tomcat配置双向证书

根证书
1.建立CA工作目录 :mkdir ca
cd ca

2.生成CA私钥 :openssl genrsa -out ca-key.pem 1024

D:\>openssl req -new -out demoCA\ca-req.csr -key demoCA\ca-key.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:gd

Locality Name (eg, city) []:gz

Organization Name (eg, company) [Internet Widgits Pty Ltd]:sinobest

Organizational Unit Name (eg, section) []:sinobest

Common Name (e.g. server FQDN or YOUR name) []:songbo

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:

3.生成待签名证书 :openssl req -new -out ca-req.csr -key ca-key.pem
//ca-cert.pem即为CA根证书，可将其下发到客户端，导入作为根证书。私钥changeit

4.用CA私钥自签名 :openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 365

Signature ok

subject=C = cn, ST = gd, L = gz, O = sinobest, OU = sinobest, CN = songbo

Getting Private key

5.导出pk12
openssl pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca-cert.p12

查看证书 :openssl x509 -in ca-cert.pem -noout -text -modulus

unknown option -cert.pem
usage: x509 args
 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM)
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -passin arg     - private key password source
 -serial         - print serial number value
 -subject_hash   - print subject hash value
 -subject_hash_old   - print old-style (MD5) subject hash value
 -issuer_hash    - print issuer hash value
 -issuer_hash_old    - print old-style (MD5) issuer hash value
 -hash           - synonym for -subject_hash
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 -noout          - no certificate output
 -ocspid         - print OCSP hash values for the subject name and public key
 -ocsp_uri       - print OCSP Responder URL(s)
 -trustout       - output a "trusted" certificate
 -clrtrust       - clear all trusted purposes
 -clrreject      - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -checkend arg   - check whether the cert expires in the next arg seconds
                   exit 1 if so, 0 if not
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial     - serial number to use
 -text           - print the certificate in text form
 -C              - print out C code forms
 -<dgst>         - digest to use, see openssl dgst -h output for list
 -extfile        - configuration file with X509V3 extensions to add
 -extensions     - section from config file with X509V3 extensions to add
 -clrext         - delete extensions before signing and input certificate
 -nameopt arg    - various certificate name options
 -engine e       - use engine e, possibly a hardware device.
 -certopt arg    - various certificate text options
 -checkhost host - check certificate matches "host"
 -checkemail email - check certificate matches "email"
 -checkip ipaddr - check certificate matches "ipaddr"

如果按请求生成CA证书，由证书申请者生成请求文件certreq.txt。CA端执行签名，生成证书文件1.cer
openssl x509 -req -in c:\certreq.txt -out c:\1.cer -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -days 365 -CAcreateserial

生成server证书
1.创建私钥
openssl genrsa -out server-key.pem 1024


2.创建证书请求
openssl req -new -out server-req.csr -key server-key.pem


3.自签署证书
openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 365


4.将证书导出成浏览器支持的.p12格式,密码changeit
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12


keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem  
keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias server -import -trustcacerts -file ~/server/server-cert.pem






生成client证书
1.创建私钥 ：
openssl genrsa -out client-key.pem 1024


2.创建证书请求 ：
openssl req -new -out client-req.csr -key client-key.pem


3.自签署证书 ：
openssl x509 -req -in client-req.csr -out client-cert.pem -signkey client-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 36


 openssl x509 -in client-cert.pem -noout -text -modulus


4.将证书导出成浏览器支持的.p12格式 ：
openssl pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
密码：changeit




根据ca证书生成jks文件
keytool -keystore truststore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem




导入证书
在客户端浏览器导入ca-cert.p12作为受信任的根证书，client.p12作为个人证书




Tomcat配置
server.xml
jsse模式
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="../conf/ssl/server.p12" keystorePass="changeit" keystoreType="PKCS12"
               truststoreFile="../conf/ssl/truststore.jks" truststorePass="123456" truststoreType="JKS"/>        
   
 
apr模式
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true"
               SSLEnabled="true"
               SSLProtocol="all"
               SSLCipherSuite="ALL"
               SSLCertificateFile="../conf/ssl/server-cert.pem"
               SSLCertificateKeyFile="../conf/ssl/server-key.pem"
               SSLCACertificateFile="../conf/ssl/ca-cert.pem"
               SSLCACertificatePath="../conf/ssl"
               SSLVerifyDepth="15"
               SSLVerifyClient="require" />


注意事项
IE8支持SSLv3,TLS, 不支持SSLv2


参考
apache tomcat doc
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html 
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL Support 
 双向ssl-apr
http://618119.com/archives/2007/10/23/13.html          
 双向ssl-jsse
http://www.51testing.com/?uid-257506-action-viewspace-itemid-155641 
http://wenku.baidu.com/view/7f3c491f650e52ea5518987b.html  
 openssl
http://blog.csdn.net/gloomuu/archive/2009/08/17/4456501.aspx   
http://dddspace.com/2009/03/using-openssl-to-generate-certificates.html
http://hi.baidu.com/kobetec/blog/item/706fc0440ff3b44a510ffe0b.html