Configuring HTTPS mutual (two-way) certificate authentication with keytool and Tomcat 7
Source: Internet  Published under: java写服务器端  Editor: 程序博客网  Time: 2024/05/18 00:56
System requirements:
JDK 1.7, Tomcat 7
1. Generate the server keystore with keytool
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore d:\server.keystore
Note: the CN must be the host name the site is reached by. For example, if the site will later be opened as https://localhost:8443/path/,
then CN = localhost.
2. Export the X.509 certificate
keytool -export -alias tomcat -file d:\server.cer -keystore d:\server.keystore
This first exports the server certificate as an X.509 file.
3. Create the truststore the client will use (trust.keystore)
keytool -genkey -alias trust -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trust.keystore
(keytool -import creates the keystore file if it does not exist yet, so this -genkey is optional; running it leaves an extra, unused private key inside the truststore.)
4. Add the server certificate to the client-side truststore (trust.keystore)
keytool -import -v -alias tomcat -file d:\server.cer -keystore d:\trust.keystore
The settings from the previous steps stay the same.
5. Generate the client keystore with keytool
keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore d:\client.keystore
6. Export the client's X.509 certificate
keytool -export -alias client -file d:\client.cer -keystore d:\client.keystore
7. Create the truststore the server will use (trustserver.keystore)
keytool -genkey -alias trustserver -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trustserver.keystore
8. Add the client certificate to the server-side truststore (trustserver.keystore)
keytool -import -v -alias client -file d:\client.cer -keystore d:\trustserver.keystore
At this point there are two keystores and two truststores.
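Before touching Tomcat it is worth confirming what each of the four files from steps 1 to 8 actually contains. The program below is an added example and not part of the original post: it opens every store with the post's password and lists each entry, marking whether it is a private-key entry or a trusted-certificate entry, so you can see at a glance that trust.keystore carries the server certificate, that trustserver.keystore carries the client certificate, and that the two truststores also hold the unused key pairs produced by -genkey. Paths and the password "changeit" are taken from the post; everything else is plain JDK 7 API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not the original post's code): report the contents of the
 * keystores and truststores produced by the keytool steps above.
 * A truststore ideally holds only trustedCertEntry items; the stores the post
 * creates with -genkey additionally contain a PrivateKeyEntry that nothing uses.
 */
public class KeystoreAudit {

    /** Load one store and print, per alias, the entry kind and the certificate subject. */
    public static void audit(String path, char[] password) throws Exception {
        // KeyStore.getDefaultType() is "jks" on JDK 7/8, which is what keytool wrote here;
        // on JDK 9+ the default "pkcs12" implementation still reads JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        System.out.println("== " + path);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind = ks.isKeyEntry(alias)
                    ? "PrivateKeyEntry (has a private key)"
                    : "trustedCertEntry";
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(not X.509)";
            System.out.printf("  %-12s %-38s %s%n", alias, kind, subject);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // -storepass used in every keytool step
        // One key pair per side and one truststore per side, as the post lays out.
        String[] stores = {
            "d:/server.keystore", "d:/trustserver.keystore",
            "d:/client.keystore", "d:/trust.keystore"
        };
        for (String store : stores) {
            audit(store, pw);
        }
    }
}
```

Expect to see alias "tomcat" as a trustedCertEntry in trust.keystore and alias "client" as a trustedCertEntry in trustserver.keystore; the aliases "trust" and "trustserver" show up as PrivateKeyEntry and can be deleted with keytool -delete without affecting the mutual authentication.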
9. Tomcat configuration
Open /conf/server.xml under the Tomcat root directory, find the following connector block and change it as shown:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="d:/server.keystore" keystorePass="changeit"
           truststoreFile="d:/trustserver.keystore" truststorePass="changeit"/>
10. Connecting from Java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class Client {
    /**
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {
        HttpClient httpclient = new DefaultHttpClient();
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // client.keystore holds the client's own key pair; trust.keystore holds the server certificate
        FileInputStream keyStoreIn = new FileInputStream(new File("d:/client.keystore"));
        FileInputStream trustStoreIn = new FileInputStream(new File("d:/trust.keystore"));
        try {
            // Both stores were created with -storepass changeit in the keytool steps above
            keyStore.load(keyStoreIn, "changeit".toCharArray());
            trustStore.load(trustStoreIn, "changeit".toCharArray());
        } finally {
            keyStoreIn.close();
            trustStoreIn.close();
        }
        // The second argument is the key password (-keypass), also changeit
        SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, "changeit", trustStore);
        httpclient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", socketFactory, 8443));
        HttpPost httpPost = new HttpPost("https://localhost:8443/SSOClient/login.html");
        System.out.println("Request:" + httpPost.getRequestLine());
        HttpResponse response = httpclient.execute(httpPost);
        System.out.println(response.getStatusLine());
        httpclient.getConnectionManager().shutdown();
    }
}
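The Apache HttpClient class above hides what the two stores do during the handshake. The following is an added example, not code from the original post, that builds the same mutual-TLS client from JDK classes only (it runs on JDK 7 and needs no third-party library): client.keystore feeds a KeyManager, which answers Tomcat's certificate request caused by clientAuth="true", and trust.keystore feeds a TrustManager, which accepts the server only if its certificate is the one imported in step 4. The default hostname verifier is left in place, which is exactly why step 1 requires CN to equal the host name. URL, paths and password are the post's; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not the original post's code): mutual TLS against the Tomcat
 * connector on port 8443 using only javax.net.ssl, so the roles of the two
 * stores are explicit.
 */
public class JdkMutualTlsClient {

    /** Open a JKS/PKCS12 store from disk with the given store password. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Build an SSLContext that authenticates TO the server (KeyManager from the
     * client keystore) and authenticates the server (TrustManager from the truststore).
     */
    public static SSLContext buildContext(String keyStorePath, String trustStorePath,
                                          char[] password) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Second argument is the private-key password; the post uses the same value for -keypass
        kmf.init(load(keyStorePath, password), password);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, password));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        SSLContext ctx = buildContext("d:/client.keystore", "d:/trust.keystore", pw);

        URL url = new URL("https://localhost:8443/SSOClient/login.html");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No custom HostnameVerifier: the JDK checks that the server certificate's
        // SAN/CN matches "localhost", the reason step 1 insists on CN = host name.
        conn.setRequestMethod("GET");

        System.out.println("HTTP " + conn.getResponseCode());
        // Show which certificate the server presented, i.e. the one exported in step 2
        for (Certificate c : conn.getServerCertificates()) {
            if (c instanceof X509Certificate) {
                System.out.println("server presented: "
                        + ((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        conn.disconnect();
    }
}
```

If the client keystore is left out of the SSLContext (pass null key managers), Tomcat with clientAuth="true" aborts the handshake, which is the quickest way to confirm that client authentication is really being enforced.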
11. Connecting from IE
Importing client.cer into IE does not connect at all.
Testing shows that IE only connects normally after importing a PKCS12-type keystore, while a PKCS12-type keystore is reported as an invalid format in Java,
so to log in from IE you need to create a PKCS12 keystore C and then add trust for C on the server side before IE can connect. In other words, the server trusts two certificates: IE's and Java's.
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass changeit -keystore d:\custom.p12 -storepass changeit -validity 3650
keytool -export -alias custom -file custom.cer -keystore d:\custom.p12 -storepass changeit -storetype PKCS12 -rfc
keytool -import -v -alias custom -file custom.cer -keystore d:\trustserver.keystore -storepass changeit
Troubleshooting:
严重: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
Solution:
Comment out the following line in the Tomcat configuration (with the APR listener enabled the connector is handled by the native OpenSSL-based implementation, which expects SSLCertificateFile-style attributes instead of the JSSE keystoreFile/truststoreFile attributes used above):
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
Restart Tomcat; port 8443 now starts normally.
References
http://blog.chinaunix.net/uid-78707-id-372088.html
http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html
The complete set of commands:
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore d:\server.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -export -alias tomcat -file d:\server.cer -keystore d:\server.keystore
keytool -genkey -alias trust -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trust.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -import -v -alias tomcat -file d:\server.cer -keystore d:\trust.keystore
keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore d:\client.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -export -alias client -file d:\client.cer -keystore d:\client.keystore
keytool -genkey -alias trustserver -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trustserver.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -import -v -alias client -file d:\client.cer -keystore d:\trustserver.keystore
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass changeit -keystore d:\custom.p12 -storepass changeit -validity 3650
keytool -export -alias custom -file custom.cer -keystore d:\custom.p12 -storepass changeit -storetype PKCS12 -rfc
keytool -import -v -alias custom -file custom.cer -keystore d:\trustserver.keystore -storepass changeit