Configuring Tomcat 6 and 5.5 for mutual SSL authentication (certificates generated with openssl)

Part One: Generate the CA certificate

No third-party CA is used here; we act as our own CA.

Prerequisite: the openssl tool is installed on the Linux system.

Wherever a password has to be entered below, it is 123456 throughout.

[root@localhost ~]# mkdir sslmaty

[root@localhost ~]# cd sslmaty/

1. Create the private key

[root@localhost sslmaty]# openssl genrsa -out ssl.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
........++++++
e is 65537 (0x10001)

2. Create the certificate request:

[root@localhost sslmaty]# openssl req -new -out ssl.csr -key ssl.key 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:dianzhi
Organizational Unit Name (eg, section) []:dianzhi
Common Name (eg, your name or your server's hostname) []:dianzhi
Email Address []:maty@mchina.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dianzhi

3. Self-sign the certificate

[root@localhost sslmaty]# openssl x509 -req -in ssl.csr -out ssl.crt -signkey ssl.key -days 3650
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=dianzhi/OU=dianzhi/CN=dianzhi/emailAddress=maty@mchina.cn
Getting Private key

4. Export the certificate in the browser-supported .p12 format

[root@localhost sslmaty]# openssl pkcs12 -export -clcerts -in ssl.crt -inkey ssl.key -out ca.p12
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost sslmaty]# ls
ca.p12  ssl.crt  ssl.csr  ssl.key

Part Two: Generate the server certificate

1. Create the private key

[root@localhost sslmaty]# cd server/
[root@localhost server]# ls
[root@localhost server]# openssl genrsa -out ser-key.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
...++++++
e is 65537 (0x10001)

2. Create the certificate request

[root@localhost server]# openssl req -new -out server-req.csr -key ser-key.key 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:dianzhi
Organizational Unit Name (eg, section) []:dianzhi
Common Name (eg, your name or your server's hostname) []:192.168.1.37   (Note: this must be the IP address of the server)
Email Address []:maty@mchina.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dianzhi

3. Sign the certificate with the CA

[root@localhost server]# ls
ser-key.key  server-req.csr
[root@localhost server]# openssl x509 -req -in server-req.csr -out server-crt.crt -signkey ser-key.key -CA ../ca/ssl.crt -CAkey ../ca/ssl.key -CAcreateserial -days 3650 
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=dianzhi/OU=dianzhi/CN=192.168.1.37/emailAddress=maty@mchina.cn
Getting Private key
Getting CA Private Key

4. Export the certificate in the browser-supported .p12 format

[root@localhost server]# openssl pkcs12 -export -clcerts -in server-crt.crt -inkey ser-key.key -out server.p12 
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost server]# ls
ser-key.key  server-crt.crt  server.p12  server-req.csr

Part Three: Generate the client certificate

1. Create the private key

[root@localhost server]# cd ..
[root@localhost sslmaty]# cd client/
[root@localhost client]# openssl genrsa -out client-key.key 1024
Generating RSA private key, 1024 bit long modulus
...................................++++++
.............++++++
e is 65537 (0x10001)

2. Create the certificate request

[root@localhost client]# openssl req -new -out client-req.csr -key client-key.key 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:dianzhi 
Organizational Unit Name (eg, section) []:dianzhi
Common Name (eg, your name or your server's hostname) []:dianzhi
Email Address []:maty@mchina.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dianzhi
[root@localhost client]# ls
client-key.key  client-req.csr

3. Sign the certificate with the CA

[root@localhost client]# openssl x509 -req -in client-req.csr -out client-cert.crt -signkey client-key.key -CA ../ca/ssl.crt -CAkey ../ca/ssl.key -CAcreateserial -days 3650
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=dianzhi/OU=dianzhi/CN=dianzhi/emailAddress=maty@mchina.cn
Getting Private key
Getting CA Private Key
[root@localhost client]# ls
client-cert.crt  client-key.key  client-req.csr

