接上篇tomcat ssl单向认证[url]http://qerooy.iteye.com/blog/2252786[/url],本文在单向认证的基础上完成双向认证配置。
1、使用以下命令生成客户端证书,并将此证书安装到客户端(此证书请安装到个人目录下);
在此密码录入为123456
[img]http://dl2.iteye.com/upload/attachment/0112/6966/dfeeded7-8f45-3579-9195-e0e697ea8adb.png[/img]
2、从客户端p12证书导出cer证书;
3、让服务端信任客户端证书,复制原单向认证文件为tomcat_double.keystore,将client1.cer导入到服务器证书库中;
[img]http://dl2.iteye.com/upload/attachment/0112/7032/4ba4cb5a-7abe-3656-887f-0d473eeb3196.png[/img]
可通过如下命令检查证书情况
4、更改配置文件server.xml,将单向认证改为双向认证;
修改为
5、配置完成后,重启tomcat,访问便可看到提示需要证书;
[img]http://dl2.iteye.com/upload/attachment/0112/7056/1dca5259-fd58-3b93-bccc-6bc71ea5ce9e.png[/img]
1、使用以下命令生成客户端证书,并将此证书安装到客户端(此证书请安装到个人目录下);
keytool -genkey -v -alias client1 -keyalg RSA -storetype PKCS12 -keysize 1024 -validity 365 -keystore "F:\cert\client1.p12"
在此密码录入为123456
[img]http://dl2.iteye.com/upload/attachment/0112/6966/dfeeded7-8f45-3579-9195-e0e697ea8adb.png[/img]
2、从客户端p12证书导出cer证书;
keytool -export -alias client1 -storetype PKCS12 -keystore "F:\cert\client1.p12" -storepass 123456 -rfc -file "F:\cert\client1.cer"
3、让服务端信任客户端证书,复制原单向认证文件为tomcat_double.keystore,将client1.cer导入到服务器证书库中;
keytool -import -alias client1 -v -file "F:\cert\client1.cer" -keystore "F:\cert\tomcat_double.keystore"
[img]http://dl2.iteye.com/upload/attachment/0112/7032/4ba4cb5a-7abe-3656-887f-0d473eeb3196.png[/img]
可通过如下命令检查证书情况
keytool -list -keystore "F:\cert\tomcat_double.keystore"
4、更改配置文件server.xml,将单向认证改为双向认证;
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="F:\cert\tomcat.keystore" keystorePass="123456" />
修改为
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="F:\cert\tomcat_double.keystore" keystorePass="123456"
truststoreFile="F:\cert\tomcat_double.keystore" truststorePass="123456" />
5、配置完成后,重启tomcat,访问便可看到提示需要证书;
[img]http://dl2.iteye.com/upload/attachment/0112/7056/1dca5259-fd58-3b93-bccc-6bc71ea5ce9e.png[/img]