The steps for generating the certificates for two-way (mutual) SSL are as follows:
1. Generate the server-side keystore and truststore files
1.1. Generate, in JKS format, the server-side keystore file containing the public key and private key. keypass and storepass must be identical, because only a single password is configured in Tomcat's server.xml.
CN=Java Duke, OU=Java Software Division, O=Sun Microsystems Inc, C=US
(These are the subject's common name, organizational unit, organization, and country.)
keytool -genkey -alias server -keystore serverKeystore.jks -keypass ChinaMobile -storepass ChinaMobile -keyalg RSA -keysize 512 -validity 365 -v -dname "CN = ChinaMobile,O = ChinaMobile,DC = Server Https,DC = ChinaMobile,OU = ChinaMobile"
正在为以下对象生成 512 位 RSA 密钥对和自签名证书 (SHA1withRSA)(有效期为 365 天):
CN=ChinaMobile, O=ChinaMobile, DC=Server Https, DC=ABC, OU=ChinaMobile
[正在存储 serverKeystore.jks]
1.2. Export the server certificate with alias server from the keystore
keytool -export -alias server -keystore serverKeystore.jks -storepass ChinaMobile -file server.cer
1.3. Import server.cer into the client's trust store, clientTruststore.jks.
keytool -import -alias trustServer -file server.cer -keystore clientTruststore.jks -storepass ChinaMobile
所有者:CN=W03GCA01A, O=ABC BANK, DC=Server Https, DC=ABC, OU=Firefly Technology And Operation
签发人:CN=W03GCA01A, O=ABC BANK, DC=Server Https, DC=ABC, OU=Firefly Technology And Operation
序列号:4c90231d
有效期: Wed Sep 15 09:36:29 CST 2010 至Thu Sep 15 09:36:29 CST 2011
证书指纹:
MD5:39:DF:58:B1:09:F6:27:48:AD:BF:89:F0:64:48:81:1F
SHA1:3D:C6:A9:52:D3:F6:D1:83:A0:CC:05:A7:EC:B8:05:EF:D3:71:5C:AC
签名算法名称:SHA1withRSA
版本: 3
信任这个认证? [否]: y
认证已添加至keystore中
2. Generate the client-side keystore and truststore files:
2.1. Generate, in JKS format, the client-side keystore file containing the public key and private key.
keytool -genkey -alias client -keystore clientKeystore.jks -keypass ChinaMobile -storepass ChinaMobile -keyalg RSA -keysize 512 -validity 365 -v -dname "CN = ChinaMobile,O = ChinaMobile,DC = Server Https,DC = ChinaMobile,OU = ChinaMobile"
2.2. Export the client certificate with alias client from the keystore.
keytool -export -alias client -keystore clientKeystore.jks -storepass ChinaMobile -file client.cer
2.3. Import client.cer into the server's trust store, serverTruststore.jks.
keytool -import -alias trustClient -file client.cer -keystore serverTruststore.jks -storepass ChinaMobile
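As an added example (not part of the original page), the server and client procedures above combined into one script that uses RSA 2048 and SHA256withRSA instead of the 512-bit keys and SHA1 signatures in the commands above, and that cross-checks each truststore entry against the exported .cer by fingerprint. The password, distinguished names and file paths are constructed placeholders, and keytool is assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: builds the four stores from the steps
# above with RSA 2048 / SHA256withRSA (512-bit RSA and SHA1withRSA are far below
# current minimums) and verifies each truststore entry. Values are placeholders.
set -eu

PASS="${KS_PASS:-changeit}"     # keypass == storepass, as Tomcat's server.xml expects
WORK="${WORK:-$(mktemp -d)}"    # scratch directory for the generated stores

# Pull the SHA256 fingerprint out of keytool -printcert / -list -v output on stdin.
extract_fp() {
    grep -o 'SHA256: [0-9A-F:]*' | head -n 1 | cut -d' ' -f2
}

# Key pair + self-signed certificate into a keystore. Args: alias keystore dname
gen_keystore() {
    keytool -genkeypair -alias "$1" -keystore "$2" -storepass "$PASS" -keypass "$PASS" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -dname "$3"
}

# Export a certificate and import it into the peer's truststore.
# Args: alias keystore certfile trustalias truststore
export_and_trust() {
    keytool -exportcert -alias "$1" -keystore "$2" -storepass "$PASS" -file "$3"
    keytool -importcert -noprompt -alias "$4" -file "$3" -keystore "$5" -storepass "$PASS"
}

# Succeeds only if the truststore entry matches the .cer. Args: certfile trustalias truststore
verify_trust() {
    local want have
    want=$(keytool -printcert -file "$1" | extract_fp)
    have=$(keytool -list -v -alias "$2" -keystore "$3" -storepass "$PASS" | extract_fp)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

build_mutual_tls() {
    cd "$WORK"
    gen_keystore server serverKeystore.jks "CN=example-server, O=Example Org, C=US"
    export_and_trust server serverKeystore.jks server.cer trustServer clientTruststore.jks
    gen_keystore client clientKeystore.jks "CN=example-client, O=Example Org, C=US"
    export_and_trust client clientKeystore.jks client.cer trustClient serverTruststore.jks
    verify_trust server.cer trustServer clientTruststore.jks
    verify_trust client.cer trustClient serverTruststore.jks
    echo "mutual TLS stores built and verified in $WORK"
}

# Only run the full build when a JDK is installed; the helpers stay usable on their own.
if command -v keytool >/dev/null 2>&1; then
    build_mutual_tls
fi
```

The two verify_trust calls exit non-zero under set -e if an import landed in the wrong store or under the wrong alias, which is the mistake most easily made when the same commands are typed twice.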