4. Export the certificate in the browser-supported .p12 format

[root@localhost client]# openssl pkcs12 -export -clcerts -in client-cert.crt -inkey client-key.key -out client.p12 
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost client]# ls
client-cert.crt  client-key.key  client.p12  client-req.csr

Part Four: Build the JKS trust store from the CA certificate

[root@localhost client]# keytool -keystore /root/truststore.jks -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file /root/sslmaty/ca/ssl.crt 
Owner: EMAILADDRESS=maty@mchina.cn, CN=dianzhi, OU=dianzhi, O=dianzhi, L=Beijing, ST=Beijing, C=CN
Issuer: EMAILADDRESS=maty@mchina.cn, CN=dianzhi, OU=dianzhi, O=dianzhi, L=Beijing, ST=Beijing, C=CN
Serial number: d18e053ef0e4503e
Valid from: Tue Jul 29 08:48:53 CST 2014 until: Fri Jul 26 08:48:53 CST 2024
Certificate fingerprints:
	 MD5:  C5:7B:57:58:EA:B6:B6:84:F6:36:28:3E:96:BF:4D:BC
	 SHA1: 7B:7F:EA:81:81:2C:1F:24:CC:19:A6:97:C0:3D:7F:97:1E:A0:8D:07
	 SHA256: F0:63:05:22:45:B1:9B:56:1C:63:3B:CB:17:95:C2:A6:BD:A5:2C:82:0D:61:29:A5:38:20:69:FC:A1:9E:25:1C
	 Signature algorithm name: SHA1withRSA
	 Version: 1
Trust this certificate? [no]:  y
Certificate was added to keystore

Part Five: Configure Tomcat SSL

Edit conf/server.xml. Tomcat 6 additionally needs the SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths on your system.

Tomcat 5.5 configuration:

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" />

Tomcat 6.0 configuration:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>

My own configuration is as follows:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               scheme="https"
               />
    <!-- A "Connector" using the shared thread pool -->
    <!-- Kept commented out, as in the stock server.xml: a second connector
         on port 8080 would fail to bind while the one above is active.
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               scheme="https"
               />
    -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/root/sslmaty/server/server.p12"
               keystorePass="123456"
               keystoreType="PKCS12"
               truststoreFile="/root/sslmaty/truststore.jks"
               truststorePass="123456"
               truststoreType="JKS"
               />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Part Six: Import the certificates

Import ca.p12 and client.p12 into IE (open IE -> Internet Options -> Content -> Certificates).

ca.p12 goes under Trusted Root Certification Authorities, client.p12 under Personal.

Part Seven: Verify that the SSL configuration is correct. Open your application at https://ip:8443/; if everything is configured correctly, a dialog asking for your digital certificate appears.



On the Nginx side:

# This block forces non-SSL clients on port 80 over to the https connection.
# Remove it if you want to keep plain http available.
server {
  listen 80;
  server_name passport.xxx.com;
  rewrite ^(.*) https://$server_name$1 permanent;
}

# SSL-related configuration
server {
  listen 443;
  server_name passport.xxx.com;
  if ($host != 'passport.xxx.com' ) {
    rewrite ^/(.*)$ http://passport.xxx.com/$1 permanent;
  }
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass https://127.0.0.1:8443;
  }
  root /data0/passport;
  index  index.html index.htm;
  ssl on;
  ssl_certificate /.../ca/ssl.crt;
  ssl_certificate_key /.../ca/ssl.key;
  ssl_session_timeout 5m;
  # SSLv2 and SSLv3 are broken and are no longer built into current nginx/OpenSSL;
  # a current deployment should list only TLSv1.2 and later here.
  ssl_protocols SSLv2 SSLv3 TLSv1;
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers on;
}


With that, both Nginx and Tomcat are configured.

Note: if CAS 4.0.0 reports "Non-secure Connection" after deployment, the cause is that Tomcat has no SSL configured. Following the steps above, the Nginx reverse proxy for https requests to Tomcat can be set up properly.
