Chinaunix首页 | 论坛 | 博客
  • 博客访问: 479072
  • 博文数量: 63
  • 博客积分: 1485
  • 博客等级: 上尉
  • 技术积分: 596
  • 用 户 组: 普通用户
  • 注册时间: 2010-02-21 14:49
文章分类

全部博文(63)

文章存档

2018年(8)

2017年(25)

2016年(10)

2012年(6)

2010年(14)

我的朋友

分类: Web开发

2017-06-19 14:41:42

0、中心思想
项目里需要https双向认证,证书的提供就不等别人了,自己卷起袖子生成证书,这样进度会快一些。
其实,对于openssl的使用,我现在也是糊里糊涂,从网上借鉴了一些方法,攒出来这个可行的脚本,跟大家分享一下。
欢迎较真的朋友指点其中的不足,这样,我就又可以提高一点了:)

1、主要内容
首先,生成一个CA,也就是根证书。
然后,生成两个证书请求,将来生成的证书分别是给client和server用的。
接着,通过CA和两个证书请求来生成两个证书(client和server)。也就是说,这两个证书(client + server)都是CA认证的了。
再往下,把CA证书转成trust.jks,把server证书转成server.jks,把这两个jks部署到tomcat里。
最后,通过curl携带client证书访问server,成功!这一步骤也可以通过浏览器来操作。

2、具体操作
2.0  构建一个openssl.cfg文件
这个文件是给CA用的,后面就只有两个步骤需要这个文件: 生成自认证的CA,和根据证书请求进行证书的生成。

点击(此处)折叠或打开

  1. [ ca ]
  2. default_ca = myca
  3. [ myca ]
  4. dir = MyCA
  5. certificate = $dir/certs/cacert.pem
  6. database = $dir/index.txt
  7. new_certs_dir = $dir/certs
  8. private_key = $dir/private/cakey.pem
  9. serial = $dir/serial
  10. default_crl_days= 7
  11. default_days = 365
  12. default_md = sha256
  13. policy = myca_policy
  14. x509_extensions = certificate_extensions
  15. [ myca_policy ]
  16. commonName = supplied
  17. stateOrProvinceName = supplied
  18. countryName = supplied
  19. emailAddress = supplied
  20. organizationName= supplied
  21. organizationalUnitName = optional
  22. [ certificate_extensions ]
  23. basicConstraints= CA:false
  24. [ req ]
  25. default_bits = 2048
  26. default_keyfile = MyCA/private/cakey.pem
  27. default_md = sha256
  28. prompt = no
  29. distinguished_name = root_ca_distinguished_name
  30. x509_extensions = root_ca_extensions
  31. [ root_ca_distinguished_name ]
  32. commonName = MyCA
  33. stateOrProvinceName = Z1
  34. countryName = Z2
  35. emailAddress = zz@zz.com
  36. organizationName = Z3
  37. [ root_ca_extensions ]
  38. basicConstraints = CA:true
2.1 生成一些目录,后续生成的文件就在这些目录里面了

点击(此处)折叠或打开

  1. #!/bin/sh
  2. local_dir=$PWD
  3. mkdir keystore      <--- 用于存放两个jks文件,最终这两个文件被tomcat访问
  4. mkdir client4curl   <--- 用于存放client的证书文件,这些格式的文件可以给curl进行使用
  5. mkdir client        <--- 用于存放所有的client + server的证书
  6. mkdir MyCA          <--- 用于存放CA(根证书),并且根据请求生成的client/server证书的最初形式也都在这里
  7. cd MyCA
  8. mkdir certs private
  9. chmod g-rwx,o-rwx private
  10. echo "01" > serial
  11. touch index.txt
注意,openssl.cfg就放到跟MyCA同一级的目录下,整体目录如下:
   home |
            | client
            | client4curl
            | keystore
            | MyCA
            | openssl.cnf



2.2  生成CA,这是自认证的

点击(此处)折叠或打开

  1. OPENSSL_CONF="${PWD}/openssl.cnf"
  2. export OPENSSL_CONF
  3. mydir="MyCA/certs"
  4. openssl req -x509 -newkey rsa -out ${mydir}/cacert.pem -outform PEM -days 356 -nodes
  5. echo ""
  6. echo "---check the root ca---"
  7. openssl x509 -in ${mydir}/cacert.pem -text -noout

