实现Tomcat双向认证

概念：

SSL: Security Socket Layer Protocol
公钥与私钥：对于OpenSSL, 私钥里面也包括了公钥信息。 所以公钥不需要单独生成。
公钥生成算法: 最流行的与证书相关的为 RSA和DSA.

详述：

要实现SSL双向认证， 你必须同时配置Web服务器证书和客户端证书， 并且需要在服务器和客户端之间正确安装根证书。所以， 要配置好双向SSL， 我们需要有这几样东西。

下面我一点点讲述它的详细步骤, 总共分为六个大步：

准备工作：

创建一个ssl目录， 在ssl里面再创建 ca 目录， client 目录， server 目录, jks目录, 然后定位到ssl目录.

第一大步：生成自签名CA证书

A) 创建CA私钥
zhou@ubuntu:~/ssl$ openssl genrsa -out ca/ca-key.pem 2048
genrsa 的意思就是生成rsa 私钥
-out 参数指的是生成的私钥放哪里
2048这个参数在很多其它网上的文档里面写的都是1024, 我写2048是在openssl.org官方网站里面看到的。
如下：The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as fewer amount of bits is consider insecure or to be insecure pretty soon.
B) 用CA私钥生成CA证书请求
zhou@ubuntu:~/ssl$ openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
req 的意思是生成CA证书请求
-new 估计是表示用来生成新的证书请求
-out 表示将证书请求文件放到哪里
-key 表示用哪个私钥来生成证书请求

键入回车之后，系统会要求你填写如下一系列的信息：
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn //哪个国家
State or Province Name (full name) [Some-State]:zhejiang //哪个省份
Locality Name (eg, city) []:hangzhou //哪个城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian //哪个公司
Organizational Unit Name (eg, section) []:CPT //部门名称
Common Name (eg, YOUR name) []:zhizhang //你的名字
Email Address []:zhouzz@lianlian.com //你的邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit //密码
An optional company name []:lianlian group //公司还可以叫什么名字

理论上来讲， 生成的证书请求交由CA机构后，它会颁发由CA签发的证书， 我们这里由自签名证书来代替。

C) 用CA私钥和CA证书请求生成CA自签名证书
zhou@ubuntu:~/ssl$ openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 1095
键入回车之后，系统提示签名Ok：
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=zhizhang/emailAddress=zhouzz@lianlian.com
Getting Private key

第二大步：生成server 证书

A) 创建Server私钥
zhou@ubuntu:~/ssl$ openssl genrsa -out server/server-key.pem 2048
B) 用Server私钥生成Server证书请求
zhou@ubuntu:~/ssl$ openssl req -new -out server/server-req.csr -key server/server-key.pem
键入回车之后，系统会要求你填写如下一系列的信息：
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian
Organizational Unit Name (eg, section) []:CPT
Common Name (eg, YOUR name) []:localhost //这里应当跟CA证书不一样， 应当是服务器域名或是IP
Email Address []:zhouzz@lianlian.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:lianlian group

C) 用Server私钥, Server证书请求, CA私钥和CA证书， 生成Server自签名证书
zhou@ubuntu:~/ssl$ openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
系统返回签名OK
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=localhost/emailAddress=zhouzz@lianlian.com
Getting Private key
Getting CA Private Key

D) Server将证书导出成浏览器支持的.p12格式
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
键入指令后，系统会要求输两次密码: changeit
Enter Export Password:
Verifying - Enter Export Password:


第三大步：生成client 证书
A) 创建Client私钥
zhou@ubuntu:~/ssl$ openssl genrsa -out client/client-key.pem 2048
键入回车后返回:
Generating RSA private key, 2048 bit long modulus
.....................................................+++
..............+++
e is 65537 (0x10001)

B) 用Client私钥生成Client证书请求

zhou@ubuntu:~/ssl$ openssl req -new -out client/client-req.csr -key client/client-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian
Organizational Unit Name (eg, section) []:CPT
Common Name (eg, YOUR name) []:clienthost //这里我不太清楚具体应当写什么， 我写的是客户端服务器的地址。
Email Address []:zhouzz@lianlian.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:lianlian group
C) 用Client私钥, Client证书请求, CA私钥和CA证书， 生成Client自签名证书
zhou@ubuntu:~/ssl$ openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
系统返回签名OK
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=clienthost/emailAddress=zhouzz@lianlian.com
Getting Private key
Getting CA Private Key
D) 将Client证书导出成浏览器支持的.p12格式
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
键入指令后，系统会要求输两次密码: changeit
Enter Export Password:
Verifying - Enter Export Password:

有的时候会需要指定别名， 则再加一个参数
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 -name client.lianlian.com


第四大步：根据CA证书生成truststore JKS文件(我猜这简写的意思可能是Java Key Store)
A) 生成truststore文件
zhou@ubuntu:~/ssl$ keytool -keystore jks/truststore.jks -keypass changeit -storepass lianlian.com -alias ca -import -trustcacerts -file ca/ca-cert.pem
键入回事后，提示是否信息此证书，输入yes, 则生成truststore成功。

Owner: EMAILADDRESS=zhouzz@lianlian.com, CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Issuer: EMAILADDRESS=zhouzz@lianlian.com, CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Serial number: c14463d09ba37b39
Valid from: Fri Jan 29 03:33:25 PST 2010 until: Mon Jan 28 03:33:25 PST 2013
Certificate fingerprints:
MD5: D6:4A:7E:89:59:27:88:63:B5:28:2C:38:EB:44:B5:B6
SHA1: BA:26:16:C4:4B:1C:0B:65:F2:CB:CD:DB:DF:E1:D1:C3:70:55:0D:2A
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore

第五大步：配置Tomcat SSL
tomcat6.0的配置：
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="D:\\app\\ssl\\ssl\\server\\server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="D:\\app\\ssl\\ssl\\jks\\truststore.jks" truststorePass="lianlian.com" truststoreType="JKS"/>


第六大步：测试Tomat SSL

ca-cert.pem导入至受信任的根证书颁发机构，client.p12导入至个人
访问你的应用https://ip:8443/，如果配置正确的话会出现请求你数字证书的对话框。

多写两句：
如果是Java调用， 确保在通信之前加入如下语句：

System.setProperty("javax.net.ssl.trustStore",
"\path\to\truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "lianlian.com");
System.setProperty("javax.net.ssl.keyStore",
"\path\to\client.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");