certificate 
signed by a Certificate Authority

假设我最终获得证书颁发机构签署的证书.我该怎么做才能“以后更换证书”？

解决方法:

关于在Android手机上生成CSR(证书签名请求),我认为使用Spongycastle相当简单.它是Bouncycastle的Android端口.

Suppose I finally get certificate signed by a Certificate Authority.
What exactly should I do to “replace the certificate at a later time”?

一旦您拥有了应该从CA(证书颁发机构)获得的实际签名证书,您就不再需要您的CSR;您应该只将已签名的证书存储在手机上.在哪里保存它们 – 我想你可以得到帮助here.