SSL安装 tomcat jks AVR

使用版本JDK1.7,tomcat 7.0.39,openssl安装版0.9.8

使用操作系统 win7

命令行:

1.生成CA私钥以及自签名根证书

①生成CA私钥

openssl genrsa -out F:\CA\ca-key.pem 1024

②生成待签名根证书

openssl req -new -x509 -keyout F:\CA\ca-key.pem -out F:\CA\ca-req.csr -config openssl.cnf

③用CA私钥对根证书进行自签名

openssl x509 -req -in F:\CA\ca-req.csr -out F:\CA\ca-cert.pem -signkey F:\CA\ca-key.pem -days 365

2.生成server端证书

①生成KeyPair,最好keyPass与storePass一样,方便

keytool -genkey -alias ying -validity 365 -keyalg RSA -keysize 1024 -keypass yingevil -storepass yingevil -dname "cn=localhost,ou=department,o=company,l=Beijing,st=Beijing,c=CN" -keystore F:\CA\ying.jks

②生成待签名证书

keytool -certreq -alias ying -sigalg MD5withRSA -file F:\CA\ying.csr -keypass yingevil -keystore F:\CA\ying.jks -storepass yingevil

③用CA私钥进行签名

openssl x509 -req -in F:\CA\ying.csr -out F:\CA\ying-cert.pem -CA F:\CA\ca-cert.pem -CAkey F:\CA\ca-key.pem -days 365 -set_serial 1

3.导入信任的CA根证书到JAVA的默认位置%JAVA_HOME%\jre\lib\security\cacerts

keytool -import -v -trustcacerts -storepass changeit -alias root_ying -file F:\CA\ca-cert.pem -keystore %JAVA_HOME%\jre\lib\security\cacerts

4.把CA签名后的server端证书导入keystore

keytool -import -v -trustcacerts -storepass yingevil -alias ying -file F:\CA\ying-cert.pem -keystore F:\CA\ying.jks

5.查看server端的keystore,查看JDK

keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

6.Tomcat服务器端,在conf/server.xml中加入下面一段配置

<Connector port="443"
protocol="HTTP/1.1" SSLEnabled="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLCertificateFile="F:\server\apache-tomcat-7.0.39\conf\ca-cert.cer"
SSLCertificateKeyFile="F:\server\apache-tomcat-7.0.39\conf\ca-key.pem"
keystoreFile="F:\server\apache-tomcat-7.0.39\conf\ying.jks"
keystorePass="yingevil"/>

最后将ying.jks,ca-cert.cer(原身是ca-cert.pem,.pem文件是ASCII编码的,直接改文件格式为.cer就可以),ca-key.pem三个文件拷贝到服务器conf下即可。

将java keystore file转化为p12格式: 
keytool -importkeystore -srckeystore ying.jks -destkeystore ying.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass yingevil -deststorepass yingevil -srcalias ying -destalias ying -srckeypass yingevil -destkeypass yingevil -noprompt

7.服务端网络程序中的web.xml也要配置一下(加入下面一段即可),这样可以自动将http协议强制转换成https协议访问

<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>

<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

 

可查阅官方文档http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

 新建openssl.conf可参考:http://www.openssl.org/docs/apps/req.html#EXAMPLES

参考文章

http://zhumeng8337797.blog.163.com/blog/static/100768914201241645258903/

http://yushan.iteye.com/blog/434955

http://www.albertsong.com/read-99.html

你可能感兴趣的:(tomcat)