keytool + Tomcat 7: configuring HTTPS mutual (two-way) certificate authentication

Source: Internet   Published by: java写服务器端   Editor: 程序博客网   Date: 2024/05/18 00:56

System requirements:

JDK 1.7
Tomcat 7

1. Generate the server keystore with keytool

keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore d:\server.keystore
Note that the CN must be the host name the site will be reached under.
For example, if the site will later be accessed as https://localhost:8443/path/,
then CN = localhost.

2. Export the server's X.509 certificate

keytool -export -alias tomcat -file d:\server.cer -keystore d:\server.keystore
This exports the server certificate (public part only) in X.509 form.

3. Create the trust store used by the client (trust.keystore)

keytool -genkey -alias trust -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trust.keystore 

4. Import the server certificate into the client's local trust store

keytool -import -v -alias tomcat -file d:\server.cer -keystore d:\trust.keystore
The earlier steps stay as they are.

5. Generate the client keystore with keytool

keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore d:\client.keystore 

6. Export the client's X.509 certificate

keytool -export -alias client -file d:\client.cer -keystore d:\client.keystore

7. Create the trust store used by the server (trustserver.keystore)

keytool -genkey -alias trustserver -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trustserver.keystore 

8. Import the client certificate into the server's trust store

keytool -import -v -alias client -file d:\client.cer -keystore d:\trustserver.keystore
At this point there are 2 keystores (server.keystore, client.keystore) and 2 trust stores (trust.keystore, trustserver.keystore).

9. Tomcat configuration

Open /conf/server.xml under the Tomcat root directory, find the following configuration block and change it to:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="d:/server.keystore" keystorePass="changeit"
           truststoreFile="d:/trustserver.keystore" truststorePass="changeit"/>
clientAuth="true" makes Tomcat require a client certificate during the handshake and accept only certificates present in trustserver.keystore.


10. Java connection

import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class Client {
    public static void main(String[] args) throws Exception {
        HttpClient httpclient = new DefaultHttpClient();
        // client.keystore holds the client's own key pair (step 5);
        // trust.keystore holds the imported server certificate (step 4)
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream keyStoreIn = new FileInputStream(new File("d:/client.keystore"));
        FileInputStream trustStoreIn = new FileInputStream(new File("d:/trust.keystore"));
        try {
            // passwords must match the -storepass used when the keystores were created (changeit)
            keyStore.load(keyStoreIn, "changeit".toCharArray());
            trustStore.load(trustStoreIn, "changeit".toCharArray());
        } finally {
            keyStoreIn.close();
            trustStoreIn.close();
        }
        // key password (-keypass) of the client key, plus the trust store used to verify the server
        SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, "changeit", trustStore);
        httpclient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", socketFactory, 8443));
        HttpPost httppost = new HttpPost("https://localhost:8443/SSOClient/login.html");
        System.out.println("Request:" + httppost.getRequestLine());
        HttpResponse response = httpclient.execute(httppost);
        System.out.println(response.getStatusLine());
        httpclient.getConnectionManager().shutdown();
    }
}
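The same mutual-TLS connection built from the JDK's own javax.net.ssl classes (works on JDK 1.7 without the HttpClient library); this is an added example, not the original post's code, and it assumes the keystores, passwords and URL created in steps 1 to 8 above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Mutual-TLS client built only from the JDK: client.keystore (steps 5-6) supplies the
// client certificate, trust.keystore (step 4) holds the server certificate we accept.
public class MutualTlsClient {
    // Same value as the -storepass/-keypass used in the keytool commands above.
    private static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on JDK 7
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, PASSWORD);
        } finally {
            in.close();
        }
        return ks;
    }

    static SSLContext buildContext(String keyStorePath, String trustStorePath) throws Exception {
        // Key manager: presents the client certificate when Tomcat (clientAuth="true") requests it.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath), PASSWORD);
        // Trust manager: trusts only what is in trust.keystore, not the JDK's default CA bundle.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("d:/client.keystore", "d:/trust.keystore");
        URL url = new URL("https://localhost:8443/SSOClient/login.html");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept: the server certificate's CN must be
        // "localhost" (step 1); a mismatch fails the connection instead of being ignored.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```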



11. Connecting from IE

Importing client.cer into IE unexpectedly did not allow a connection.

Testing showed that IE connects only when a PKCS12-type keystore is imported, while a PKCS12-type keystore is reported as an invalid format in Java.

So, to log in from IE, a PKCS12 keystore C must be created and trust for C added on the server side before IE can connect. In other words, the server trusts 2 certificates: IE's and Java's.

keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass changeit -keystore d:\custom.p12 -storepass changeit -validity 3650
keytool -export -alias custom -file custom.cer -keystore d:\custom.p12 -storepass changeit -storetype PKCS12 -rfc
keytool -import -v -alias custom -file custom.cer -keystore d:\trustserver.keystore -storepass changeit


Troubleshooting:

严重: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
Fix:
Comment out the following line in Tomcat's server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
Restart Tomcat; port 8443 now starts normally.
The APR/native connector expects OpenSSL-style attributes (SSLCertificateFile and friends) rather than keystoreFile; disabling the APR listener makes Tomcat fall back to the JSSE connector, which understands the keystore attributes configured in step 9.


References


http://blog.chinaunix.net/uid-78707-id-372088.html

http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html


The complete command sequence:

keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore d:\server.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -export -alias tomcat -file d:\server.cer -keystore d:\server.keystore
keytool -genkey -alias trust -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trust.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -import -v -alias tomcat -file d:\server.cer -keystore d:\trust.keystore
keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore d:\client.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -export -alias client -file d:\client.cer -keystore d:\client.keystore
keytool -genkey -alias trustserver -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trustserver.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -import -v -alias client -file d:\client.cer -keystore d:\trustserver.keystore
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass changeit -keystore d:\custom.p12 -storepass changeit -validity 3650
keytool -export -alias custom -file custom.cer -keystore d:\custom.p12 -storepass changeit -storetype PKCS12 -rfc
keytool -import -v -alias custom -file custom.cer -keystore d:\trustserver.keystore -storepass changeit

