1.建立CA工作目錄
mkdir ca
cd ca
2.生成CA私鑰
openssl genrsa -out ca-key.pem 1024
3.生成待簽名證書
openssl req -new -out ca-req.csr -key ca-key.pem
//ca-cert.pem即爲CA根證書,可將其下發到客戶端,導入作爲根證書。私鑰changeit
4.用CA私鑰自簽名
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 365
5.導出pk12
openssl pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca-cert.p12
查看證書
openssl x509 -in ca-cert.pem -noout -text -modulus
如果按請求生成CA證書,由證書申請者生成請求文件certreq.txt。CA端執行簽名,生成證書文件1.cer
openssl x509 -req -in c:\certreq.txt -out c:\1.cer -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -days 365 -CAcreateserial
生成server證書
1.創建私鑰
openssl genrsa -out server-key.pem 1024
2.創建證書請求
openssl req -new -out server-req.csr -key server-key.pem
3.自簽署證書
openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 365
4.將證書導出成瀏覽器支持的.p12格式,密碼changeit
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12
keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem
keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias server -import -trustcacerts -file ~/server/server-cert.pem
生成client證書
1.創建私鑰 :
openssl genrsa -out client-key.pem 1024
2.創建證書請求 :
openssl req -new -out client-req.csr -key client-key.pem
3.自簽署證書 :
openssl x509 -req -in client-req.csr -out client-cert.pem -signkey client-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 36
openssl x509 -in client-cert.pem -noout -text -modulus
4.將證書導出成瀏覽器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
密碼:changeit
根據ca證書生成jks文件
keytool -keystore truststore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem
導入證書
在客戶端瀏覽器導入ca-cert.p12作爲受信任的根證書,client.p12作爲個人證書
Tomcat配置
server.xml
jsse模式
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="../conf/ssl/server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="../conf/ssl/truststore.jks" truststorePass="123456" truststoreType="JKS"/>
apr模式
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true"
SSLEnabled="true"
SSLProtocol="all"
SSLCipherSuite="ALL"
SSLCertificateFile="../conf/ssl/server-cert.pem"
SSLCertificateKeyFile="../conf/ssl/server-key.pem"
SSLCACertificateFile="../conf/ssl/ca-cert.pem"
SSLCACertificatePath="../conf/ssl"
SSLVerifyDepth="15"
SSLVerifyClient="require" />
注意事項
IE8支持SSLv3,TLS, 不支持SSLv2
參考
apache tomcat doc
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL Support
雙向ssl-apr
http://618119.com/archives/2007/10/23/13.html
雙向ssl-jsse
http://www.51testing.com/?uid-257506-action-viewspace-itemid-155641
http://wenku.baidu.com/view/7f3c491f650e52ea5518987b.html
openssl
http://blog.csdn.net/gloomuu/archive/2009/08/17/4456501.aspx
http://dddspace.com/2009/03/using-openssl-to-generate-certificates.html
http://hi.baidu.com/kobetec/blog/item/706fc0440ff3b44a510ffe0b.html