首页 诗词 字典 板报 句子 名言 友答 励志 学校 网站地图
当前位置: 首页 > 教程频道 > 其他教程 > 开源软件 >

Tomcat 七 配置 SSL

2012-07-15 
Tomcat 7 配置 SSL.?Tomcat 配置 SSL?说明:配置的是Tomcat 7 的JSSE? Connector,对于配置APR请继续Google.

Tomcat 7 配置 SSL.

?Tomcat 配置 SSL

?

说明:

配置的是Tomcat 7 的JSSE? Connector,对于配置APR请继续Google.

?

配置流程:

一.Tomcat 服务端SSL认证配置.

1.配置一个CA证书(如果直接使用授权认证机构本步骤可以跳过)

? ?1.)生成CA私有密钥 ?(红色标记为CA 私有密钥的验证密码下面很多地方会用到)

?

openssl genrsa -des3 -out private/ca.key 1024

?

? ? ? ?Generating RSA private key, 1024bit long modulus

? ? ...............................++++++......++++++e is 65537 (0x10001)

? ? ? ?Enter pass phrase for private/ca.key:123456?

? ? ? ?Verifying - Enter pass phrase for private/ca.key:123456

?

? ? 2.)生成CA证书 (ca.key 的密码为上一步骤输入的密码)

生成的ca.crt 就是 CA的认证证书,可以导入到浏览器的受信任机构中区.而那些由这个CA证书签名的

? ? ? ? 的客户端证书就可以被浏览器认证通过.

?openssl req -new -x509 -key private/ca.key -out public/ca.crt -days 3650

?

? ? ? ? Enter pass phrase for private/ca.key:123456

? ? ? ? You are about to be asked to enter information that will be incorporated

? ? ? ? ?into your certificate request.

? ? ? ? What you are about to enter is what is called a Distinguished Name or a DN.

? ? ? ? There are quite a few fields but you can leave some blank

? ? ? ? ?For some fields there will be a default value,

? ? ? ? ?If you enter '.', the field will be left blank.

? ? ? ? ?-----

? ? ? ? ?Country Name (2 letter code) [AU]:CN

? ? ? ? ? State or Province Name (full name) [Some-State]:ZJ

? ? ? ? ?Locality Name (eg, city) []:HZ

? ? ? ? ?Organization Name (eg, company) [Internet Widgits Pty Ltd]:orgnation

? ? ? ? ?Organizational Unit Name (eg, section) []:orgnation

? ? ? ? ?Common Name (e.g. server FQDN or YOUR name) []:orgnation

? ? ? ? ?Email Address []:xxx@mail.com

?

2. ?使用CA证书签名服务端证书

? ?1.)生成服务端私钥

?

 openssl genrsa -des3 -out private/server.key
?

?

1024Generating RSA private key, 1024 bit long modulus

......................................................++++++.....++++++e is 65537 (0x10001)

Enter pass phrase for private/server.key:s123456

Verifying - Enter pass phrase for private/server.key:s123456

?

? ?2.)创建服务端证书签名请求

Common Name 配置很重要,可以配置tomcat 所在服务器的IP地址或域名.

如果是本地测试的话可以配置localhost.

 openssl req -new -key private/server.key -out server.csr

?

Enter pass phrase for private/server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:ZJ

Locality Name (eg, city) []:HZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX

Organizational Unit Name (eg, section) []:Development

Common Name (e.g. server FQDN or YOUR name) []:xxx.xxx.xxx.xxx (这里很重要重要)

Email Address []:xxxx@mail.com

?

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:csr123456

An optional company name []:xxx

? 3.) 使用 CA证书和CA私钥给服务端证书请求签名

? ? ? ?生成的server.crt 为服务端证书.

openssl x509 -req -days 360 -in server.csr -CA public/ca.crt -CAkey private/ca.key -CAcreateserial -out public/server.crt

?

Signature ok

subject=/C=CN/ST=ZJ/L=HZ/O=XXX/OU=Development/CN=xxx.xxx.xxx.xxx?/emailAddress=xxxx@mail.com

Getting CA Private Key

Enter pass phrase for 123456

? ? ? ? private/ca.key:123456

?

