System environment:
windows xp / jdk6 / tomcat7 / openssl
OpenSSL 1.0.0d, the Windows installer linked from http://www.openssl.org/related/binaries.html
Software environment preparation:
Install OpenSSL with the defaults, so it lands in c:\OpenSSL-Win32. Create a directory named cawork on drive E.
- Find openssl.cfg in c:\openssl-win32\bin, copy it into cawork, open the copy and set the dir entry in the [ CA_default ] section to ., i.e. the current directory, so that every path the CA derives from it ($dir/index.txt, $dir/serial, $dir/newcerts) resolves inside cawork:
dir = .  # Where everything is kept
- Create an empty file named index.txt in cawork. This is the CA database: openssl records every certificate it issues there, and the ca command refuses to run if the file is missing.
- Create a file named serial in cawork containing just the two characters 01 (no quotes). This is the next serial number, in hex; openssl increments it after each certificate it issues.
- Create an empty directory named newcerts in cawork. openssl writes a copy of each issued certificate there, named after its serial number, and errors out if the directory is missing.
Procedure:
1. Generate the root certificate and its private key, and protect the key with a pass phrase
E:\cawork>openssl req -utf8 -x509 -newkey rsa:2048 -out root.cer -keyout rootKey.pem -days 3650
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
......+++
...................................................+++
writing new private key to 'rootKey.pem'
Enter PEM pass phrase: (the pass phrase that encrypts the private key; step 3 asks for it again. rootkey is used here)
Verifying - Enter PEM pass phrase: (type it again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: (the prompts that follow form the root's distinguished name; Enter keeps the bracketed default. The Country, State and Organization chosen here must be repeated exactly for the server in step 2, because the CA's policy_match policy checks them against the root)
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
When this finishes we have two files: the root certificate root.cer and its private key rootKey.pem. -x509 made req emit a self-signed certificate instead of a request, -days 3650 gave it a ten-year lifetime, and since no -config was passed the extensions came from the v3_ca section of OpenSSL's default openssl.cfg, which marks the certificate CA:TRUE. Whoever holds rootKey.pem and its pass phrase can issue certificates that every client trusting root.cer will accept, so keep it off the servers it signs for.
2. Generate the server's certificate request and private key, and protect the key with a pass phrase
E:\cawork>openssl req -newkey rsa:1024 -keyout serverKey.pem -out serverRequest.pem -days 365
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...................................................++++++
.++++++
writing new private key to 'serverKey.pem'
Enter PEM pass phrase: (the pass phrase that encrypts the server key; step 5 asks for it again. serverkey is used here)
Verifying - Enter PEM pass phrase: (type it again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.cas-server.com (must equal the host name clients will use, otherwise the browser reports a certificate problem when the site is deployed. Current browsers ignore the CN and match the host name against a subjectAltName extension, which this request does not carry)
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
When this finishes we have the server's certificate request serverRequest.pem and its private key serverKey.pem. Without -x509, req produces a request rather than a certificate, and the -days 365 is ignored: the CA sets the lifetime in step 3. rsa:1024 was already marginal in 2011 and current clients reject or warn on RSA keys shorter than 2048 bits, so use rsa:2048 or larger.
3. Issue the certificate (sign the request with the root; this is the command that uses the edited openssl.cfg together with index.txt, serial and newcerts)
E:\cawork>c:\openssl-win32\bin\openssl.exe ca -config "./openssl.cfg" -cert root.cer -keyfile rootKey.pem -in serverRequest.pem -out server.cer
Using configuration from ./openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for rootKey.pem: (rootkey)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 22 08:23:15 2011 GMT
Not After : Aug 21 08:23:15 2012 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = www.cas-server.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
48:8E:0E:46:D4:CC:26:6C:B9:4A:61:19:FC:AB:8D:DA:4E:9E:FA:5C
X509v3 Authority Key Identifier:
keyid:BE:83:33:87:FD:A0:ED:0C:6A:F7:2A:8A:B0:C4:0C:B8:AC:C1:67:07
Certificate is to be certified until Aug 21 08:23:15 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This yields the server certificate server.cer. Its 365-day validity and the CA:FALSE basic constraint come from openssl.cfg (default_days and the usr_cert extension section), its Authority Key Identifier equals the root's Subject Key Identifier, and the request passed the policy_match check because its Country, State and Organization equal the root's. serial now reads 02, index.txt records the new certificate, and newcerts holds a copy named 01.pem.
4. Repeat steps 2 and 3 to issue certificates for client authentication. Tomcat only asks clients for one when the connector has clientAuth="true" together with a truststore containing root.cer (the truststoreFile attribute); each client imports its certificate and key as a PKCS#12 bundle, built the same way as in step 5.
5. Export the server certificate together with the root certificate as a PKCS#12 keystore
E:\cawork>openssl pkcs12 -export -in server.cer -inkey serverKey.pem -out server.p12 -chain -CAfile root.cer
Loading 'screen' into random state - done
Enter pass phrase for serverKey.pem:(serverkey)
Enter Export Password:(server)
Verifying - Enter Export Password:(server)
-chain -CAfile root.cer makes openssl include the issuer chain (here just root.cer) in the bundle, so Tomcat can present the full chain. The export password (server) is what Tomcat later needs as keystorePass; it is independent of the pass phrase on serverKey.pem.
6. Configure Tomcat: edit conf/server.xml. The following attributes belong on the HTTPS <Connector> element (the opening of the element, with its port and protocol, is not reproduced here; Tomcat 7 also needs SSLEnabled="true" on it):
maxThreads="150" scheme="https" secure="true" keystoreFile="E:/cawork/server.p12" keystorePass="server" keystoreType="pkcs12" clientAuth="false" sslProtocol="TLS" />
keystoreType="pkcs12" lets Tomcat read server.p12 directly, without a keytool import; keystorePass is the export password from step 5, not the key pass phrase; clientAuth="false" means the step 4 client certificates are not requested. keystorePass sits in cleartext in server.xml, so restrict who can read that file.
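The same procedure, steps 1 to 5, as one non-interactive bash script, so the CA can be rebuilt from scratch and checked before the keystore goes into the Tomcat connector above. This is an added example, not code from the post: it passes the DNs and pass phrases on the command line instead of typing them at prompts, writes its own minimal openssl.cfg (so it does not depend on the installer's copy), gives the server a 2048-bit key and a subjectAltName, and ends with the checks worth running before deployment. The work directory ./cawork, the root CA's name, the extension sections, the -batch / -notext / -subj / -passout flags and the function names are this example's choices; the host name www.cas-server.com and the pass phrases rootkey, serverkey and server are the post's own values. The openssl invocations are the same on Windows, only the bash wrapping differs.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: steps 1-5 of the post driven non-interactively
# (DNs and pass phrases on the command line). Assumed, not in the original: work dir ./cawork,
# the root CA's CN, a 2048-bit server key, a SAN on the server cert. Needs openssl on PATH.
set -euo pipefail

CAWORK="${CAWORK:-./cawork}"
HOST="www.cas-server.com"
DN_BASE="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"   # policy_match: C, ST, O must equal the CA's
ROOT_PASS="rootkey"; SERVER_PASS="serverkey"; P12_PASS="server"   # the post's pass phrases

# Software environment: index.txt, serial, newcerts and a self-contained openssl.cfg with dir = .
setup_cawork() {
  mkdir -p "$CAWORK/newcerts"
  : > "$CAWORK/index.txt"      # empty database, so a re-run starts clean
  echo 01 > "$CAWORK/serial"
  cat > "$CAWORK/openssl.cfg" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/root.cer
private_key   = $dir/rootKey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: CA:FALSE and a SAN, which is what browsers and Java match the host name against.
  cat > "$CAWORK/server_ext.cfg" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$HOST
EOF
}

# Step 1: self-signed root certificate plus its pass-phrase-protected private key.
make_root_ca() {
  ( cd "$CAWORK" && openssl req -x509 -sha256 -newkey rsa:2048 -days 3650 -config openssl.cfg \
      -subj "$DN_BASE/CN=Example Root CA" -passout "pass:$ROOT_PASS" -keyout rootKey.pem -out root.cer )
}
# Step 2: server key and CSR. No -days here: the CA, not the requester, sets the lifetime.
make_server_csr() {
  ( cd "$CAWORK" && openssl req -new -sha256 -newkey rsa:2048 -config openssl.cfg \
      -subj "$DN_BASE/CN=$HOST" -passout "pass:$SERVER_PASS" -keyout serverKey.pem -out serverRequest.pem )
}
# Step 3: sign with the root. -batch answers the y/n prompts; -notext keeps the text dump out of server.cer.
sign_server_cert() {
  ( cd "$CAWORK" && openssl ca -batch -notext -config openssl.cfg -cert root.cer -keyfile rootKey.pem \
      -passin "pass:$ROOT_PASS" -extfile server_ext.cfg -extensions server_cert \
      -in serverRequest.pem -out server.cer )
}
# Step 5: server cert, key and root bundled as PKCS#12 for Tomcat (keystorePass = P12_PASS).
# Step 4, a client certificate, is steps 2-3 again with extendedKeyUsage = clientAuth.
export_pkcs12() {
  ( cd "$CAWORK" && openssl pkcs12 -export -name tomcat -in server.cer -inkey serverKey.pem \
      -passin "pass:$SERVER_PASS" -chain -CAfile root.cer -out server.p12 -passout "pass:$P12_PASS" )
}
# Pre-deployment checks: the chain verifies against the root and the SAN carries the host name.
verify_chain() {
  ( cd "$CAWORK" && openssl verify -CAfile root.cer server.cer >/dev/null \
      && openssl x509 -in server.cer -noout -text | grep "DNS:$HOST" >/dev/null )
}
# Prints the number of certificates in the bundle; -chain should have put both server and root in (2).
count_p12_certs() {
  ( cd "$CAWORK" && openssl pkcs12 -in server.p12 -passin "pass:$P12_PASS" -nokeys | grep -c 'BEGIN CERTIFICATE' )
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH; nothing done" >&2; return 0; }
  setup_cawork; make_root_ca; make_server_csr; sign_server_cert; export_pkcs12
  verify_chain && echo "server.cer: OK, SAN includes DNS:$HOST"
  echo "server.p12 holds $(count_p12_certs) certificates"
}
main "$@"
```

Run it with bash from any directory that has openssl on the PATH; it leaves server.p12 in ./cawork, which plugs into the connector above with keystoreType="pkcs12" and keystorePass="server". Pass phrases given as pass:... appear in the process list and shell history, so outside a lab feed them with -passout file: or env: instead. OpenSSL 3 writes the PKCS#12 bundle with AES-256 and PBKDF2; if an old JDK cannot open it, re-export with OpenSSL 3's -legacy option.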