一、準備環境
搭建平臺:linux+apache-tomcat-7.0.35.tar.gz
二、生成CA證書
創建目錄:
#mkdir ca client server
目前不使用第三方權威機構的CA來認證,自己充當CA的角色。
2.1 創建私鑰
#openssl genrsa -out ca/ca-key.pem 1024
2.2 創建證書請求
#openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
2.3 自簽署證書
#openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
2.4 將證書導出成瀏覽器支持的.p12格式
#openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
密碼:123456
三、生成server證書
3.1 創建私鑰
#openssl genrsa -out server/server-key.pem 1024
3.2 創建證書請求
#openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost #此處一定要寫服務器所在ip
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.3 自簽署證書
#openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
3.4 將證書導出成瀏覽器支持的.p12格式
#openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
密碼:123456
四、生成client證書
4.1 創建私鑰
#openssl genrsa -out client/client-key.pem 1024
4.2 創建證書請求
#openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4.3 自簽署證書
#openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4.4將證書導出成瀏覽器支持的.p12格式
#openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
密碼:123456
4.5 根據ca證書生成jks文件 (java keystore)
#keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
#keytool -import -keystore truststore.jks -keypass 222222 -storepass 222222 -alias client -import -trustcacerts -file client/client-cert.pem ------導入client證書,讓服務器信任client證書
#keytool -list -v -keystore truststore.jks --查看keystore,密碼:222222
五、配置tomcat ssl
修改conf/server.xml。tomcat中多了SSLEnabled="true"屬性。keystorefile, truststorefile設置爲你正確的相關路徑
xml 代碼
修改如下:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="/root/ca/server/server.p12" keystorePass="123456" keystoreType="PKCS12"
truststoreFile="/root/ca/truststore.jks" truststorePass="222222" truststoreType="JKS"/>
屬性說明:
clientAuth:設置是否雙向驗證,默認爲false,設置爲true代表雙向驗證
keystoreFile:服務器證書文件路徑
keystorePass:服務器證書密碼
truststoreFile:用來驗證客戶端證書的根證書,此例中就是ca證書
truststorePass:根證書密碼
六、客戶端驗證
啓動tomcat服務,客戶端導入client.p12證書,然後訪問https://ip:8443