     根证书生成在

点击(此处)折叠或打开

  1. $ ls MyCA/private/
  2. cakey.pem         <--  私钥
  3. $ ls MyCA/certs/
  4. cacert.pem        <-- 根证书

    openssl x509 -in ${mydir}/cacert.pem -text -noout 的返回结果是:

点击(此处)折叠或打开

  1. Certificate:
  2. Data:
  3. Version: 3 (0x2)
  4. Serial Number: 15835710475854792812 (0xdbc3bec6cf41c86c)
  5. Signature Algorithm: sha256WithRSAEncryption
  6. Issuer: CN=MyCA, ST=Z1, C=Z2/emailAddress=zz@zz.com, O=Z3
  7. Validity
  8. Not Before: Jun 19 06:55:55 2017 GMT
  9. Not After : Jun 10 06:55:55 2018 GMT
  10. Subject: CN=MyCA, ST=Z1, C=Z2/emailAddress=zz@zz.com, O=Z3
  11. Subject Public Key Info:
  12. Public Key Algorithm: rsaEncryption
  13. Public-Key: (2048 bit)
  14. Modulus:
  15. 00:c0:fa:81:0b:8a:e1:49:45:54:85:ad:49:6b:21:
  16. a9:aa:f8:75:f0:ad:31:c5:eb:17:98:aa:57:33:fb:
  17. 73:48:9e:51:55:d2:e6:59:b7:48:b7:46:fd:3f:5b:
  18. 5e:d1:cd:ce:14:d7:fa:c5:0c:29:60:24:b5:43:6a:
  19. 2d:27:26:a3:24:08:df:3d:91:80:be:55:39:fa:72:
  20. 61:34:0d:01:a1:2a:22:80:c1:ad:e5:40:25:4a:79:
  21. a2:00:1c:84:e2:d8:c4:82:6f:80:62:28:4c:04:e8:
  22. b3:8b:8c:c5:f6:93:1f:7b:5e:20:d2:83:61:6d:04:
  23. d0:b3:a1:80:9b:e6:0d:dd:ae:a5:e1:80:81:80:a5:
  24. cd:c4:35:49:c7:92:cd:f4:69:26:17:d0:f6:f4:1c:
  25. b8:7b:ac:61:19:20:4f:97:96:e9:b8:2e:7a:0a:2c:
  26. a2:07:dc:2f:e9:47:bc:6a:6d:c0:9f:ad:d1:a4:73:
  27. ea:cd:46:c1:e2:ad:b2:2a:e5:f5:6b:8b:94:4e:71:
  28. c8:a4:fa:c5:e5:93:91:e2:8a:4b:95:62:85:82:ec:
  29. 8b:64:0b:ea:1b:72:bb:57:b5:6d:68:0b:19:41:f8:
  30. b7:7b:f8:4f:c0:5c:47:85:74:07:f0:39:75:c0:27:
  31. 2b:e9:fc:fa:06:50:f2:99:47:a3:1f:9a:4b:24:6c:
  32. ff:57
  33. Exponent: 65537 (0x10001)
  34. X509v3 extensions:
  35. X509v3 Basic Constraints:
  36. CA:TRUE
  37. Signature Algorithm: sha256WithRSAEncryption
  38. 9a:a3:44:14:c3:76:41:f6:1f:d6:10:5b:01:b4:82:b8:ca:9e:
  39. 15:5a:e3:a9:aa:2c:40:81:65:91:c6:a0:e3:3f:0b:9f:f2:28:
  40. d3:6f:0b:44:59:92:0e:2e:9e:f7:7a:c4:0f:4b:94:1e:24:cb:
  41. f1:87:8a:5e:89:4e:51:a8:c9:bb:23:0e:b2:32:a9:91:27:f5:
  42. 0c:b7:dd:15:b9:1b:e5:d8:51:27:0f:4b:c1:c7:fd:48:5d:e2:
  43. 1b:3f:8d:f0:cd:40:35:c8:0d:14:d9:5f:e4:75:55:48:7c:69:
  44. a2:cb:fe:91:d4:94:9a:06:f6:d4:8f:42:6e:14:45:08:71:cc:
  45. 12:aa:d6:e5:25:37:2c:16:75:e1:34:dc:1d:cf:6e:7b:6a:8d:
  46. ce:fb:b1:c3:19:55:91:af:9e:23:ea:04:51:9f:3d:f7:a1:16:
  47. e2:bf:1f:2f:5d:a7:dd:3a:5d:f7:b1:bb:48:64:a4:37:3a:40:
  48. 5b:bc:67:53:05:22:a1:02:1a:33:8d:08:5d:31:ae:e7:da:2f:
  49. ef:b2:34:2a:19:d8:b3:89:13:82:1f:a1:74:b1:a5:0b:73:e4:
  50. d1:09:6c:d5:61:9e:7c:3e:ab:2c:2c:c3:e1:1b:11:a6:af:a8:
  51. 9f:23:89:ab:91:1c:5d:a0:1b:4d:56:af:8b:82:0c:7b:12:de:
  52. 88:fd:a5:72

