注:SSL双向数字证书认证原理,请阅读上篇文章《SSL 与 数字证书 的基本概念和工作原理》
一:生成CA证书
目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
openssl中有如下后缀名的文件
.key格式:私有的密钥
.csr格式:证书签名请求(证书请求文件),含有公钥信息,certificate signing request的缩写
.crt格式:证书文件,certificate的缩写
.crl格式:证书吊销列表,Certificate Revocation List的缩写
.pem格式:用于导出,导入证书时候的证书的格式,有证书开头,结尾的格式
网上下载一个openssl软件
1.创建私钥: (此时会创建一个密钥对,即一个公钥一个私钥)
C:\OpenSSL\bin>openssl genrsa -out ca/sotech.key 2048
2.创建证书请求 : 这里将生成一个新的文件cert.csr,即一个证书请求文件,你可以拿着这个文件去数字证书颁发机构(即CA)申请一个数字证书。CA会给你一个新的文件cacert.pem,那才是你的数字证书。
C:\OpenSSL\bin>openssl req -new -key ca/sotech.key -out ca/sotech.csr
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:LN
Locality Name (eg, city) []:DL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SOTECH
Organizational Unit Name (eg, section) []:HQ
Common Name (eg, YOUR name) []:SOTECH
Email Address []:test@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:x1ex5GjG
An optional company name []:x1ex5GjG
3.自签署证书 :
生成cer文件
C:\OpenSSL\bin>openssl x509 -req -in ca/sotech.csr -signkey ca/sotech.key -days 10950 -out ca/sotech.cer
-days 3650 控制有效期限为3650天,默认为30天。
二.生成server证书。
1.创建私钥 :
C:\OpenSSL\bin>openssl genrsa -out server/server_100.key 2048
2.创建证书请求 :
C:\OpenSSL\bin>openssl req -new -key server/server_100.key -out server/server_100.csr
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:LN
Locality Name (eg, city) []:AS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AK
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:10.18.26.100 注释:一定要写服务器所在的ip地址, 不建议写localhost
Email Address []:test@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:46ZHzJc1
An optional company name []:46ZHzJc1
3.自签署证书 :
C:\OpenSSL\bin>openssl x509 -req -in server/server_100.csr -signkey server/server_100.key -CA ca/sotech.cer -CAkey ca/sotech.key -CAcreateserial -days 10950 -out server/server_100.pem
4.将证书导出成浏览器支持的.p12格式 :
C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in server/server_100.pem -inkey server/server_100.key -out server/server_100.p12
密码: 46ZHzJc1
三.生成client证书。
1.创建私钥 :
C:\OpenSSL\bin>openssl genrsa -out client/client_admin.key 2048
2.创建证书请求 :
C:\OpenSSL\bin>openssl req -new -key client/client_admin.key -out client/client_admin.csr
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:LN
Locality Name (eg, city) []:AS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AK
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:admin
Email Address []:test@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:46ZHzJc1
An optional company name []:46ZHzJc1
3.自签署证书 :
C:\OpenSSL\bin>openssl x509 -req -in client/client_admin.csr -signkey client/client_admin.key -CA ca/sotech.cer -CAkey ca/sotech.key -CAcreateserial -days 10950 -out client/client_admin.pem
4.将证书导出成浏览器支持的.p12格式 :
C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in client/client_admin.pem -inkey client/client_admin.key -out client/client_admin.p12
密码: changeit
四.根据ca证书生成jks文件
C:\OpenSSL\bin>"C:\Program Files\Java\jdk1.7.0_80\bin\keytool" -keystore C:\openssl\bin\jks\truststore.jks -keypass 46ZHzJc1 -storepass 46ZHzJc1 -alias sotech -import -trustcacerts -file C:\openssl\bin\ca\sotech.cer
五.配置tomcat ssl
修改conf/server.xml。tomcat7中多了SSLEnabled="true"属性。keystorefile, truststorefile设置为你正确的相关路径,或者直接复制到C:\apache-tomcat-7.0.75目录下
tomcat7的配置:
<Connector port="8443" protocol=www.365soke.com"org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https"www.xycheng178.com secure="true"
clientAuth="true" sslProtocol=www.dfgjyl.cn"TLS"
keystoreFile="server_100.p12" keystorePass=www.michenggw.com"46ZHzJc1" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass=www.furggw.com"46ZHzJc1" truststoreType="JKS" />
六.导入证书
将sotech.p12,client_admin.p12分别导入到IE中去(打开IE->;Internet选项->内容->证书)。
sotech.p12导入至受信任的根证书颁发机构, client_admin.p12导入至个人
七.验证ssl配置是否正确访问你的应用https://localhost:8443/,如果配置正确的话会出现请求你数字证书的对话框。
另: web.xml
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
SSL的授权设置(window环境写不写都可以,待研究)
<security-constraint>
<!-- Authorization setting www.mengzhidu178.com for SSL -->
<web-resource-collection>
<web-resource-name>SSL<www.hengy178.com /web-resource-name>
<url-pattern>/SSL/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL<www.huarenyl.cn /transport-guarantee>
</user-data-constraint>
</security-constraint>
openSSL双向数字证书认证
最新推荐文章于 2022-02-23 21:34:54 发布