Configuring Tomcat 5 to use SSL on Windows 2000
Software | Version | Purpose
Tomcat | 5.0.28 | The servlet container whose HTTPS connector is configured below
j2sdk | 1.4.2_08 | Ships with JSSE; used to generate the key pair (keystore) that Tomcat uses
OpenSSL | 0.9.8 | Used to create the CA certificate, sign certificate requests, and produce the PKCS#12 private-key file that IE can import
ActivePerl | 5.8.7.813 | Needed to build OpenSSL
MinGW | 5.0.0 | Needed to build OpenSSL
1 Software installation
Installing J2SE and Tomcat on Windows 2000 is straightforward; refer to the documentation bundled with each, it is not described in detail here.
http://www.openssl.org distributes only source code, so OpenSSL has to be built locally. This is actually quite simple.
Installing MinGW
Install MinGW to C:/MinGW. Since I didn't know what building OpenSSL would require, I chose a full install.
Installing ActivePerl
Install ActivePerl to C:/Perl.
Building OpenSSL
Extract openssl-0.9.8.tar.gz to C:/openssl, open a command window, change to C:/openssl and run:
    ms/mw
If nothing went wrong, an out directory now exists under the openssl directory, containing openssl.exe and the other binaries.
Setting environment variables
Prepend the following to the system PATH variable: C:/MinGW/bin;C:/OpenSSL/bin;C:/Perl/bin/;C:/j2sdk1.4.2_08/jre/bin;
The build above writes openssl.exe into the out directory, so make sure the OpenSSL entry on PATH is the directory that actually contains openssl.exe. Open a fresh command window and run "openssl version" and "keytool" to confirm that both tools resolve before continuing.
2 Building your own CA
2.1 Create the working directories
The layout is:
    myca
    |-- ca
    |-- server
    |-- client
Change into the myca directory; all paths below are relative to it.
2.2 Generate the CA private key and the self-signed root certificate
2.2.1 Generate the CA private key
    openssl genrsa -out ca/cakey.pem 1024
2.2.2 Generate the certificate signing request for the CA
    openssl req -new -out ca/careq.csr -key ca/cakey.pem
2.2.3 Self-sign it with the CA private key
    openssl x509 -req -in ca/careq.csr -out ca/cacert.pem -signkey ca/cakey.pem -days 365
cakey.pem is the root of trust for everything that follows: keep it readable only by the account that runs these commands, and never copy it to the server or to a client. A 1024-bit RSA key was acceptable in 2005; on any current OpenSSL use at least 2048 bits and pass -sha256 to the signing commands. Note also that x509 -req without -extfile emits a version 1 certificate with no extensions at all (no CA:TRUE basicConstraints, no key usage); the 2005-era IE and JSSE used in this article accept such a root, but current browsers and verifiers may refuse it.
2.3 Generate and install the server certificate
2.3.1 Generate the key pair
    keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "CN=redbeans luo, OU=technology, O=topfounder, L=shanghai, ST=shanghai, C=CN" -keystore server/server_keystore
Browsers match the certificate's CN against the host name in the URL. With CN=redbeans luo, visiting https://localhost:8443 later produces a "name on the certificate does not match" warning; use the host name clients will type (CN=localhost for the test in section 2.5) if you want a clean padlock. The connector configuration in 2.3.7 carries a single keystorePass, which is why keypass and storepass are set to the same value here.
2.3.2 Generate the certificate signing request
    keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server/server.csr -keypass changeit -keystore server/server_keystore -storepass changeit
-sigalg only selects the algorithm for the request's own self-signature; the digest of the issued certificate is decided by the openssl x509 command below. MD5 is broken for signatures, so prefer SHA1withRSA (supported by this JDK) or SHA256withRSA on newer JDKs.
2.3.3 Sign with the CA private key (*)
    openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/cacert.pem -CAkey ca/cakey.pem -CAserial ca/ca-cert.srl -CAcreateserial -days 365
-CAserial names the file in which OpenSSL records the last serial number it issued. Without -CAcreateserial that file must already exist; if it does not, the command fails with the following error:
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=CN/ST=shanghai/L=shanghai/O=topfounder/OU=technology/CN=redbeans luo
    Getting CA Private Key
    ca/ca-cert.srl: No such file or directory
    3140:error:02001002:system library:fopen:No such file or directory:./crypto/bio/bss_file.c:349:fopen('D:/sslca/ca/ca-cert.srl','rb')
    3140:error:20074002:BIO routines:FILE_CTRL:system lib:./crypto/bio/bss_file.c:351:
Every later signing should reuse the same ca/ca-cert.srl; that is what keeps serial numbers unique across the server and client certificates issued by this CA. Pass the digest explicitly (-sha1 here; -sha256 on a current OpenSSL) rather than relying on the default.
Options of openssl x509 (the usage output of this version):
    usage: x509 args
     -inform arg     - input format - default PEM (one of DER, NET or PEM)
     -outform arg    - output format - default PEM (one of DER, NET or PEM)
     -keyform arg    - private key format - default PEM
     -CAform arg     - CA format - default PEM
     -CAkeyform arg  - CA key format - default PEM
     -in arg         - input file - default stdin
     -out arg        - output file - default stdout
     -passin arg     - private key password source
     -serial         - print serial number value
     -subject_hash   - print subject hash value
     -issuer_hash    - print issuer hash value
     -hash           - synonym for -subject_hash
     -subject        - print subject DN
     -issuer         - print issuer DN
     -email          - print email address(es)
     -startdate      - notBefore field
     -enddate        - notAfter field
     -purpose        - print out certificate purposes
     -dates          - both Before and After dates
     -modulus        - print the RSA key modulus
     -pubkey         - output the public key
     -fingerprint    - print the certificate fingerprint
     -alias          - output certificate alias
     -noout          - no certificate output
     -ocspid         - print OCSP hash values for the subject name and public key
     -trustout       - output a "trusted" certificate
     -clrtrust       - clear all trusted purposes
     -clrreject      - clear all rejected purposes
     -addtrust arg   - trust certificate for a given purpose
     -addreject arg  - reject certificate for a given purpose
     -setalias arg   - set certificate alias
     -days arg       - How long till expiry of a signed certificate - def 30 days
     -checkend arg   - check whether the cert expires in the next arg seconds
                       exit 1 if so, 0 if not
     -signkey arg    - self sign cert with arg
     -x509toreq      - output a certification request object
     -req            - input is a certificate request, sign and output.
     -CA arg         - set the CA certificate, must be PEM format.
     -CAkey arg      - set the CA key, must be PEM format
                       missing, it is assumed to be in the CA file.
     -CAcreateserial - create serial number file if it does not exist
     -CAserial arg   - serial file
     -set_serial     - serial number to use
     -text           - print the certificate in text form
     -C              - print out C code forms
     -md2/-md5/-sha1/-mdc2 - digest to use
     -extfile        - configuration file with X509V3 extensions to add
     -extensions     - section from config file with X509V3 extensions to add
     -clrext         - delete extensions before signing and input certificate
     -nameopt arg    - various certificate name options
     -engine e       - use engine e, possibly a hardware device.
     -certopt arg    - various certificate text options
2.3.4 Import the trusted CA root certificate into JSSE's default trust store (%JDK_ROOT%/jre/lib/security/cacerts)
    keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca/cacert.pem -keystore C:/j2sdk1.4.2_08/jre/lib/security/cacerts
(The original listing breaks off after -file; the file is the ca/cacert.pem produced in 2.2.3 and the keystore is the cacerts file listed in 2.3.6.)
This step is what lets Tomcat accept client certificates issued by our CA when clientAuth="true": JSSE validates them against the JVM's default trust store. The side effect is that every Java program run with this JDK now trusts our CA for everything. Tomcat 5.0's SSL connector accepts truststoreFile and truststorePass attributes, so on 5.0 a dedicated trust store containing only cacert.pem is the cleaner choice. Whichever store you use, change its password from the well-known default changeit.
2.3.5 Import the CA-signed server certificate into the server keystore
    keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server/server-cert.pem -keystore server/server_keystore
Because the alias is the one used in 2.3.1, keytool treats server-cert.pem as a certificate reply: it replaces the self-signed certificate of that key entry and builds the chain up to the CA certificate imported in 2.3.4. If the CA certificate cannot be found in either the keystore or cacerts, keytool reports that it failed to establish a chain from the reply, which is why 2.3.4 has to come first.
2.3.6 Inspect the certificates
    keytool -list -keystore C:/j2sdk1.4.2_08/jre/lib/security/cacerts
    keytool -list -keystore server/server_keystore
Add -v to the second command: the tomcat_server key entry should now show a certificate chain of length 2 whose issuer is our CA.
2.3.7 Modify server.xml so that Tomcat supports SSL
Locate the following block in server.xml, uncomment it, and adjust the attributes to your files: keystoreFile and keystorePass refer to the keystore created in 2.3.1, and clientAuth="true" makes Tomcat require a client certificate. If Tomcat should not authenticate clients, set clientAuth="false".
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="%TCAT_HOME%/conf/server_keystore"
               keystorePass="changeit"/>
    </Connector>
This is the Tomcat 4.x form (a Connector with a nested Factory). The server.xml shipped with Tomcat 5.0 already contains a commented-out SSL Connector on port 8443 that takes the same settings (scheme="https", secure="true", clientAuth, sslProtocol="TLS", keystoreFile, keystorePass) as attributes of the Connector element itself. Two things to check: copy server/server_keystore to %TCAT_HOME%/conf so that the path matches, and remember that keystorePass sits in server.xml in clear text, so restrict read access to that file.
2.4 Installing a personal certificate in IE
2.4.1 Generate the client private key
    openssl genrsa -out client/client-key.pem 1024
2.4.2 Generate the certificate signing request
    openssl req -new -out client/client-req.csr -key client/client-key.pem
2.4.3 Sign with the CA private key
    openssl x509 -req -in client/client-req.csr -out client/client.crt -CA ca/cacert.pem -CAkey ca/cakey.pem -CAserial ca/ca-cert.srl -CAcreateserial -days 365
The original listing also passed -signkey client/client-key.pem here and omitted -CAserial. -signkey is redundant (the certificate is signed with the key given by -CAkey) and, depending on the OpenSSL version, turns the command into a self-signing one, which would leave Tomcat with a client certificate not issued by our CA; drop it so the command matches the server signing step in 2.3.3, and use the same serial file as there. Before going further, confirm with openssl x509 -noout -issuer that client.crt names the CA as issuer rather than the client itself.
2.4.4 Generate the client's personal certificate
Because JSSE 1.0.2 does not fully implement PKCS#12 (it can read such files but not write them), OpenSSL is used here to produce the client's personal certificate bundle, which contains the private key:
    openssl pkcs12 -export -clcerts -in client/client.crt -inkey client/client-key.pem -out client/client.p12
openssl prompts for an export password; IE asks for the same password on import. client.p12 contains the client's private key, so treat it as one: move it to the client over a trusted channel and delete the copy on the CA machine once it has been imported.
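The script below is an added example, not part of the original article: it performs sections 2.2, 2.3.3 and 2.4.1 to 2.4.4 with OpenSSL alone in a throwaway directory, then verifies that both leaf certificates chain to the CA for their intended purpose. It assumes a POSIX shell and OpenSSL 1.1.1 or newer on PATH. The server CSR is produced with openssl req instead of keytool so that the script runs without a JDK; a keytool -certreq file is the same PKCS#10 format, so the sign_csr step applies unchanged to the article's server.csr. The 2048-bit keys, SHA-256 digest, subject names, password and the v3_* extension sections (CA:TRUE on the root, serverAuth/clientAuth on the leaves, which the article's bare x509 -req commands do not set) are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example (not from the original article): CA, server and client
# certificates as in sections 2.2-2.4, built with OpenSSL only.
set -e

WORK="$(mktemp -d)"                 # stands in for the myca directory of 2.1
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/ca" "$WORK/server" "$WORK/client"

# Minimal config. The v3_* sections supply the X.509v3 extensions that the
# article's plain "openssl x509 -req" commands leave out (our choice).
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# 2.2: CA key and self-signed root (2048-bit RSA and SHA-256 instead of 1024/MD5).
make_ca() {
  openssl genrsa -out "$WORK/ca/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca/cakey.pem" -out "$WORK/ca/cacert.pem" \
    -days 365 -sha256 -subj "/CN=myca test root" \
    -config "$WORK/ext.cnf" -extensions v3_ca
}

# 2.3.3 / 2.4.3: sign a PKCS#10 request with the CA.
# $1 = CSR, $2 = output certificate, $3 = extension section.
# -CAcreateserial creates ca/cacert.srl on first use and reuses it afterwards.
# No -signkey here: that option self-signs with the given key.
sign_csr() {
  openssl x509 -req -in "$1" -out "$2" \
    -CA "$WORK/ca/cacert.pem" -CAkey "$WORK/ca/cakey.pem" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/ext.cnf" -extensions "$3" 2>/dev/null
}

# Key + CSR + signed certificate for one end entity.
# $1 = directory, $2 = file base name, $3 = subject DN, $4 = extension section.
make_leaf() {
  openssl genrsa -out "$WORK/$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1/$2-key.pem" -out "$WORK/$1/$2.csr" \
    -subj "$3" -config "$WORK/ext.cnf"
  sign_csr "$WORK/$1/$2.csr" "$WORK/$1/$2-cert.pem" "$4"
}

# Chain check: prints "<file>: OK" when the certificate chains to the CA and
# is usable for the given purpose (sslserver or sslclient).
verify_cert() {
  openssl verify -CAfile "$WORK/ca/cacert.pem" -purpose "$2" "$1" 2>&1
}

# Issuer DN of a certificate, to confirm it was issued by the CA, not self-signed.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

make_ca
make_leaf server server "/CN=localhost/O=topfounder" v3_server
make_leaf client client "/CN=redbeans luo/O=topfounder" v3_client

# 2.4.4: PKCS#12 bundle for the browser; the export password is given
# non-interactively here ("changeit" is this example's placeholder).
openssl pkcs12 -export -clcerts -in "$WORK/client/client-cert.pem" \
  -inkey "$WORK/client/client-key.pem" -out "$WORK/client/client.p12" \
  -passout pass:changeit

verify_cert "$WORK/server/server-cert.pem" sslserver
verify_cert "$WORK/client/client-cert.pem" sslclient
issuer_of "$WORK/client/client-cert.pem"
```

Running it prints the two "OK" lines and the issuer of the client certificate. Because the leaves carry distinct extendedKeyUsage values, the server certificate fails the sslclient purpose check and vice versa, which is the property a Tomcat deployment with clientAuth="true" should have: a leaked server certificate cannot be replayed as a client identity.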
2.4.5 Install the trusted root certificate
The original text says to rename the CA key file (ca-key.pem) to .cer and import that into IE. That is wrong on two counts: the file IE needs is the CA certificate, not the CA private key, and the private key must never leave the CA machine. Copy ca/cacert.pem to ca/cacert.cer (IE recognises the .cer extension; the PEM content is unchanged) and, in IE on the client, use Tools > Internet Options > Content > Certificates > Import to import it into the Trusted Root Certification Authorities store. From then on that user trusts every certificate our CA issues, so do this only on test machines you control.
2.4.6 Install the personal certificate
Import client.p12 into IE on the client as a personal certificate (Personal store); the procedure is the same as in 2.4.5, except that IE asks for the export password chosen in 2.4.4.
2.5 Accessing Tomcat over SSL with IE
2.5.1 Start Tomcat
Run %TCAT_HOME%/bin/startup.bat. (The original text refers to Tomcat 4.x at this point; the startup script is the same for the 5.0.28 release listed at the top.)
2.5.2 Access Tomcat with IE
Enter https://localhost:8443 in IE's address bar. If everything above was done correctly, IE first asks which personal certificate to present (because of clientAuth="true"), then shows the Tomcat welcome page, and the closed padlock in the status bar indicates that an SSL connection with client authentication has been established. Two deviations are worth recognising: a certificate-name warning means the server certificate's CN (2.3.1) does not match the host name in the URL, and "page cannot be displayed" with no response from Tomcat usually means the client certificate was rejected, either because its CA is not in Tomcat's trust store (2.3.4) or because it was not actually issued by that CA (2.4.3). The padlock only proves that the handshake succeeded; what Tomcat does with the authenticated identity is up to the web application, which can read the presented chain from the javax.servlet.request.X509Certificate request attribute.