tomcat 双向ssl认证

本文根据http://joesmart.iteye.com/blog/1532929修改

 Tomcat 配置 SSL

 

说明:

配置的是Tomcat 7 的JSSE  Connector,对于配置APR请继续Google.

 

配置流程:

一.Tomcat 服务端SSL认证配置.

1.配置一个CA证书(如果直接使用授权认证机构本步骤可以跳过)

   1.)生成CA私有密钥  (红色标记为CA 私有密钥的验证密码下面很多地方会用到)

 

Java代码  

1. openssl genrsa -des3 -out private/ca.key 1024  

 

       Generating RSA private key, 1024bit long modulus

    ...............................++++++ ......++++++ e is 65537 (0x10001)

       Enter pass phrase for private/ca.key:123456 

       Verifying - Enter pass phrase for private/ca.key:123456

 

    2.)生成CA证书 (ca.key 的密码为上一步骤输入的密码)

生成的ca.crt 就是 CA的认证证书,可以导入到浏览器的受信任机构中区.而那些由这个CA证书签名的

        的客户端证书就可以被浏览器认证通过.

Java代码  

1.  openssl req -new -x509 -key private/ca.key -out public/ca.crt -days 3650  

 

        Enter pass phrase for private/ca.key:123456

        You are about to be asked to enter information that will be incorporated

         into your certificate request.

        What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

         For some fields there will be a default value,

         If you enter '.', the field will be left blank.

         -----

         Country Name (2 letter code) [AU]:CN

          State or Province Name (full name) [Some-State]:ZJ

         Locality Name (eg, city) []:HZ

         Organization Name (eg, company) [Internet Widgits Pty Ltd]:orgnation

         Organizational Unit Name (eg, section) []:orgnation

         Common Name (e.g. server FQDN or YOUR name) []:orgnation

         Email Address []:xxx@mail.com

 

2.  使用CA证书签名服务端证书

   1.)生成服务端私钥

 

Java代码  

1. openssl genrsa -des3 -out private/server.key  

 

 

1024 Generating RSA private key, 1024 bit long modulus

......................................................++++++ .....++++++ e is 65537 (0x10001)

Enter pass phrase for private/server.key:s123456

Verifying - Enter pass phrase for private/server.key:s123456

 

   2.)创建服务端证书签名请求

Common Name 配置很重要,可以配置tomcat 所在服务器的IP地址或域名.

如果是本地测试的话可以配置localhost.

Java代码  

1. openssl req -new -key private/server.key -out server.csr  

 

Enter pass phrase for private/server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:ZJ

Locality Name (eg, city) []:HZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX

Organizational Unit Name (eg, section) []:Development

Common Name (e.g. server FQDN or YOUR name) []:xxx.xxx.xxx.xxx (这里很重要重要)

Email Address []:xxxx@mail.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:csr123456

An optional company name []:xxx

  3.) 使用 CA证书和CA私钥给服务端证书请求签名

       生成的server.crt 为服务端证书.

Java代码  

1. openssl x509 -req -days 360 -in server.csr -CA public/ca.crt -CAkey private/ca.key -CAcreateserial -out public/server.crt  

 

Signature ok

subject=/C=CN/ST=ZJ/L=HZ/O= XXX/OU=Development/CN= xxx.xxx.xxx.xxx /emailAddress=xxxx@mail.com

Getting CA Private Key

Enter pass phrase for 123456

        private/ca.key:123456

 

  4.)把服务端代码转换浏览器可以识别的PCS12 格式

    服务端证书密码暂时无用.

 

Java代码  

1. $ openssl pkcs12 -export -in public/server.crt -inkey private/server.key -out server.p12  

 

 

     Enter pass phrase for private/server.key:s123456

     Enter Export Password: e123456

     Verifying - Enter Export Password:e123456

 

 5.)生成信任库中

   使用jetty 中的PKCS12Import 工具类完成转换.(jetty-5.1.10.jar 可在附件中下载)

 

 

Java代码  

1. java -cp jetty-5.1.10.jar org.mortbay.util.PKCS12Import server.p12  server.jks  

    

 

    Enter input keystore passphrase: e123456

    Enter output keystore passphrase: e123456

    Alias 0: 1

    Adding key for alias 1

 

  6.)使用下面命令查看jks文件中包含的证书信息.

 

Java代码  

1. keytool -v -list -keystore server.jks  

 

 

  7.)配置Tomcat SSL Connector.

    在server.xml文件中配置下面内容

 

Xml代码  

1. <Connector port="8443" protocol="HTTP/1.1"  SSLEnabled="true"  
2.                maxThreads="150" scheme="https" secure="true"  
3.                clientAuth="false"   
4.                keystoreFile="F:/temps/ca3/server.jks"  
5.                keystorePass="e123456"   
6.                sslProtocol="TLS" />  

 

 8.)导入CA 证书(ca.crt)到客户端浏览器的受信任认证机构的证书列表中

 9.)使用客户端浏览器访问: https://xxx.xxx.xxx.xxx:8443 .访问成功的话表示服务端SSL配置成功.

 

二 配置客户端证书实现客户端和服务端双向认证

1. 创建private key 和证书签名请求

 

Java代码  

1. $ openssl req -new -newkey rsa:1024 -nodes -out client/client.req -keyout client/client.key  

 

Generating a 1024 bit RSA private key

.................++++++

................................................++++++

writing new private key to 'client/client.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:ZJ

Locality Name (eg, city) []:HZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXX

Organizational Unit Name (eg, section) []:XXXX

Common Name (e.g. server FQDN or YOUR name) []:XXXXX

Email Address []:xxxx@mail.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:c123456

An optional company name []:XXX

 

2.使用CA证书签名客户端证书签名请求.

 

Java代码  

1. $ openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req  -out client/client.pem -days 365  

 

 

 

  Signature ok

  subject=/C=CN/ST=ZJ/L=HZ/O=XXXX/OU=XXXX/CN=XXX.XXX.XXX.XXX/emailAddress=xxxx@mail.com

  Getting CA Private Key

  Enter pass phrase for private/ca.key:123456

 

 

3.把客户端证书client.pem 转换成 浏览器可以识别的PKCS12 格式

 

 

Java代码  

1. openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key  -out client/client.p12 -name 10.90.3.122  

 

 

    Enter Export Password:c123456 

    Verifying - Enter Export Password:c123456

 

4.服务端配置支持客户端证书认证.

1).创建和填充trust-store

   依次执行下面命令.

 

Java代码  

1. keytool -genkey -alias dummy -keyalg RSA -keystore truststore.jks  

Java代码  

1. keytool -delete -alias dummy -keystore truststore.jks  

Java代码  

1. keytool -import -v -trustcacerts -alias my_ca -file public/ca.crt -keystore truststore.jks  

 

 

2.).使tomcat 加载信任库.

   配置下面环境变量

 

Java代码  

1. CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/truststore.jks -Djavax.net.ssl.trustStorePassword=your_password"  

 

3.)配置tomcat server.xml 文件启用客户端认证.

 

Java代码  

1. <Connector port="8443" protocol="HTTP/1.1"  SSLEnabled="true"  
2.                maxThreads="150" scheme="https" secure="true"  
3.                clientAuth="true"   
4.                keystoreFile="F:/temps/ca3/server.jks"  
5.                keystorePass="e123456"   
6.          truststoreFile="F:/temps/ca3/server.jks"
          truststorePass="e123456"
   
7.                sslProtocol="TLS" />  

 

 

4.)导入客户端证书.

 导入client.p12 到客户端浏览器测试.