2.3 生成client/server证书的请求
注意,这个步骤是不需要openssl.cnf的。正常来讲,这个操作是在CA以外的地方进行的。

点击(此处)折叠或打开

  1. #!/bin/sh
  2. unset OPENSSL_CONF
  3. client_dir="client"
  4. echo "======== start to generate req for cleint ======="
  5. openssl req -newkey rsa:1024 -keyout ${client_dir}/clientkey.pem -keyform PEM -out ${client_dir}/clientreq.csr -outform PEM -nodes -subj /C=c1/ST=c2/L=c3/O=c4/OU=c5/CN=client01/emailAddress=client01@test.com
  6. echo "======== start to generate req for server ======="
  7. openssl req -newkey rsa:1024 -keyout ${client_dir}/serverkey.pem -keyform PEM -out ${client_dir}/serverreq.csr -outform PEM -nodes -subj /C=s1/ST=s2/L=s3/O=s4/OU=s5/CN=server/emailAddress=server@test.com

    结果生成两对文件: (私钥 + 请求) * 2

点击(此处)折叠或打开

  1. $ ls client
  2. clientkey.pem clientreq.csr serverkey.pem serverreq.csr


2.4 根据请求生成client/server证书
这个动作是在CA进行的。正常情况下,需要把上面生成的证书请求发给CA,然后CA做这个动作。
这样生成的两个证书,就都是经过CA认证的了。
这里的04_confirm.txt文件就是2行,每行一个"Y"加一个回车。就是为了提供一个自动确认。

点击(此处)折叠或打开

  1. #!/bin/sh
  2. OPENSSL_CONF="${PWD}/openssl.cnf"
  3. export OPENSSL_CONF
  4. echo "======= start to generate client pem ======="
  5. openssl ca -in client/clientreq.csr < 04_confirm.txt
  6. cp MyCA/certs/01.pem client/client.pem
  7. echo "======= start to generate server pem ======="
  8. openssl ca -in client/serverreq.csr < 04_confirm.txt
  9. cp MyCA/certs/02.pem client/server.pem
会在MyCA/certs/下生成01.pem和02.pem文件,分别是client和server的证书,这个证书是经过CA认证的。
client.pem内容