? 4.)把服务端代码转换浏览器可以识别的PCS12 格式

? ? 服务端证书密码暂时无用.

?

$ openssl pkcs12 -export -in public/server.crt -inkey private/server.key -out server.p12

?

?

? ? ?Enter pass phrase for private/server.key:s123456

? ? ?Enter Export Password: e123456

? ? ?Verifying - Enter Export Password:e123456

?

?5.)生成信任库中

? ?使用jetty 中的PKCS12Import 工具类完成转换.(jetty-5.1.10.jar 可在附件中下载)

?

?

java -cp jetty-5.1.10.jar org.mortbay.util.PKCS12Import server.p12  server.jks
? ??

?

? ? Enter input keystore passphrase: e123456

? ? Enter output keystore passphrase: e123456

? ? Alias 0: 1

? ? Adding key for alias 1

?

? 6.)使用下面命令查看jks文件中包含的证书信息.

?

keytool -v -list -keystore server.jks
?

?

? 7.)配置Tomcat SSL Connector.

? ? 在server.xml文件中配置下面内容

?

<Connector port="8443" protocol="HTTP/1.1"  SSLEnabled="true"               maxThreads="150" scheme="https" secure="true"               clientAuth="false"    keystoreFile="F:/temps/ca3/server.jks"   keystorePass="e123456"    sslProtocol="TLS" />
?

?8.)导入CA 证书(ca.crt)到客户端浏览器的受信任认证机构的证书列表中

?9.)使用客户端浏览器访问: https://xxx.xxx.xxx.xxx:8443 .访问成功的话表示服务端SSL配置成功.

?

二 配置客户端证书实现客户端和服务端双向认证

1.?创建private key 和证书签名请求

?

$ openssl req -new -newkey rsa:1024 -nodes -out client/client.req -keyout

?

Generating a 1024 bit RSA private key

.................++++++

................................................++++++

writing new private key to 'client/client.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:ZJ

Locality Name (eg, city) []:HZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXX

Organizational Unit Name (eg, section) []:XXXX

Common Name (e.g. server FQDN or YOUR name) []:XXXXX

Email Address []:xxxx@mail.com

?

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:c123456

An optional company name []:XXX

?

2.使用CA证书签名客户端证书签名请求.

?

$ openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req  -out client/client.pem -days 365
?

?

?

? Signature ok

? subject=/C=CN/ST=ZJ/L=HZ/O=XXXX/OU=XXXX/CN=XXX.XXX.XXX.XXX/emailAddress=xxxx@mail.com

? Getting CA Private Key

? Enter pass phrase for private/ca.key:123456

?

?

3.把客户端证书client.pem 转换成 浏览器可以识别的PKCS12 格式

?

?

openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key  -out client/client.p12 -name 10.90.3.122
?

?

? ? Enter Export Password:c123456?

? ? Verifying - Enter Export Password:c123456

?

4.服务端配置支持客户端证书认证.

1).创建和填充trust-store

? ?依次执行下面命令.

?

keytool -genkey -alias dummy -keyalg RSA -keystore truststore.jks
keytool -delete -alias dummy -keystore truststore.jks
keytool -import -v -trustcacerts -alias my_ca -file public/ca.crt -keystore truststore.jks
?

?

2.).使tomcat 加载信任库.

? ?配置下面环境变量

?

CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/truststore.jks -Djavax.net.ssl.trustStorePassword=your_password"

?

3.)配置tomcat server.xml 文件启用客户端认证.

?

<Connector port="8443" protocol="HTTP/1.1"  SSLEnabled="true"               maxThreads="150" scheme="https" secure="true"               clientAuth="true"    keystoreFile="F:/temps/ca3/server.jks"   keystorePass="e123456"    sslProtocol="TLS" />
?

?

4.)导入客户端证书.

?导入client.p12 到客户端浏览器测试.

?

?

Tomcat 七 配置 SSL

?

?

Tomcat 七 配置 SSL

?

?

热点排行