System requirements:
JDK 1.7, Tomcat 7
1. Generate the server keystore with keytool
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore d:\server.keystore
Note: the CN must be the host name that clients will use. For example, if the site will later be accessed as https://localhost:8443/path/, then CN = localhost. Both HttpClient and browsers check the certificate's CN against the host in the URL, so a mismatch fails the handshake even when the certificate itself is trusted.
2. Export the server's X.509 certificate
keytool -export -alias tomcat -file d:\server.cer -keystore d:\server.keystore
This writes only the public certificate (no private key) to server.cer; it is the artifact the client will trust.
3. Create the client's trust keystore (trust.keystore)
keytool -genkey -alias trust -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trust.keystore
4. Import the server certificate into the client's trust keystore
keytool -import -v -alias tomcat -file d:\server.cer -keystore d:\trust.keystore
(The -genkey in step 3 only serves to create the file. keytool -import creates the keystore itself when it does not exist, so the dummy "trust" key pair is not actually needed; it simply ends up as an unused key entry in the trust store.)
5. Generate the client keystore
keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore d:\client.keystore
6. Export the client's X.509 certificate
keytool -export -alias client -file d:\client.cer -keystore d:\client.keystore
7. Create the server's trust keystore (trustserver.keystore)
keytool -genkey -alias trustserver -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trustserver.keystore
8. Import the client certificate into the server's trust keystore
keytool -import -v -alias client -file d:\client.cer -keystore d:\trustserver.keystore
At this point there are 2 keystores (server.keystore, client.keystore) and 2 trust keystores (trust.keystore, trustserver.keystore). Each side presents its own key pair and trusts exactly the other side's self-signed certificate, so this is mutual TLS by certificate pinning rather than CA-based trust: a new client certificate has to be imported into trustserver.keystore before it is accepted. Caveat: with JDK 1.7, keytool -genkey defaults to a 1024-bit RSA key and a 90-day validity; add -keysize 2048 and -validity <days> for anything beyond a lab setup.
9. Tomcat configuration
Open /conf/server.xml under the Tomcat root, find the 8443 connector and change it to:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
keystoreFile="d:/server.keystore" keystorePass="changeit"
truststoreFile="d:/trustserver.keystore" truststorePass="changeit"
/>
clientAuth="true" makes Tomcat require a client certificate on every connection and reject handshakes from clients whose certificate is not in trustserver.keystore; clientAuth="want" would request one but still accept connections without it. Tomcat opens the private key with keystorePass, so keep -keypass equal to -storepass as above (or set the separate keyPass attribute). Both passwords sit in server.xml in clear text; restrict the file's permissions accordingly.
10. Java client
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// Mutual-TLS client for Apache HttpClient 4.0-4.2 (DefaultHttpClient / SchemeRegistry API).
public class Client {
    public static void main(String[] args) throws Exception {
        HttpClient httpclient = new DefaultHttpClient();
        // Both files were created with keytool's default type (JKS);
        // a .p12 file would need KeyStore.getInstance("PKCS12") instead.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream keyStoreIn = new FileInputStream(new File("d:/client.keystore"));
        FileInputStream trustStoreIn = new FileInputStream(new File("d:/trust.keystore"));
        try {
            // Passwords must match the -storepass used in the keytool commands above ("changeit");
            // a wrong password fails here with "Keystore was tampered with, or password was incorrect".
            keyStore.load(keyStoreIn, "changeit".toCharArray());
            trustStore.load(trustStoreIn, "changeit".toCharArray());
        } finally {
            keyStoreIn.close();
            trustStoreIn.close();
        }
        // keyStore supplies the client certificate + private key (second argument is the key password);
        // trustStore holds the server's self-signed certificate and replaces the JDK's default cacerts.
        SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, "changeit", trustStore);
        httpclient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", socketFactory, 8443));
        // The host in the URL must match the CN of the server certificate (localhost in step 1).
        HttpPost httppost = new HttpPost("https://localhost:8443/SSOClient/login.html");
        System.out.println("Request:" + httppost.getRequestLine());
        HttpResponse response = httpclient.execute(httppost);
        System.out.println(response.getStatusLine());
        httpclient.getConnectionManager().shutdown();
    }
}
11. Connecting from IE
Importing client.cer into IE did not allow a connection. The reason is that client.cer contains only the public certificate: to answer the server's certificate request, the browser also needs the private key, and the only container IE imports together with a private key is PKCS12 (.p12/.pfx). The original note states that a PKCS12 keystore "reports an invalid format" in Java; that happens only because the client code above opens it with KeyStore.getDefaultType(), which is JKS. Java reads PKCS12 files without trouble via KeyStore.getInstance("PKCS12"). The approach taken here, which also works, is to generate a separate PKCS12 key pair for IE and add a second trusted entry on the server, so the server trusts two certificates, IE's and the Java client's:
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass changeit -keystore d:\custom.p12 -storepass changeit -validity 3650
keytool -export -alias custom -file custom.cer -keystore d:\custom.p12 -storepass changeit -storetype PKCS12 -rfc
keytool -import -v -alias custom -file custom.cer -keystore d:\trustserver.keystore -storepass changeit
Then import d:\custom.p12 (not custom.cer) into IE's personal certificate store.
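As an added example (not part of the original post), here is the same mutual-TLS client written against the JDK's own JSSE API instead of Apache HttpClient, so it covers both section 10 and section 11: it loads the client key pair from either the JKS client.keystore or the PKCS12 custom.p12 by naming the keystore type explicitly, and it checks that the keystore really holds a private-key entry, which is the property a bare .cer import lacks. Paths, aliases and the "changeit" password are the ones from the keytool commands above; the URL, class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS client using only JSSE (JDK 1.7+), no third-party HTTP library. */
public class JsseMutualTlsClient {

    /** Load a keystore, choosing the type from the file extension (.p12/.pfx -> PKCS12, otherwise JKS). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        String lower = path.toLowerCase();
        String type = (lower.endsWith(".p12") || lower.endsWith(".pfx")) ? "PKCS12" : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Client authentication needs a private key; a store that only holds imported .cer files cannot work. */
    static String findKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException(
            "keystore has no private-key entry; a .cer import alone cannot authenticate a client");
    }

    /** Build an SSLContext that presents our key pair and trusts only what is in the trust store. */
    static SSLContext buildContext(String keyStorePath, String trustStorePath, char[] password) throws Exception {
        KeyStore keyStore = loadKeyStore(keyStorePath, password);
        String alias = findKeyAlias(keyStore);
        X509Certificate own = (X509Certificate) keyStore.getCertificate(alias);
        System.out.println("client will present: " + own.getSubjectDN());

        KeyStore trustStore = loadKeyStore(trustStorePath, password);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);   // key password equals store password, as in the keytool commands
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);           // trust.keystore replaces the JDK's default cacerts entirely

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // First argument selects the client store: d:/client.keystore (JKS) or d:/custom.p12 (PKCS12).
        String keyStorePath = args.length > 0 ? args[0] : "d:/client.keystore";
        char[] password = "changeit".toCharArray();
        SSLContext ctx = buildContext(keyStorePath, "d:/trust.keystore", password);

        // HttpsURLConnection verifies the host name by default: the URL host must match the
        // server certificate's CN (localhost in step 1), otherwise the handshake is rejected.
        URL url = new URL("https://localhost:8443/SSOClient/login.html");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.getOutputStream().close();   // empty POST body, as in the HttpClient version

        // getResponseCode() performs the handshake; with clientAuth="true" a rejected client
        // certificate surfaces here as an SSLHandshakeException rather than an HTTP status.
        System.out.println("HTTP " + conn.getResponseCode());
        X509Certificate server = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("server cert: " + server.getSubjectDN());
        conn.disconnect();
    }
}
```

Run it once with d:/client.keystore and once with d:/custom.p12; both connect as long as the corresponding certificate was imported into trustserver.keystore. Pointing it at a keystore that contains only imported certificates (trust.keystore, for instance) fails fast in findKeyAlias instead of producing an opaque handshake error.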
Troubleshooting:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
Cause: when the Tomcat native (APR) library is present and the AprLifecycleListener has SSLEngine="on", protocol="HTTP/1.1" auto-selects the APR connector, which expects PEM files (SSLCertificateFile) rather than a Java keystore.
Fix: comment out the following line in conf/server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
(Alternatively, keep APR and force the JSSE connector by setting protocol="org.apache.coyote.http11.Http11Protocol" on the 8443 connector.) Restart Tomcat; port 8443 then starts normally.
References
http://blog.chinaunix.net/uid-78707-id-372088.html
http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html
Complete command list (in this run the server CN is the host's IP address, 10.50.50.51, so the client must connect to https://10.50.50.51:8443/... rather than to localhost):
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore d:\server.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -export -alias tomcat -file d:\server.cer -keystore d:\server.keystore
keytool -genkey -alias trust -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trust.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -import -v -alias tomcat -file d:\server.cer -keystore d:\trust.keystore
keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore d:\client.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -export -alias client -file d:\client.cer -keystore d:\client.keystore
keytool -genkey -alias trustserver -keyalg RSA -keypass changeit -storepass changeit -keystore d:\trustserver.keystore -dname "cn=10.50.50.51,ou=hoperun,o=hoperun,l=xian,st=shanxi,c=cn"
keytool -import -v -alias client -file d:\client.cer -keystore d:\trustserver.keystore
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass changeit -keystore d:\custom.p12 -storepass changeit -validity 3650
keytool -export -alias custom -file custom.cer -keystore d:\custom.p12 -storepass changeit -storetype PKCS12 -rfc
keytool -import -v -alias custom -file custom.cer -keystore d:\trustserver.keystore -storepass changeit