点击(此处)折叠或打开

  1. $ cat client/client.pem
  2. Certificate:
  3. Data:
  4. Version: 3 (0x2)
  5. Serial Number: 1 (0x1)
  6. Signature Algorithm: sha256WithRSAEncryption
  7. Issuer: CN=MyCA, ST=Z1, C=Z2/emailAddress=zz@zz.com, O=Z3        <--- CA的信息
  8. Validity
  9. Not Before: Jun 19 07:02:14 2017 GMT
  10. Not After : Jun 19 07:02:14 2018 GMT
  11. Subject: CN=client01, ST=c2, C=c1/emailAddress=client01@test.com, O=c4, OU=c5
  12. Subject Public Key Info:
  13. Public Key Algorithm: rsaEncryption
  14. Public-Key: (1024 bit)
  15. Modulus:
  16. 00:b5:61:08:04:ed:93:78:5f:ce:f3:1c:db:2f:78:
  17. d7:a3:09:0b:48:99:ca:8f:ba:ba:65:5b:a7:39:e2:
  18. c2:95:5d:c8:82:ca:51:c1:c3:41:ea:7b:e2:4d:7d:
  19. 59:40:65:02:db:08:e3:01:85:41:ab:a7:a3:d2:06:
  20. 61:af:2f:11:be:5d:41:31:0e:9e:a7:ad:91:7c:2c:
  21. 4c:77:d8:3b:ce:48:ce:de:00:a7:a4:63:a7:d0:c6:
  22. 3a:96:7d:5b:15:40:8f:8b:34:35:ce:4f:f6:e8:93:
  23. c4:11:0e:4a:01:e8:f9:bf:e4:a7:20:79:3e:55:5e:
  24. 5d:23:3f:2b:5c:d4:62:8a:c9
  25. Exponent: 65537 (0x10001)
  26. X509v3 extensions:
  27. X509v3 Basic Constraints:
  28. CA:FALSE
  29. Signature Algorithm: sha256WithRSAEncryption
  30. 86:85:e6:b3:bf:5b:b8:f2:c5:2e:74:11:82:46:49:4e:e0:fa:
  31. a2:33:46:0a:ef:00:83:ac:7e:53:06:9f:6a:3d:e3:a8:f6:aa:
  32. 50:64:2d:d1:5c:c1:55:89:88:a7:e8:44:a8:27:99:90:fe:4d:
  33. fd:5e:be:0a:9d:b6:57:93:93:be:7d:c9:16:2f:d6:f6:4e:e9:
  34. d9:76:de:12:67:c7:d1:b9:26:43:d7:f5:16:a7:83:89:69:eb:
  35. 0f:58:42:14:2f:b7:3c:45:16:95:6a:6d:c7:01:cc:3e:20:e6:
  36. 57:af:06:db:cd:8f:0a:98:2f:1e:a1:1b:bc:9d:6b:eb:e3:a7:
  37. 5c:c4:4d:44:fc:d7:26:af:34:a2:da:79:59:e0:98:b9:88:5c:
  38. 99:2f:75:43:f9:c8:4a:94:fb:03:83:c6:15:df:05:0f:8b:d7:
  39. 7f:52:5e:49:66:ba:b7:78:7d:09:bf:48:aa:9c:92:18:35:a8:
  40. 28:78:26:f3:76:2a:07:89:c2:dd:ae:9f:50:46:e6:a0:01:b5:
  41. dc:d1:a1:f5:5d:e6:a4:3c:55:99:38:d3:ed:6a:83:49:c0:80:
  42. f2:13:93:44:d1:e9:33:99:30:7e:b4:08:47:7d:87:be:ac:67:
  43. f5:54:30:ca:9b:b9:7a:a6:6b:98:30:f1:46:50:16:ba:ce:b8:
  44. 17:ef:cd:53
  45. -----BEGIN CERTIFICATE-----
  46. MIICvTCCAaWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQ0wCwYDVQQDEwRNeUNB
  47. MQswCQYDVQQIEwJaMTELMAkGA1UEBhMCWjIxGDAWBgkqhkiG9w0BCQEWCXp6QHp6
  48. LmNvbTELMAkGA1UEChMCWjMwHhcNMTcwNjE5MDcwMjE0WhcNMTgwNjE5MDcwMjE0
  49. WjBpMREwDwYDVQQDDAhjbGllbnQwMTELMAkGA1UECAwCYzIxCzAJBgNVBAYTAmMx
  50. MSAwHgYJKoZIhvcNAQkBFhFjbGllbnQwMUB0ZXN0LmNvbTELMAkGA1UECgwCYzQx
  51. CzAJBgNVBAsMAmM1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1YQgE7ZN4
  52. X87zHNsveNejCQtImcqPurplW6c54sKVXciCylHBw0Hqe+JNfVlAZQLbCOMBhUGr
  53. p6PSBmGvLxG+XUExDp6nrZF8LEx32DvOSM7eAKekY6fQxjqWfVsVQI+LNDXOT/bo
  54. k8QRDkoB6Pm/5KcgeT5VXl0jPytc1GKKyQIDAQABow0wCzAJBgNVHRMEAjAAMA0G
  55. CSqGSIb3DQEBCwUAA4IBAQCGheazv1u48sUudBGCRklO4PqiM0YK7wCDrH5TBp9q
  56. PeOo9qpQZC3RXMFViYin6ESoJ5mQ/k39Xr4KnbZXk5O+fckWL9b2TunZdt4SZ8fR
  57. uSZD1/UWp4OJaesPWEIUL7c8RRaVam3HAcw+IOZXrwbbzY8KmC8eoRu8nWvr46dc
  58. xE1E/NcmrzSi2nlZ4Ji5iFyZL3VD+chKlPsDg8YV3wUPi9d/Ul5JZrq3eH0Jv0iq
  59. nJIYNagoeCbzdioHicLdrp9QRuagAbXc0aH1XeakPFWZONPtaoNJwIDyE5NE0ekz
  60. mTB+tAhHfYe+rGf1VDDKm7l6pmuYMPFGUBa6zrgX781T
  61. -----END CERTIFICATE-----

