tomcat配置双向证书
来源:互联网 发布:单片机红外线发射 编辑:程序博客网 时间:2024/05/20 15:57
1.建立CA工作目录 :mkdir ca
cd ca
2.生成CA私钥 :openssl genrsa -out ca-key.pem 1024
D:\>openssl req -new -out demoCA\ca-req.csr -key demoCA\ca-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:gd
Locality Name (eg, city) []:gz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sinobest
Organizational Unit Name (eg, section) []:sinobest
Common Name (e.g. server FQDN or YOUR name) []:songbo
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
3.生成待签名证书 :openssl req -new -out ca-req.csr -key ca-key.pem
//ca-cert.pem即为CA根证书,可将其下发到客户端,导入作为根证书。私钥changeit
4.用CA私钥自签名 :openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 365
Signature ok
subject=C = cn, ST = gd, L = gz, O = sinobest, OU = sinobest, CN = songbo
Getting Private key
5.导出pk12
openssl pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca-cert.p12
查看证书 :openssl x509 -in ca-cert.pem -noout -text -modulus
unknown option -cert.pem
usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)
-keyform arg - private key format - default PEM
-CAform arg - CA format - default PEM
-CAkeyform arg - CA key format - default PEM
-in arg - input file - default stdin
-out arg - output file - default stdout
-passin arg - private key password source
-serial - print serial number value
-subject_hash - print subject hash value
-subject_hash_old - print old-style (MD5) subject hash value
-issuer_hash - print issuer hash value
-issuer_hash_old - print old-style (MD5) issuer hash value
-hash - synonym for -subject_hash
-subject - print subject DN
-issuer - print issuer DN
-email - print email address(es)
-startdate - notBefore field
-enddate - notAfter field
-purpose - print out certificate purposes
-dates - both Before and After dates
-modulus - print the RSA key modulus
-pubkey - output the public key
-fingerprint - print the certificate fingerprint
-alias - output certificate alias
-noout - no certificate output
-ocspid - print OCSP hash values for the subject name and public key
-ocsp_uri - print OCSP Responder URL(s)
-trustout - output a "trusted" certificate
-clrtrust - clear all trusted purposes
-clrreject - clear all rejected purposes
-addtrust arg - trust certificate for a given purpose
-addreject arg - reject certificate for a given purpose
-setalias arg - set certificate alias
-days arg - How long till expiry of a signed certificate - def 30 days
-checkend arg - check whether the cert expires in the next arg seconds
exit 1 if so, 0 if not
-signkey arg - self sign cert with arg
-x509toreq - output a certification request object
-req - input is a certificate request, sign and output.
-CA arg - set the CA certificate, must be PEM format.
-CAkey arg - set the CA key, must be PEM format
missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg - serial file
-set_serial - serial number to use
-text - print the certificate in text form
-C - print out C code forms
-<dgst> - digest to use, see openssl dgst -h output for list
-extfile - configuration file with X509V3 extensions to add
-extensions - section from config file with X509V3 extensions to add
-clrext - delete extensions before signing and input certificate
-nameopt arg - various certificate name options
-engine e - use engine e, possibly a hardware device.
-certopt arg - various certificate text options
-checkhost host - check certificate matches "host"
-checkemail email - check certificate matches "email"
-checkip ipaddr - check certificate matches "ipaddr"
如果按请求生成CA证书,由证书申请者生成请求文件certreq.txt。CA端执行签名,生成证书文件1.cer
openssl x509 -req -in c:\certreq.txt -out c:\1.cer -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -days 365 -CAcreateserial
生成server证书
1.创建私钥
openssl genrsa -out server-key.pem 1024
2.创建证书请求
openssl req -new -out server-req.csr -key server-key.pem
3.自签署证书
openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 365
4.将证书导出成浏览器支持的.p12格式,密码changeit
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12
keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem
keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias server -import -trustcacerts -file ~/server/server-cert.pem
生成client证书
1.创建私钥 :
openssl genrsa -out client-key.pem 1024
2.创建证书请求 :
openssl req -new -out client-req.csr -key client-key.pem
3.自签署证书 :
openssl x509 -req -in client-req.csr -out client-cert.pem -signkey client-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 36
openssl x509 -in client-cert.pem -noout -text -modulus
4.将证书导出成浏览器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
密码:changeit
根据ca证书生成jks文件
keytool -keystore truststore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem
导入证书
在客户端浏览器导入ca-cert.p12作为受信任的根证书,client.p12作为个人证书
Tomcat配置
server.xml
jsse模式
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="../conf/ssl/server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="../conf/ssl/truststore.jks" truststorePass="123456" truststoreType="JKS"/>
apr模式
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true"
SSLEnabled="true"
SSLProtocol="all"
SSLCipherSuite="ALL"
SSLCertificateFile="../conf/ssl/server-cert.pem"
SSLCertificateKeyFile="../conf/ssl/server-key.pem"
SSLCACertificateFile="../conf/ssl/ca-cert.pem"
SSLCACertificatePath="../conf/ssl"
SSLVerifyDepth="15"
SSLVerifyClient="require" />
注意事项
IE8支持SSLv3,TLS, 不支持SSLv2
参考
apache tomcat doc
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL Support
双向ssl-apr
http://618119.com/archives/2007/10/23/13.html
双向ssl-jsse
http://www.51testing.com/?uid-257506-action-viewspace-itemid-155641
http://wenku.baidu.com/view/7f3c491f650e52ea5518987b.html
openssl
http://blog.csdn.net/gloomuu/archive/2009/08/17/4456501.aspx
http://dddspace.com/2009/03/using-openssl-to-generate-certificates.html
http://hi.baidu.com/kobetec/blog/item/706fc0440ff3b44a510ffe0b.html
- Tomcat 双向证书配置
- tomcat配置双向证书
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置https双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- tomcat 配置SSL双向验证证书
- keytool+tomcat配置HTTPS双向证书认证(无openssl)
- keytool+tomcat配置HTTPS双向证书认证(无openssl)
- TOMCAT使用CA签发证书配置单向和双向SSL
- 用keytool 生成证书配置tomcat ssl双向认证
- TOMCAT使用CA签发证书配置单向和双向SSL
- idea jetty插件启动服务后,修改代码报“请求的操作无法在使用用户映射区域打开的文件执行”
- 把一个数组拆分成元素为数组的数组(猴子吃香蕉)
- Myeclipse+TestNG白盒测试环境搭建
- 关于视频播放横竖屏切换不再重复oncreat函数
- MongoDB Plugin(十一)
- tomcat配置双向证书
- 学会接纳现实
- Qt之QProcess(二)调用外部程序
- 阿里云DataHub基本了解
- 学习head first 设计模式之装饰者模式
- C语言面试题---指针篇(三)
- 深入理解Java对象的创建过程:类的初始化与实例化
- toolbar 设置、颜色、popupwindow弹出位置
- 23种设计模式——代理模式