tomcat 双向认证

1.CA证书

创建CA的私钥
openssl genrsa -des3 -out ca/ca.key 1024

创建CA证书

openssl req -new -x509 -key ca/ca.key -out ca/ca.crt -days 365

 

1.server端

创建server端的私钥

openssl genrsa -des3 -out server/server.key 1024

创建server证书签名请求

openssl req -new -key server/server.key -out server/server.csr

CA签署server证书

openssl x509 -req -days 30 -in server/server.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out server/server.crt

创建server端的pkcs12文件

openssl pkcs12 -export -in server/server.crt -inkey server/server.key -out server/server.p12 -name tomcat_server

 

转换pkcs12为JKS keystore文件

./keytool -importkeystore -v  -srckeystore /home/nick/nickca/server/server.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore /home/nick/nickca/tomcat.jks -deststoretype jks -deststorepass 123456

 

3.client端

创建client端的私钥

openssl req -new -newkey rsa:1024-nodes  -out client/client.req -keyout client/client.key

创建client端证书签名请求

openssl x509 -CA ca/ca.crt -CAkey ca/ca.key -CAserial ca/ca.srl -req -in client/client.req -out client/client.pem -days 365

创建client端的pkcs12文件

openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key -out client/client.p12 -name tomcat_client

创建client端的jks文件

./keytool -importkeystore -v  -srckeystore /home/nick/nickca/client/client.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore /home/nick/nickca/client.jks -deststoretype jks -deststorepass 123456

 

创建信任密钥库

./keytool -genkey -alias dummy -keyalg RSA -keystore /home/nick/nickca/truststore.jks

将CA认证过的证书导入信任库

./keytool -import -v -trustcacerts -alias my_ca -file /home/nick/nickca/ca/ca.crt -keystore /home/nick/nickca/truststore.jks

 

 

4.完成之后把ca/ca.crt证书安装到受信任的认证机构中，client/client.p12安装到个人浏览器中。

 

 

配置tomcat中conf/server.xml文件，找到被注释掉的8443端口的地方，去掉注释，替换成：

   <Connector port="8443" protocol="HTTP/1.1"SSLEnabled="true"

           maxThreads="150" scheme="https"secure="true"

            clientAuth="true"sslProtocol="TLS"

           keystoreFile="C:\test\tomcat.jks"

           truststoreFile="C:\test\truststore.jks"

                          keystorePass="123456"truststorePass="123456"/>

启动tomcat,打开网页https://localhost:8443/

参考
http://blog.csdn.net/yueshengxiao/article/details/6826876