2.5 把CA根证书导入trust.jks

点击(此处)折叠或打开

  1. echo "======= import CA as trust.jks ========"
  2. keytool -import -noprompt -file MyCA/certs/cacert.pem -keystore keystore/trust.jks -storepass 123456
查看trust.jks

点击(此处)折叠或打开

  1. $keytool -list -v -keystore keystore/trust.jks -storepass 123456
  2. Keystore type: JKS
  3. Keystore provider: SUN
  4. Your keystore contains 1 entry
  5. Alias name: mykey
  6. Creation date: Jun 19, 2017
  7. Entry type: trustedCertEntry
  8. Owner: O=Z3, EMAILADDRESS=zz@zz.com, C=Z2, ST=Z1, CN=MyCA
  9. Issuer: O=Z3, EMAILADDRESS=zz@zz.com, C=Z2, ST=Z1, CN=MyCA
  10. Serial number: dbc3bec6cf41c86c
  11. Valid from: Mon Jun 19 14:55:55 CST 2017 until: Sun Jun 10 14:55:55 CST 2018
  12. Certificate fingerprints:
  13. MD5: 69:D5:32:62:FB:1D:1F:75:02:28:93:B0:35:34:58:61
  14. SHA1: D6:E9:47:46:CB:BB:2E:2D:3B:E2:91:E2:15:A6:E3:64:0C:F4:B6:42
  15. SHA256: F4:EB:83:FB:BD:9A:A6:B3:DA:1A:F7:1D:B4:DD:20:09:9A:B5:D1:1B:4E:4A:1F:30:39:AC:82:93:6B:2A:17:10
  16. Signature algorithm name: SHA256withRSA
  17. Version: 3
  18. Extensions:
  19. #1: ObjectId: 2.5.29.19 Criticality=false
  20. BasicConstraints:[
  21. CA:true
  22. PathLen:2147483647
  23. ]

2.6 把server证书转换成pkcs12格式,然后导入server.jks

点击(此处)折叠或打开

  1. echo ""
  2. echo "======= export server.pem to server.pkcs12 =========="
  3. openssl pkcs12 -export -in client/server.pem -inkey client/serverkey.pem -out client/server.p12 -passout pass:123456
  4. echo ""
  5. echo "======= import server.pkcs12 to server.jks =========="
  6. keytool -importkeystore -srckeystore client/server.p12 -srcstoretype PKCS12 -srcstorepass 123456 -deststorepass 123456 -destkeystore keystore/server.jks
查看server.jks

点击(此处)折叠或打开

  1. $keytool -list -v -keystore keystore/server.jks -storepass 123456
  2. Keystore type: JKS
  3. Keystore provider: SUN
  4. Your keystore contains 1 entry
  5. Alias name: 1
  6. Creation date: Jun 19, 2017
  7. Entry type: PrivateKeyEntry
  8. Certificate chain length: 1
  9. Certificate[1]:
  10. Owner: OU=s5, O=s4, EMAILADDRESS=server@test.com, C=s1, ST=s2, CN=server
  11. Issuer: O=Z3, EMAILADDRESS=zz@zz.com, C=Z2, ST=Z1, CN=MyCA
  12. Serial number: 2
  13. Valid from: Mon Jun 19 15:02:14 CST 2017 until: Tue Jun 19 15:02:14 CST 2018
  14. Certificate fingerprints:
  15. MD5: D6:36:D9:39:9A:1B:1B:D2:D4:AF:73:0D:74:E2:C0:A9
  16. SHA1: 1E:EC:4D:55:71:AA:2C:A8:65:7C:E6:D2:CB:1C:80:60:41:D7:72:03
  17. SHA256: C1:C2:DF:5A:4E:57:69:7E:DE:7E:95:AC:76:79:A0:6F:5C:AE:45:C7:01:F7:5F:67:4E:F2:DC:4F:73:96:7E:DC
  18. Signature algorithm name: SHA256withRSA
  19. Version: 3
  20. Extensions:
  21. #1: ObjectId: 2.5.29.19 Criticality=false
  22. BasicConstraints:[
  23. CA:false
  24. PathLen: undefined
  25. ]

