0. Main idea
The project needs HTTPS mutual authentication, and rather than wait for someone else to supply the certificates I rolled up my sleeves and generated them myself, so things would move a bit faster.
To be honest, I am still fairly fuzzy about how openssl is used; I borrowed some methods from the web and stitched together this working script, which I am sharing here.
Friends who like to nitpick are welcome to point out its shortcomings, so that I can improve a little more :)
1. Overview
First, generate a CA, i.e. a self-signed root certificate.
Next, generate two certificate requests (CSRs); the certificates issued from them will be used by the client and the server respectively.
Then use the CA to sign the two requests, producing the client and server certificates. Both certificates now chain to the CA.
After that, convert the CA certificate into trust.jks and the server certificate (with its private key) into server.jks, and deploy both keystores in Tomcat.
Finally, access the server with curl while presenting the client certificate: success! This last step can also be done from a browser.
2. Step by step
2.0 Build an openssl.cnf file
This file is used only by the CA; just two later steps need it: generating the self-signed CA (2.2) and issuing certificates from the requests (2.4). Note that one extension section, certificate_extensions, is used for both the server and the client certificate and contains nothing but basicConstraints: no keyUsage, no extendedKeyUsage and no subjectAltName. That means the issued certificates are not tied to a role (a client certificate would equally pass as a server certificate) and the server certificate can only be checked by a client that skips host name verification, which is why curl is run with -k in 2.9.
[ ca ]
default_ca = myca

[ myca ]
dir = MyCA
certificate = $dir/certs/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days= 7
default_days = 365
default_md = sha256

policy = myca_policy
x509_extensions = certificate_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName= supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints= CA:false

[ req ]
default_bits = 2048
default_keyfile = MyCA/private/cakey.pem
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = MyCA
stateOrProvinceName = Z1
countryName = Z2
emailAddress = zz@zz.com
organizationName = Z3

[ root_ca_extensions ]
basicConstraints = CA:true
2.1 Create the directories; everything generated later lands in them
#!/bin/sh
local_dir=$PWD

mkdir keystore      # holds the two jks files that Tomcat will read
mkdir client4curl   # holds the client certificate in the formats curl can use
mkdir client        # holds all client + server keys, requests and certificates

mkdir MyCA          # holds the CA (root certificate); certificates issued from requests also appear here first
cd MyCA
mkdir certs private
chmod g-rwx,o-rwx private   # the CA private key lives here; owner-only access
echo "01" > serial          # serial number of the next certificate to be issued
touch index.txt             # the CA database, updated by "openssl ca"
Note: openssl.cnf goes in the same directory as MyCA. The overall layout is:
home/
  client/
  client4curl/
  keystore/
  MyCA/
  openssl.cnf
2.2 Generate the CA (self-signed)
OPENSSL_CONF="${PWD}/openssl.cnf"
export OPENSSL_CONF
mydir="MyCA/certs"
# key size (default_bits = 2048) and key file (MyCA/private/cakey.pem) come from the [req] section of openssl.cnf;
# -nodes leaves that key unencrypted, so it is protected only by the permissions set in 2.1
openssl req -x509 -newkey rsa -out ${mydir}/cacert.pem -outform PEM -days 356 -nodes

echo ""
echo "---check the root ca---"
openssl x509 -in ${mydir}/cacert.pem -text -noout
The root certificate and its key end up in:
$ ls MyCA/private/
cakey.pem <-- private key
$ ls MyCA/certs/
cacert.pem <-- root certificate
(-days 356 is what the post used, and the Not After date below is indeed 356 days out; 365 was presumably intended.)
openssl x509 -in ${mydir}/cacert.pem -text -noout prints:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15835710475854792812 (0xdbc3bec6cf41c86c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MyCA, ST=Z1, C=Z2/emailAddress=zz@zz.com, O=Z3
        Validity
            Not Before: Jun 19 06:55:55 2017 GMT
            Not After : Jun 10 06:55:55 2018 GMT
        Subject: CN=MyCA, ST=Z1, C=Z2/emailAddress=zz@zz.com, O=Z3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:fa:81:0b:8a:e1:49:45:54:85:ad:49:6b:21:
                    a9:aa:f8:75:f0:ad:31:c5:eb:17:98:aa:57:33:fb:
                    73:48:9e:51:55:d2:e6:59:b7:48:b7:46:fd:3f:5b:
                    5e:d1:cd:ce:14:d7:fa:c5:0c:29:60:24:b5:43:6a:
                    2d:27:26:a3:24:08:df:3d:91:80:be:55:39:fa:72:
                    61:34:0d:01:a1:2a:22:80:c1:ad:e5:40:25:4a:79:
                    a2:00:1c:84:e2:d8:c4:82:6f:80:62:28:4c:04:e8:
                    b3:8b:8c:c5:f6:93:1f:7b:5e:20:d2:83:61:6d:04:
                    d0:b3:a1:80:9b:e6:0d:dd:ae:a5:e1:80:81:80:a5:
                    cd:c4:35:49:c7:92:cd:f4:69:26:17:d0:f6:f4:1c:
                    b8:7b:ac:61:19:20:4f:97:96:e9:b8:2e:7a:0a:2c:
                    a2:07:dc:2f:e9:47:bc:6a:6d:c0:9f:ad:d1:a4:73:
                    ea:cd:46:c1:e2:ad:b2:2a:e5:f5:6b:8b:94:4e:71:
                    c8:a4:fa:c5:e5:93:91:e2:8a:4b:95:62:85:82:ec:
                    8b:64:0b:ea:1b:72:bb:57:b5:6d:68:0b:19:41:f8:
                    b7:7b:f8:4f:c0:5c:47:85:74:07:f0:39:75:c0:27:
                    2b:e9:fc:fa:06:50:f2:99:47:a3:1f:9a:4b:24:6c:
                    ff:57
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         9a:a3:44:14:c3:76:41:f6:1f:d6:10:5b:01:b4:82:b8:ca:9e:
         15:5a:e3:a9:aa:2c:40:81:65:91:c6:a0:e3:3f:0b:9f:f2:28:
         d3:6f:0b:44:59:92:0e:2e:9e:f7:7a:c4:0f:4b:94:1e:24:cb:
         f1:87:8a:5e:89:4e:51:a8:c9:bb:23:0e:b2:32:a9:91:27:f5:
         0c:b7:dd:15:b9:1b:e5:d8:51:27:0f:4b:c1:c7:fd:48:5d:e2:
         1b:3f:8d:f0:cd:40:35:c8:0d:14:d9:5f:e4:75:55:48:7c:69:
         a2:cb:fe:91:d4:94:9a:06:f6:d4:8f:42:6e:14:45:08:71:cc:
         12:aa:d6:e5:25:37:2c:16:75:e1:34:dc:1d:cf:6e:7b:6a:8d:
         ce:fb:b1:c3:19:55:91:af:9e:23:ea:04:51:9f:3d:f7:a1:16:
         e2:bf:1f:2f:5d:a7:dd:3a:5d:f7:b1:bb:48:64:a4:37:3a:40:
         5b:bc:67:53:05:22:a1:02:1a:33:8d:08:5d:31:ae:e7:da:2f:
         ef:b2:34:2a:19:d8:b3:89:13:82:1f:a1:74:b1:a5:0b:73:e4:
         d1:09:6c:d5:61:9e:7c:3e:ab:2c:2c:c3:e1:1b:11:a6:af:a8:
         9f:23:89:ab:91:1c:5d:a0:1b:4d:56:af:8b:82:0c:7b:12:de:
         88:fd:a5:72
2.3 Generate the client/server certificate requests
Note that this step does not need openssl.cnf (OPENSSL_CONF is unset, so the system default config is used). Normally this is done outside the CA, by whoever will own the key: the private key is generated and stays on the requester's side, and only the request (.csr) is sent to the CA.
#!/bin/sh

unset OPENSSL_CONF
client_dir="client"

# The post used rsa:1024; 1024-bit RSA is below today's accepted minimum, so 2048 is used here.
# (The sample outputs further down were produced with the original 1024-bit keys.)
echo "======== start to generate req for client ======="
openssl req -newkey rsa:2048 -keyout ${client_dir}/clientkey.pem -keyform PEM -out ${client_dir}/clientreq.csr -outform PEM -nodes -subj /C=c1/ST=c2/L=c3/O=c4/OU=c5/CN=client01/emailAddress=client01@test.com

echo "======== start to generate req for server ======="
openssl req -newkey rsa:2048 -keyout ${client_dir}/serverkey.pem -keyform PEM -out ${client_dir}/serverreq.csr -outform PEM -nodes -subj /C=s1/ST=s2/L=s3/O=s4/OU=s5/CN=server/emailAddress=server@test.com
The result is two pairs of files: (private key + request) x 2
$ ls client
clientkey.pem clientreq.csr serverkey.pem serverreq.csr
2.4 Issue the client/server certificates from the requests
This step is performed at the CA. Normally the requests generated above are sent to the CA, and the CA runs this.
The two resulting certificates are both signed by the CA.
04_confirm.txt here contains just two lines, each a "Y" followed by a newline, to answer the two prompts of "openssl ca" automatically ("openssl ca -batch" does the same without a file).
#!/bin/sh

OPENSSL_CONF="${PWD}/openssl.cnf"
export OPENSSL_CONF

# the CA applies the [certificate_extensions] section of openssl.cnf and ignores any
# extensions in the request (copy_extensions is not set)
echo "======= start to generate client pem ======="
openssl ca -in client/clientreq.csr < 04_confirm.txt
cp MyCA/certs/01.pem client/client.pem   # file name is the serial number; "-out client/client.pem" would avoid the cp

echo "======= start to generate server pem ======="
openssl ca -in client/serverreq.csr < 04_confirm.txt
cp MyCA/certs/02.pem client/server.pem
This creates 01.pem and 02.pem under MyCA/certs/, the CA-signed client and server certificates (the serial counter in MyCA/serial advances after each one).
Contents of client.pem:
$ cat client/client.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MyCA, ST=Z1, C=Z2/emailAddress=zz@zz.com, O=Z3        <--- the CA's details
        Validity
            Not Before: Jun 19 07:02:14 2017 GMT
            Not After : Jun 19 07:02:14 2018 GMT
        Subject: CN=client01, ST=c2, C=c1/emailAddress=client01@test.com, O=c4, OU=c5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b5:61:08:04:ed:93:78:5f:ce:f3:1c:db:2f:78:
                    d7:a3:09:0b:48:99:ca:8f:ba:ba:65:5b:a7:39:e2:
                    c2:95:5d:c8:82:ca:51:c1:c3:41:ea:7b:e2:4d:7d:
                    59:40:65:02:db:08:e3:01:85:41:ab:a7:a3:d2:06:
                    61:af:2f:11:be:5d:41:31:0e:9e:a7:ad:91:7c:2c:
                    4c:77:d8:3b:ce:48:ce:de:00:a7:a4:63:a7:d0:c6:
                    3a:96:7d:5b:15:40:8f:8b:34:35:ce:4f:f6:e8:93:
                    c4:11:0e:4a:01:e8:f9:bf:e4:a7:20:79:3e:55:5e:
                    5d:23:3f:2b:5c:d4:62:8a:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         86:85:e6:b3:bf:5b:b8:f2:c5:2e:74:11:82:46:49:4e:e0:fa:
         a2:33:46:0a:ef:00:83:ac:7e:53:06:9f:6a:3d:e3:a8:f6:aa:
         50:64:2d:d1:5c:c1:55:89:88:a7:e8:44:a8:27:99:90:fe:4d:
         fd:5e:be:0a:9d:b6:57:93:93:be:7d:c9:16:2f:d6:f6:4e:e9:
         d9:76:de:12:67:c7:d1:b9:26:43:d7:f5:16:a7:83:89:69:eb:
         0f:58:42:14:2f:b7:3c:45:16:95:6a:6d:c7:01:cc:3e:20:e6:
         57:af:06:db:cd:8f:0a:98:2f:1e:a1:1b:bc:9d:6b:eb:e3:a7:
         5c:c4:4d:44:fc:d7:26:af:34:a2:da:79:59:e0:98:b9:88:5c:
         99:2f:75:43:f9:c8:4a:94:fb:03:83:c6:15:df:05:0f:8b:d7:
         7f:52:5e:49:66:ba:b7:78:7d:09:bf:48:aa:9c:92:18:35:a8:
         28:78:26:f3:76:2a:07:89:c2:dd:ae:9f:50:46:e6:a0:01:b5:
         dc:d1:a1:f5:5d:e6:a4:3c:55:99:38:d3:ed:6a:83:49:c0:80:
         f2:13:93:44:d1:e9:33:99:30:7e:b4:08:47:7d:87:be:ac:67:
         f5:54:30:ca:9b:b9:7a:a6:6b:98:30:f1:46:50:16:ba:ce:b8:
         17:ef:cd:53
-----BEGIN CERTIFICATE-----
MIICvTCCAaWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQ0wCwYDVQQDEwRNeUNB
MQswCQYDVQQIEwJaMTELMAkGA1UEBhMCWjIxGDAWBgkqhkiG9w0BCQEWCXp6QHp6
LmNvbTELMAkGA1UEChMCWjMwHhcNMTcwNjE5MDcwMjE0WhcNMTgwNjE5MDcwMjE0
WjBpMREwDwYDVQQDDAhjbGllbnQwMTELMAkGA1UECAwCYzIxCzAJBgNVBAYTAmMx
MSAwHgYJKoZIhvcNAQkBFhFjbGllbnQwMUB0ZXN0LmNvbTELMAkGA1UECgwCYzQx
CzAJBgNVBAsMAmM1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1YQgE7ZN4
X87zHNsveNejCQtImcqPurplW6c54sKVXciCylHBw0Hqe+JNfVlAZQLbCOMBhUGr
p6PSBmGvLxG+XUExDp6nrZF8LEx32DvOSM7eAKekY6fQxjqWfVsVQI+LNDXOT/bo
k8QRDkoB6Pm/5KcgeT5VXl0jPytc1GKKyQIDAQABow0wCzAJBgNVHRMEAjAAMA0G
CSqGSIb3DQEBCwUAA4IBAQCGheazv1u48sUudBGCRklO4PqiM0YK7wCDrH5TBp9q
PeOo9qpQZC3RXMFViYin6ESoJ5mQ/k39Xr4KnbZXk5O+fckWL9b2TunZdt4SZ8fR
uSZD1/UWp4OJaesPWEIUL7c8RRaVam3HAcw+IOZXrwbbzY8KmC8eoRu8nWvr46dc
xE1E/NcmrzSi2nlZ4Ji5iFyZL3VD+chKlPsDg8YV3wUPi9d/Ul5JZrq3eH0Jv0iq
nJIYNagoeCbzdioHicLdrp9QRuagAbXc0aH1XeakPFWZONPtaoNJwIDyE5NE0ekz
mTB+tAhHfYe+rGf1VDDKm7l6pmuYMPFGUBa6zrgX781T
-----END CERTIFICATE-----
2.5 Import the CA root certificate into trust.jks
Only the CA certificate goes into the trust store. Tomcat will then accept any client certificate that chains to MyCA; if different clients are supposed to get different rights, the application has to look at the subject of the certificate that was presented.
echo "======= import CA as trust.jks ========"
# -importcert is the documented name of this command; -import is the legacy alias.
# No -alias is given, so the entry gets the default alias "mykey" (see the listing below).
keytool -importcert -noprompt -file MyCA/certs/cacert.pem -keystore keystore/trust.jks -storepass 123456
Inspecting trust.jks:
$ keytool -list -v -keystore keystore/trust.jks -storepass 123456

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: Jun 19, 2017
Entry type: trustedCertEntry

Owner: O=Z3, EMAILADDRESS=zz@zz.com, C=Z2, ST=Z1, CN=MyCA
Issuer: O=Z3, EMAILADDRESS=zz@zz.com, C=Z2, ST=Z1, CN=MyCA
Serial number: dbc3bec6cf41c86c
Valid from: Mon Jun 19 14:55:55 CST 2017 until: Sun Jun 10 14:55:55 CST 2018
Certificate fingerprints:
         MD5:  69:D5:32:62:FB:1D:1F:75:02:28:93:B0:35:34:58:61
         SHA1: D6:E9:47:46:CB:BB:2E:2D:3B:E2:91:E2:15:A6:E3:64:0C:F4:B6:42
         SHA256: F4:EB:83:FB:BD:9A:A6:B3:DA:1A:F7:1D:B4:DD:20:09:9A:B5:D1:1B:4E:4A:1F:30:39:AC:82:93:6B:2A:17:10
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
2.6 Convert the server certificate to PKCS#12 and import it into server.jks
keytool cannot import a PEM private key directly, so certificate and key are first bundled into a PKCS#12 file and that keystore is then converted.
echo ""
echo "======= export server.pem to server.pkcs12 =========="
openssl pkcs12 -export -in client/server.pem -inkey client/serverkey.pem -out client/server.p12 -passout pass:123456

echo ""
echo "======= import server.pkcs12 to server.jks =========="
# the key entry keeps the alias it had in the .p12 ("1"); Tomcat uses the first key entry when keyAlias is not set.
# Java 8 creates a JKS file here; Java 9 and later default to PKCS12 unless -deststoretype JKS is given.
keytool -importkeystore -srckeystore client/server.p12 -srcstoretype PKCS12 -srcstorepass 123456 -deststorepass 123456 -destkeystore keystore/server.jks
Inspecting server.jks:
$ keytool -list -v -keystore keystore/server.jks -storepass 123456

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Jun 19, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: OU=s5, O=s4, EMAILADDRESS=server@test.com, C=s1, ST=s2, CN=server
Issuer: O=Z3, EMAILADDRESS=zz@zz.com, C=Z2, ST=Z1, CN=MyCA
Serial number: 2
Valid from: Mon Jun 19 15:02:14 CST 2017 until: Tue Jun 19 15:02:14 CST 2018
Certificate fingerprints:
         MD5:  D6:36:D9:39:9A:1B:1B:D2:D4:AF:73:0D:74:E2:C0:A9
         SHA1: 1E:EC:4D:55:71:AA:2C:A8:65:7C:E6:D2:CB:1C:80:60:41:D7:72:03
         SHA256: C1:C2:DF:5A:4E:57:69:7E:DE:7E:95:AC:76:79:A0:6F:5C:AE:45:C7:01:F7:5F:67:4E:F2:DC:4F:73:96:7E:DC
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
2.7 Convert the client certificate into a format curl can use
In the end new.client.all.pem is the file handed to curl. It contains the certificate and the unencrypted private key (-nodes), so treat it like a private key (owner-only permissions). curl can equally take the two separate files: --cert new.client.pem --key new.client.key.pem.
#!/bin/sh

echo "====== export client.pem to pkcs12 format ========="
openssl pkcs12 -export -in client/client.pem -inkey client/clientkey.pem -out client/client.p12 -passout pass:123456

echo ""
echo "====== export client.p12 to new.client.pem (no private key inside) which is used by curl ==========="
# -nokeys is needed for "no private key inside"; without it this file is identical to new.client.all.pem below
openssl pkcs12 -in client/client.p12 -out client4curl/new.client.pem -nokeys -passin pass:123456

echo ""
echo "====== export client.p12 to new.client.key.pem (only private key) which is used by curl ==========="
openssl pkcs12 -in client/client.p12 -out client4curl/new.client.key.pem -nocerts -nodes -passin pass:123456

echo ""
echo "====== export client.p12 to new.client.all.pem (with private key) which is used by curl ==========="
openssl pkcs12 -in client/client.p12 -out client4curl/new.client.all.pem -nodes -passin pass:123456
Inspecting new.client.all.pem:
$ cat client4curl/new.client.all.pem

Bag Attributes
    localKeyID: 8B EE 4F 8D 23 91 11 A2 49 70 FA 02 E9 39 FF BF 00 E6 0E 41
subject=/CN=client01/ST=c2/C=c1/emailAddress=client01@test.com/O=c4/OU=c5
issuer=/CN=MyCA/ST=Z1/C=Z2/emailAddress=zz@zz.com/O=Z3
-----BEGIN CERTIFICATE-----
MIICvTCCAaWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQ0wCwYDVQQDEwRNeUNB
MQswCQYDVQQIEwJaMTELMAkGA1UEBhMCWjIxGDAWBgkqhkiG9w0BCQEWCXp6QHp6
LmNvbTELMAkGA1UEChMCWjMwHhcNMTcwNjE5MDcwMjE0WhcNMTgwNjE5MDcwMjE0
WjBpMREwDwYDVQQDDAhjbGllbnQwMTELMAkGA1UECAwCYzIxCzAJBgNVBAYTAmMx
MSAwHgYJKoZIhvcNAQkBFhFjbGllbnQwMUB0ZXN0LmNvbTELMAkGA1UECgwCYzQx
CzAJBgNVBAsMAmM1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1YQgE7ZN4
X87zHNsveNejCQtImcqPurplW6c54sKVXciCylHBw0Hqe+JNfVlAZQLbCOMBhUGr
p6PSBmGvLxG+XUExDp6nrZF8LEx32DvOSM7eAKekY6fQxjqWfVsVQI+LNDXOT/bo
k8QRDkoB6Pm/5KcgeT5VXl0jPytc1GKKyQIDAQABow0wCzAJBgNVHRMEAjAAMA0G
CSqGSIb3DQEBCwUAA4IBAQCGheazv1u48sUudBGCRklO4PqiM0YK7wCDrH5TBp9q
PeOo9qpQZC3RXMFViYin6ESoJ5mQ/k39Xr4KnbZXk5O+fckWL9b2TunZdt4SZ8fR
uSZD1/UWp4OJaesPWEIUL7c8RRaVam3HAcw+IOZXrwbbzY8KmC8eoRu8nWvr46dc
xE1E/NcmrzSi2nlZ4Ji5iFyZL3VD+chKlPsDg8YV3wUPi9d/Ul5JZrq3eH0Jv0iq
nJIYNagoeCbzdioHicLdrp9QRuagAbXc0aH1XeakPFWZONPtaoNJwIDyE5NE0ekz
mTB+tAhHfYe+rGf1VDDKm7l6pmuYMPFGUBa6zrgX781T
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 8B EE 4F 8D 23 91 11 A2 49 70 FA 02 E9 39 FF BF 00 E6 0E 41
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALVhCATtk3hfzvMc
2y9416MJC0iZyo+6umVbpzniwpVdyILKUcHDQep74k19WUBlAtsI4wGFQauno9IG
Ya8vEb5dQTEOnqetkXwsTHfYO85Izt4Ap6Rjp9DGOpZ9WxVAj4s0Nc5P9uiTxBEO
SgHo+b/kpyB5PlVeXSM/K1zUYorJAgMBAAECgYEAkcYqa8uFenmGGl5WyxCUPrRG
HVN9OYcZx9yhyiQ1v1ZgkL2Kd/A2Sf7HIwBbeyWz5dZ+m/o9jXhucZ4vZFywJLTk
FxAhzKqVPiW9h4gH+RWtdWZpgWJS0oVWpwsHKhVdK9hv23QInmk7ldjwN9SuAKq4
0ZifwswXYVK61AuLnAECQQDa5x9zFI8+GMnDtNPvGzcFb/OxsWQSDf/6BCV2SqDC
2i6YL2U7QLy5RkyM1ULPXMMcL0r/mtZ2O87klfIdTxT9AkEA1B36BkRHWEnXIz9k
He6BWFXXPMU4y7+B+5qyfzgDIKrHqeNR42OmyjChQajsLfWI8x1Vi8BKb5+1gpK9
bOP8vQJBAL4/bMfZsHypkoFyoVcH8hPZrpRatbwzSquB+wUJ6xouAZzmZDbRFrR3
coRbvIr39eKC/82SRp3PcQqdfyUV3AkCQAHyzIsmMWmUNA+001ybBkEjeLisLxtg
BPeksiMNBqpUJ0VeOzBViACvdau+u3yolrt094YzG/vugaJTar4HUhkCQDCfsHjE
tG4Fke9ef5aLyyL2NVOTJJKlfk0zMy0AZDkHy21ZqeglDo1WRwNf1htG9RT6TmA6
sS8dalK98fTfJm0=
-----END PRIVATE KEY-----
2.8 Configure Tomcat
The HTTPS Connector in Tomcat's server.xml (the opening of the element was lost in the original page; port 8443 is the port the curl run below connects to, and SSLEnabled/scheme/secure are the standard attributes of an HTTPS connector):
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile=".../keystore/server.jks" keystorePass="123456"
           truststoreFile=".../keystore/trust.jks" truststorePass="123456"
           truststoreType="JKS" />
clientAuth="true" makes the client certificate mandatory: the handshake fails unless the client presents a certificate that chains to a CA in trust.jks (here MyCA). Because the keystore passwords sit in server.xml in clear text, the file should be readable only by the Tomcat user.
2.9 Access the service with curl
Here -k tells curl not to verify the server certificate; only the client certificate is presented. That is fine for a smoke test but it switches off half of the mutual authentication. The real check is --cacert MyCA/certs/cacert.pem instead of -k, which additionally requires the server certificate to match the host name you connect to (subjectAltName, or CN on old clients); the server certificate issued above has CN=server and no subjectAltName, so for https://localhost:8443 it would fail host name verification, and the fix is to issue it for the right name rather than keep -k.
The original command was typed as "-verbose", which curl parses as "-v -e rbose" (-e is --referer); that is where the "Referer: rbose" header in the output below comes from. The URL was missing from the command and is restored from the output.
curl -v -k --cert client4curl/new.client.all.pem https://localhost:8443/bcsgw/v1/admin/info
Output:
* About to connect() to localhost port 8443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: OU=c5,O=c4,E=client01@test.com,C=c1,ST=c2,CN=client01
*       start date: Jun 19 06:14:04 2017 GMT
*       expire date: Jun 19 06:14:04 2018 GMT
*       common name: client01
*       issuer: O=Z3,E=zz@zz.com,C=Z2,ST=Z1,CN=MyCA
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: OU=s5,O=s4,E=server@test.com,C=s1,ST=s2,CN=server
*       start date: Jun 19 06:14:04 2017 GMT
*       expire date: Jun 19 06:14:04 2018 GMT
*       common name: server
*       issuer: O=Z3,E=zz@zz.com,C=Z2,ST=Z1,CN=MyCA
> GET /bcsgw/v1/admin/info HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8443
> Accept: */*
> Referer: rbose
>
< HTTP/1.1 200
< Content-Type: application/json
< Content-Length: 61
< Date: Mon, 19 Jun 2017 06:17:30 GMT
<
* Connection #0 to host localhost left intact
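The script below is an example added to this page; it is not one of the post's own scripts. It condenses steps 2.0 to 2.4 into one function that applies the fixes noted along the way (2048-bit keys everywhere, keyUsage and a path length on the CA, separate server_ext/client_ext sections with extendedKeyUsage and a subjectAltName, openssl ca -batch instead of piped answers) and then performs the check of step 2.9 without -k: openssl verify for chain, purpose and host name, followed by a local mutual-TLS handshake in which openssl s_server demands a client certificate and openssl s_client verifies the server against the CA and the host name. The directory, the names MyCA/localhost/client01 and port 18443 are assumptions for the demo; nothing beyond openssl is needed.

```shell
#!/bin/sh
# Added example, not the original post's scripts: steps 2.0-2.4 with the
# reviewer's fixes, plus the verification that step 2.9 skips with -k.
# Names (MyCA, localhost, client01) and the port are assumptions.

make_pki() {                        # $1 = directory to create the PKI in
  pki=$1
  mkdir -p "$pki/newcerts" "$pki/private" || return 1
  chmod 700 "$pki/private"          # CA key is unencrypted (-nodes): permissions are its only protection
  : > "$pki/index.txt"
  echo 01 > "$pki/serial"
  cat > "$pki/openssl.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
certificate      = $pki/cacert.pem
private_key      = $pki/private/cakey.pem
new_certs_dir    = $pki/newcerts
database         = $pki/index.txt
serial           = $pki/serial
default_days     = 365
default_md       = sha256
policy           = myca_policy
[ myca_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:false
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:false
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # self-signed root; -extensions selects the CA section above
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=MyCA" \
    -config "$pki/openssl.cnf" -extensions v3_ca \
    -keyout "$pki/private/cakey.pem" -out "$pki/cacert.pem" >/dev/null 2>&1 || return 1
  for who in server client; do
    case $who in server) cn=localhost ;; *) cn=client01 ;; esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" -config "$pki/openssl.cnf" \
      -keyout "$pki/$who.key" -out "$pki/$who.csr" >/dev/null 2>&1 || return 1
    # the CA, not the requester, decides the extensions: server_ext or client_ext
    openssl ca -batch -notext -config "$pki/openssl.cnf" -extensions "${who}_ext" \
      -in "$pki/$who.csr" -out "$pki/$who.pem" >/dev/null 2>&1 || return 1
  done
}

verify_purpose() {   # $1 pki dir, $2 cert, $3 sslserver|sslclient: chain + keyUsage + EKU check
  openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$2" >/dev/null 2>&1
}

verify_host() {      # $1 pki dir, $2 cert, $3 host name: the subjectAltName check a TLS client does
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

mtls_handshake() {   # $1 pki dir, $2 port: server requires a client cert (-Verify), client verifies server
  openssl s_server -accept "$2" -naccept 1 -www -cert "$1/server.pem" -key "$1/server.key" \
    -CAfile "$1/cacert.pem" -Verify 1 >/dev/null 2>&1 &
  srv=$!
  sleep 1
  out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$2" \
    -cert "$1/client.pem" -key "$1/client.key" -CAfile "$1/cacert.pem" \
    -verify_hostname localhost -verify_return_error 2>/dev/null)
  rc=$?
  kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null
  [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

demo=$(mktemp -d)
make_pki "$demo" && echo "PKI written to $demo"
verify_purpose "$demo" "$demo/server.pem" sslserver && echo "server.pem: chain and serverAuth OK"
verify_purpose "$demo" "$demo/client.pem" sslserver || echo "client.pem rejected as a server cert (EKU is clientAuth only)"
verify_host "$demo" "$demo/server.pem" localhost && echo "server.pem matches host name localhost (SAN)"
mtls_handshake "$demo" 18443 && echo "mutual TLS handshake OK" || echo "mutual TLS handshake failed"
```

Run it with sh; the demo at the bottom writes a throw-away PKI under mktemp and prints the outcome of each check. verify_purpose can also be pointed at the post's own client/client.pem: with the CA certificate from MyCA/certs it passes for sslserver as well as sslclient, because the post's certificate_extensions section sets no keyUsage or extendedKeyUsage at all, so nothing stops that client certificate from being used to run a server.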