HTTPS certificate generation and server configuration

# One-way authentication


## Server side


Step 1: generate the server keystore


```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```

keytool then prompts interactively; answer the prompts as follows:

- "Enter keystore password": the password to set on the keystore, for example "carCrm747"
- "Re-enter new password:": repeat "carCrm747"
- "What is your first and last name?": note that this must be the service's domain name or hostname, for example "localhost"
- "What is the name of your organizational unit?": no special requirement, for example "carfinance"
- "What is the name of your organization?": no special requirement, for example "mljr"
- "What is the name of your City or Locality?": no special requirement, for example "beijing"
- "What is the name of your State or Province?": no special requirement, for example "beijing"
- "What is the two-letter country code for this unit?": no special requirement, for example "cn"
- "Enter key password for <server_key_pair_1> (RETURN if same as keystore password):": the password of the server_key_pair_1 key must be the same as the keystore password, so just press RETURN here


Step 2: Tomcat configuration


Edit Tomcat's server.xml and change the following section


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"/>
-->
```


to


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" 
    keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"/>
```


Note that clientAuth="false" means one-way authentication; keystoreFile is set to the path of the server keystore and keystorePass is the password of the server keystore.


## Client side


No special configuration is required.


## Verification


Step 1: start the carfinance-crm-httpsdemo-server module with the modified Tomcat configuration


Step 2: call the server interface from the client


Run the testGet() and testPost() methods of UnilateralHttpsClientTest under the src/test/java directory of the carfinance-crm-httpsdemo-client module to test an HTTPS GET request and an HTTPS POST request respectively.


# Mutual authentication


## Server side


Step 1: generate the server keystore; the same notes as Step 1 of one-way authentication apply


```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```


Set the keystore password to "carCrm747".


Step 2: export the server certificate


```
sudo keytool -export -alias server_key_pair_1 -validity 365 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```


Enter the keystore password when prompted: "carCrm747"


Step 3: build the server truststore from the client certificate (generating the client certificate is described in the client-side section below; this step must be done after the client certificate has been generated)


```
sudo keytool -import -alias client_crt -validity 365 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.truststore
```


Note that this step sets a password for the truststore, for example "890890"; keytool also asks whether to trust the certificate being imported, which must be answered yes.


Step 4: Tomcat configuration


Edit Tomcat's server.xml and change the following section


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation that requires the JSSE
    style configuration. When using the APR/native implementation, the
    OpenSSL style configuration is required as described in the APR/native
    documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"/>
-->
```

to


```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation that requires the JSSE
    style configuration. When using the APR/native implementation, the
    OpenSSL style configuration is required as described in the APR/native
    documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"
    truststoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.truststore" truststorePass="890890"/>
```


Note that clientAuth="true" means mutual authentication; keystoreFile is set to the path of the server keystore, keystorePass is the password of the server keystore, truststoreFile is the path of the server truststore and truststorePass is the password of the server truststore.


## Client side


Step 1: generate the client keystore


```
sudo keytool -genkeypair -alias client_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
```

keytool then prompts interactively; answer the prompts as follows:

- "Enter keystore password": the password to set on the keystore, for example "123456"
- "Re-enter new password:": repeat "123456"
- "What is your first and last name?": no special requirement, for example "httpsdemo-client"
- "What is the name of your organizational unit?": no special requirement, for example "carfinance"
- "What is the name of your organization?": no special requirement, for example "mljr"
- "What is the name of your City or Locality?": no special requirement, for example "beijing"
- "What is the name of your State or Province?": no special requirement, for example "beijing"
- "What is the two-letter country code for this unit?": no special requirement, for example "cn"
- "Enter key password for <client_key_pair_1> (RETURN if same as keystore password):": no special requirement, for example just press RETURN to use the same password as the keystore


Step 2: export the client certificate


```
sudo keytool -export -alias client_key_pair_1 -validity 365 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
```


Enter the keystore password when prompted: "123456"


Step 3: build the client truststore from the server certificate (generating the server certificate is described in the server-side section above; this step must be done after the server certificate has been generated)


```
sudo keytool -import -alias server_crt -validity 365 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.truststore
```


Note that this step sets a password for the truststore, for example "654321"; keytool also asks whether to trust the certificate being imported, which must be answered yes.


## Verification


Step 1: start the carfinance-crm-httpsdemo-server module with the modified Tomcat configuration


Step 2: call the server interface from the client


Run the testGet() and testPost() methods of UnilateralHttpsClientTest under the src/test/java directory of the carfinance-crm-httpsdemo-client module to test an HTTPS GET request and an HTTPS POST request respectively. The requests fail, because no client certificate trusted by the server is presented to it.


Run the testGet() and testPost() methods of MutualHttpsClientTest under the src/test/java directory of the carfinance-crm-httpsdemo-client module to test an HTTPS GET request and an HTTPS POST request respectively. The requests succeed.
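As an added example (not the demo module's own code), the following JDK-only client plays the role of the test clients in both verification sections: with only the client truststore loaded it behaves like the one-way client, and with the client keystore loaded as well it completes the mutual handshake. The keystore paths and passwords are the ones created in the steps above; the endpoint path /api/ping is a placeholder, since the post does not name the demo server's endpoints.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not the demo module's code): a JDK-only HTTPS client for the keystores created in this post.
public class MutualHttpsClientExample {
    // Load a keystore written by keytool; the JDK's default type matches what its own keytool produces.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust the server certificate imported into the client truststore (client-side Step 3). With keystorePath == null
    // the context carries no client key material, like the one-way client; a clientAuth="true" connector rejects that handshake.
    static SSLContext buildContext(String truststorePath, char[] trustPass,
                                   String keystorePath, char[] keyPass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, trustPass));
        KeyManager[] keyManagers = null;
        if (keystorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // The key password equals the keystore password because Step 1 pressed RETURN at the key-password prompt.
            kmf.init(load(keystorePath, keyPass), keyPass);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Paths and passwords are the ones the mutual-authentication steps in this post create.
        SSLContext ctx = buildContext(
                "/usr/local/crm_keystore/client/carfinance.crm.client.truststore", "654321".toCharArray(),
                "/usr/local/crm_keystore/client/carfinance.crm.client.keystore", "123456".toCharArray());
        // The server certificate's CN is "localhost", so hostname verification passes; "/api/ping" is a placeholder path.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/api/ping").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Passing null for keystorePath reproduces the failing UnilateralHttpsClientTest case: the TLS handshake ends with an SSLHandshakeException instead of an HTTP status.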