2.7 把client证书生成curl可用的格式
最终,将会用new.client.all.pem做为curl使用的证书。

点击(此处)折叠或打开

  1. #!/bin/sh
  2. echo "====== export client.pem to pkcs12 format ========="
  3. openssl pkcs12 -export -in client/client.pem -inkey client/clientkey.pem -out client/client.p12 -passout pass:123456
  4. echo ""
  5. echo "====== export client.p12 to new.client.pem (no private key inside) which is used by curl ==========="
  6. openssl pkcs12 -in client/client.p12 -out client4curl/new.client.pem -nodes -passin pass:123456
  7. echo ""
  8. echo "====== export client.p12 to new.client.keypem (only private key) which is used by curl ==========="
  9. openssl pkcs12 -in client/client.p12 -out client4curl/new.client.key.pem -nocerts -nodes -passin pass:123456
  10. echo ""
  11. echo "====== export client.p12 to new.client.all.pem (with private key) which is used by curl ==========="      
  12. openssl pkcs12 -in client/client.p12 -out client4curl/new.client.all.pem -nodes -passin pass:123456
查看new.client.all.pem

点击(此处)折叠或打开

  1. $ cat client4curl/new.client.all.pem

  2. Bag Attributes
  3. localKeyID: 8B EE 4F 8D 23 91 11 A2 49 70 FA 02 E9 39 FF BF 00 E6 0E 41
  4. subject=/CN=client01/ST=c2/C=c1/emailAddress=client01@test.com/O=c4/OU=c5
  5. issuer=/CN=MyCA/ST=Z1/C=Z2/emailAddress=zz@zz.com/O=Z3
  6. -----BEGIN CERTIFICATE-----
  7. MIICvTCCAaWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQ0wCwYDVQQDEwRNeUNB
  8. MQswCQYDVQQIEwJaMTELMAkGA1UEBhMCWjIxGDAWBgkqhkiG9w0BCQEWCXp6QHp6
  9. LmNvbTELMAkGA1UEChMCWjMwHhcNMTcwNjE5MDcwMjE0WhcNMTgwNjE5MDcwMjE0
  10. WjBpMREwDwYDVQQDDAhjbGllbnQwMTELMAkGA1UECAwCYzIxCzAJBgNVBAYTAmMx
  11. MSAwHgYJKoZIhvcNAQkBFhFjbGllbnQwMUB0ZXN0LmNvbTELMAkGA1UECgwCYzQx
  12. CzAJBgNVBAsMAmM1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1YQgE7ZN4
  13. X87zHNsveNejCQtImcqPurplW6c54sKVXciCylHBw0Hqe+JNfVlAZQLbCOMBhUGr
  14. p6PSBmGvLxG+XUExDp6nrZF8LEx32DvOSM7eAKekY6fQxjqWfVsVQI+LNDXOT/bo
  15. k8QRDkoB6Pm/5KcgeT5VXl0jPytc1GKKyQIDAQABow0wCzAJBgNVHRMEAjAAMA0G
  16. CSqGSIb3DQEBCwUAA4IBAQCGheazv1u48sUudBGCRklO4PqiM0YK7wCDrH5TBp9q
  17. PeOo9qpQZC3RXMFViYin6ESoJ5mQ/k39Xr4KnbZXk5O+fckWL9b2TunZdt4SZ8fR
  18. uSZD1/UWp4OJaesPWEIUL7c8RRaVam3HAcw+IOZXrwbbzY8KmC8eoRu8nWvr46dc
  19. xE1E/NcmrzSi2nlZ4Ji5iFyZL3VD+chKlPsDg8YV3wUPi9d/Ul5JZrq3eH0Jv0iq
  20. nJIYNagoeCbzdioHicLdrp9QRuagAbXc0aH1XeakPFWZONPtaoNJwIDyE5NE0ekz
  21. mTB+tAhHfYe+rGf1VDDKm7l6pmuYMPFGUBa6zrgX781T
  22. -----END CERTIFICATE-----
  23. Bag Attributes
  24. localKeyID: 8B EE 4F 8D 23 91 11 A2 49 70 FA 02 E9 39 FF BF 00 E6 0E 41
  25. Key Attributes:
  26. -----BEGIN PRIVATE KEY-----
  27. MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALVhCATtk3hfzvMc
  28. 2y9416MJC0iZyo+6umVbpzniwpVdyILKUcHDQep74k19WUBlAtsI4wGFQauno9IG
  29. Ya8vEb5dQTEOnqetkXwsTHfYO85Izt4Ap6Rjp9DGOpZ9WxVAj4s0Nc5P9uiTxBEO
  30. SgHo+b/kpyB5PlVeXSM/K1zUYorJAgMBAAECgYEAkcYqa8uFenmGGl5WyxCUPrRG
  31. HVN9OYcZx9yhyiQ1v1ZgkL2Kd/A2Sf7HIwBbeyWz5dZ+m/o9jXhucZ4vZFywJLTk
  32. FxAhzKqVPiW9h4gH+RWtdWZpgWJS0oVWpwsHKhVdK9hv23QInmk7ldjwN9SuAKq4
  33. 0ZifwswXYVK61AuLnAECQQDa5x9zFI8+GMnDtNPvGzcFb/OxsWQSDf/6BCV2SqDC
  34. 2i6YL2U7QLy5RkyM1ULPXMMcL0r/mtZ2O87klfIdTxT9AkEA1B36BkRHWEnXIz9k
  35. He6BWFXXPMU4y7+B+5qyfzgDIKrHqeNR42OmyjChQajsLfWI8x1Vi8BKb5+1gpK9
  36. bOP8vQJBAL4/bMfZsHypkoFyoVcH8hPZrpRatbwzSquB+wUJ6xouAZzmZDbRFrR3
  37. coRbvIr39eKC/82SRp3PcQqdfyUV3AkCQAHyzIsmMWmUNA+001ybBkEjeLisLxtg
  38. BPeksiMNBqpUJ0VeOzBViACvdau+u3yolrt094YzG/vugaJTar4HUhkCQDCfsHjE
  39. tG4Fke9ef5aLyyL2NVOTJJKlfk0zMy0AZDkHy21ZqeglDo1WRwNf1htG9RT6TmA6
  40. sS8dalK98fTfJm0=
  41. -----END PRIVATE KEY-----

