Tomcat 7配置双向SSL

根证书
1.建立CA工作目录

mkdir ca

cd ca

2.生成CA私钥

openssl genrsa -out ca-key.pem 1024

3.生成待签名证书

openssl req -new -out ca-req.csr -key ca-key.pem
//ca-cert.pem即为CA根证书,可将其下发到客户端,导入作为根证书。私钥changeit

4.用CA私钥自签名
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 365

5.导出pk12
openssl pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca-cert.p12

查看证书
 openssl x509 -in ca-cert.pem -noout -text -modulus
 
 如果按请求生成CA证书,由证书申请者生成请求文件certreq.txt。CA端执行签名,生成证书文件1.cer
openssl x509 -req -in c:\certreq.txt -out c:\1.cer -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -days 365 -CAcreateserial

生成server证书
1.创建私钥
openssl genrsa -out server-key.pem 1024

2.创建证书请求
openssl req -new -out server-req.csr -key server-key.pem

3.自签署证书
openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 365


4.将证书导出成浏览器支持的.p12格式,密码changeit
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12

keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem 
keytool -keystore serverstore.jks -keypass 123456 -storepass 123456 -alias server -import -trustcacerts -file ~/server/server-cert.pem

生成client证书
1.创建私钥 :
openssl genrsa -out client-key.pem 1024

2.创建证书请求 :
openssl req -new -out client-req.csr -key client-key.pem

3.自签署证书 :
openssl x509 -req -in client-req.csr -out client-cert.pem -signkey client-key.pem -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -days 36

openssl x509 -in client-cert.pem -noout -text -modulus

4.将证书导出成浏览器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
密码:changeit

根据ca证书生成jks文件
keytool -keystore truststore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file ~/ca/ca-cert.pem

导入证书
在客户端浏览器导入ca-cert.p12作为受信任的根证书,client.p12作为个人证书

Tomcat配置
server.xml
jsse模式
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="../conf/ssl/server.p12" keystorePass="changeit" keystoreType="PKCS12"
               truststoreFile="../conf/ssl/truststore.jks" truststorePass="123456" truststoreType="JKS"/>       
  
 
apr模式
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true"
               SSLEnabled="true"
               SSLProtocol="all"
               SSLCipherSuite="ALL"
               SSLCertificateFile="../conf/ssl/server-cert.pem"
               SSLCertificateKeyFile="../conf/ssl/server-key.pem"
               SSLCACertificateFile="../conf/ssl/ca-cert.pem"
               SSLCACertificatePath="../conf/ssl"
               SSLVerifyDepth="15"
               SSLVerifyClient="require" />

注意事项
IE8支持SSLv3,TLS, 不支持SSLv2

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/pswdg.html