一、准备环境
搭建平台:linux+apache-tomcat-7.0.35.tar.gz
二、生成CA证书
创建目录:
#mkdir ca client server
目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
2.1 创建私钥
#openssl genrsa -out ca/ca-key.pem 1024
2.2 创建证书请求
#openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
2.3 自签署证书
#openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
2.4 将证书导出成浏览器支持的.p12格式
#openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
密码:123456
三、生成server证书
3.1 创建私钥
#openssl genrsa -out server/server-key.pem 1024
3.2 创建证书请求
#openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost #此处一定要写服务器所在ip
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.3 自签署证书
#openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
3.4 将证书导出成浏览器支持的.p12格式
#openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
密码:123456
四、生成client证书
4.1 创建私钥
#openssl genrsa -out client/client-key.pem 1024
4.2 创建证书请求
#openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4.3 自签署证书
#openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4.4将证书导出成浏览器支持的.p12格式
#openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
密码:123456
4.5 根据ca证书生成jks文件 (java keystore)
#keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
#keytool -import -keystore truststore.jks -keypass 222222 -storepass 222222 -alias client -import -trustcacerts -file client/client-cert.pem ------导入client证书,让服务器信任client证书
#keytool -list -v -keystore truststore.jks --查看keystore,密码:222222
五、配置tomcat ssl
修改conf/server.xml。tomcat中多了SSLEnabled="true"属性。keystorefile, truststorefile设置为你正确的相关路径
xml 代码
修改如下:
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="/root/ca/server/server.p12" keystorePass="123456" keystoreType="PKCS12"
truststoreFile="/root/ca/truststore.jks" truststorePass="222222" truststoreType="JKS"/>
属性说明:
clientAuth:设置是否双向验证,默认为false,设置为true代表双向验证
keystoreFile:服务器证书文件路径
keystorePass:服务器证书密码
truststoreFile:用来验证客户端证书的根证书,此例中就是ca证书
truststorePass:根证书密码
六、客户端验证
启动tomcat服务,客户端导入client.p12证书,然后访问https://ip:8443