2.8 配置tomcat

点击(此处)折叠或打开

  1. clientAuth="true" sslProtocol="TLS"
  2. keystoreFile=".../keystore/server.jks" keystorePass="123456"
  3. truststoreFile=".../keystore/trust.jks" truststorePass="123456"
  4. truststoreType="JKS" />

2.9 通过curl访问服务
    这里通过"-k"指定curl不对server证书进行认证。
   这里只携带client证书去访问server。

点击(此处)折叠或打开

  1. curl -verbose -k --cert client4curl/new.client.all.pem
输出的信息

点击(此处)折叠或打开

  1. * About to connect() to localhost port 8443 (#0)
  2. * Trying ::1...
  3. * Connected to localhost (::1) port 8443 (#0)
  4. * Initializing NSS with certpath: sql:/etc/pki/nssdb
  5. * skipping SSL peer certificate verification
  6. * NSS: client certificate from file
  7. * subject: OU=c5,O=c4,E=client01@test.com,C=c1,ST=c2,CN=client01
  8. * start date: Jun 19 06:14:04 2017 GMT
  9. * expire date: Jun 19 06:14:04 2018 GMT
  10. * common name: client01
  11. * issuer: O=Z3,E=zz@zz.com,C=Z2,ST=Z1,CN=MyCA
  12. * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  13. * Server certificate:
  14. * subject: OU=s5,O=s4,E=server@test.com,C=s1,ST=s2,CN=server
  15. * start date: Jun 19 06:14:04 2017 GMT
  16. * expire date: Jun 19 06:14:04 2018 GMT
  17. * common name: server
  18. * issuer: O=Z3,E=zz@zz.com,C=Z2,ST=Z1,CN=MyCA
  19. > GET /bcsgw/v1/admin/info HTTP/1.1
  20. > User-Agent: curl/7.29.0
  21. > Host: localhost:8443
  22. > Accept: */*
  23. > Referer: rbose
  24. >
  25. < HTTP/1.1 200
  26. < Content-Type: application/json
  27. < Content-Length: 61
  28. < Date: Mon, 19 Jun 2017 06:17:30 GMT
  29. <
  30. * Connection #0 to host localhost left intact








阅读(42931) | 评论(1) | 转发(0) |
0

上一篇:JAVA Synchronize

下一篇:GoEclipse

给主人留下些什么吧!~~

arm_zwinger2018-05-18 14:15:52

这个连接对证书相关文件总结的比较清楚:
http://www.cnblogs.com/guogangj/p/4118605.html