Category: System operations

2011-06-13 22:18:43

For the past few days I have been working on Tomcat's two-way (mutual) SSL setup. I found a document online about configuring Tomcat 5.5 on XP, followed it step by step, deployed, and it did not work: Tomcat 5.5 reported an unrecognized keystore file type. The procedure was as follows:

1. Download OpenSSL for Win32

Win32 OpenSSL v0.9.8k:
Visual C++ 2008 Redistributables:

2. Create the working directories

f:\ssl\ca\
f:\ssl\server\
f:\ssl\client\
f:\ssl\keystore\

3. Create your own CA

Creating a certificate takes three steps: 1. generate the private key, 2. generate the certificate signing request, 3. generate the x509 certificate, self-signed with the CA private key.

3.1 Generate the CA private key

F:\ssl>openssl genrsa -out ca/ca-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...........++++++
.........................++++++
e is 65537 (0x10001)

Notes:
genrsa: generate the CA private key
-out: path and file name for the generated private key
1024: key length in bits

3.2 Generate the certificate signing request

F:\ssl>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:SG
Locality Name (eg, city) []:SG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:logicgate
Organizational Unit Name (eg, section) []:development
Common Name (eg, YOUR name) []:logicgate
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Notes:
csr: certificate signing request
req: option that generates a certificate signing request

-key: path of the CA private key to use; here it is the key produced in 3.1

3.3 Self-sign with the CA private key

F:\ssl>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=SG/ST=SG/L=SG/O=logicgate/OU=development/CN=logicgate
Getting Private key

Notes:
x509: generate the x509 CA root certificate
-in: path of the certificate signing request
-out: path of the generated CA root certificate
-signkey: path of the private key used for signing
-days: validity period (days)

3.4 Export the certificate to the browser-supported .p12 format

F:\ssl>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Loading 'screen' into random state - done
Enter Export Password:password
Verifying - Enter Export Password:password

Note:

The password set here will be needed when the certificate is imported on the client side.

4. Generate the server certificate

4.1 Generate the private key

F:\ssl>openssl genrsa -out server/server-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)

4.2 Generate the certificate signing request

F:\ssl>openssl req -new -out server/server-req.csr -key server/server-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:SG
Locality Name (eg, city) []:SG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tomcat
Organizational Unit Name (eg, section) []:ssl
Common Name (eg, YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note:

The Common Name needs to hold the server's IP address; for testing on the local machine you can use localhost.

4.3 Sign using the private key

F:\ssl>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=SG/ST=SG/L=SG/O=tomcat/OU=ssl/CN=localhost
Getting Private key
Getting CA Private Key

4.4 Export the certificate to the browser-supported .p12 format

F:\ssl>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Loading 'screen' into random state - done
Enter Export Password:serverpassword
Verifying - Enter Export Password:serverpassword

5. Generate the client certificate

5.1 Generate the private key

F:\ssl>openssl genrsa -out client/client-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..++++++
....................++++++
e is 65537 (0x10001)

5.2 Generate the certificate signing request

F:\ssl>openssl req -new -out client/client-req.csr -key client/client-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:CN
Locality Name (eg, city) []:CN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IE
Organizational Unit Name (eg, section) []:IE
Common Name (eg, YOUR name) []:client
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5.3 Sign using the private key

F:\ssl>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=CN/L=CN/O=IE/OU=IE/CN=client
Getting Private key
Getting CA Private Key

5.4 Export the certificate to the browser-supported .p12 format

F:\ssl>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Loading 'screen' into random state - done
Enter Export Password:clientpassword
Verifying - Enter Export Password:clientpassword
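The three-step procedure of sections 3 to 5, as an added shell example that is not part of the original post: it rebuilds the CA, server and client certificates with the same subjects, signs the leaves with -CA/-CAkey only, gives the CA a basicConstraints CA:TRUE extension (which the post omits), then checks each leaf against the CA the way Tomcat's clientAuth="true" will, and counts what -clcerts actually puts into the .p12. It assumes a POSIX shell with the openssl CLI on PATH; the output directory, the 2048-bit key size and the passwords are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the CA -> server -> client
# chain of sections 3-5 with openssl, then run the check Tomcat performs with
# clientAuth="true": the leaf must chain to ca-cert.pem. Leaves are signed with
# -CA/-CAkey only; the CA gets basicConstraints CA:TRUE, which the post omits.
# Output directory and passwords are constructed here; needs openssl on PATH.
set -e
SSL_ROOT="${SSL_ROOT:-$(mktemp -d)}"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$SSL_ROOT/ca.ext"

# issue_cert NAME SUBJECT MODE: key + CSR, then a self-signed CA cert (MODE=ca)
# or a CA-issued leaf, followed by the PKCS#12 export of steps 3.4/4.4/5.4.
issue_cert() {
    name="$1"; subj="$2"; mode="$3"
    dir="$SSL_ROOT/$name"; mkdir -p "$dir"
    openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/$name-key.pem" -subj "$subj" \
        -out "$dir/$name-req.csr" 2>/dev/null
    if [ "$mode" = ca ]; then
        openssl x509 -req -in "$dir/$name-req.csr" -signkey "$dir/$name-key.pem" \
            -extfile "$SSL_ROOT/ca.ext" -days 3650 -out "$dir/$name-cert.pem" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name-req.csr" -CA "$SSL_ROOT/ca/ca-cert.pem" \
            -CAkey "$SSL_ROOT/ca/ca-key.pem" -CAcreateserial -days 3650 \
            -out "$dir/$name-cert.pem" 2>/dev/null
    fi
    openssl pkcs12 -export -clcerts -in "$dir/$name-cert.pem" -inkey "$dir/$name-key.pem" \
        -out "$dir/$name.p12" -passout "pass:${name}password"  # constructed password
}

# chains_to_ca CERT: exit 0 if CERT verifies against ca-cert.pem, 1 otherwise.
chains_to_ca() {
    openssl verify -CAfile "$SSL_ROOT/ca/ca-cert.pem" "$1" >/dev/null 2>&1
}

# p12_cert_count FILE PASSWORD: certificates inside a .p12. With -clcerts that is
# just the leaf, so the CA must be trusted separately (the truststore of section 6).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

build_chain() {
    issue_cert ca     "/C=SG/ST=SG/L=SG/O=logicgate/OU=development/CN=logicgate" ca
    issue_cert server "/C=SG/ST=SG/L=SG/O=tomcat/OU=ssl/CN=localhost" leaf
    issue_cert client "/C=CN/ST=CN/L=CN/O=IE/OU=IE/CN=client" leaf
}
```

Run build_chain, then chains_to_ca "$SSL_ROOT/client/client-cert.pem" answers the question Tomcat will ask of the client certificate before the truststore is even built.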

6. Generate the keystore from the CA certificate

F:\ssl>keytool -keystore truststore/truststore.jks -keypass keypass -storepass storepass -alias my_ca -import -trustcacerts -file ca\ca-cert.pem
Owner: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Issuer: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Serial number: 855006f7772b4487
Valid from: Mon Oct 05 13:30:09 SGT 2009 until: Thu Oct 03 13:30:09 SGT 2019
Certificate fingerprints:
         MD5:  08:22:2A:6B:63:13:86:3A:81:FF:33:6A:14:B6:4E:27
         SHA1: FB:97:E6:1C:A8:BB:8E:11:48:36:C1:33:D9:7F:03:7F:13:34:94:17
Trust this certificate? [no]:  y
Certificate was added to keystore

Note:
JSSE's default keystore is located at %JAVA_HOME%/jre/security/cacerts; here we generate our own keystore, under F:\ssl\truststore, and import the root certificate into it under the alias my_ca. If truststore.jks already contains a certificate with the alias my_ca, the import fails with: keytool error: java.lang.Exception: Certificate not imported, alias already exists. One fix is to delete the existing file, but that also discards every trusted CA root certificate imported before; the other is to choose an alias that differs from the other imported root certificates, i.e. give a different name after -alias.

7. List the certificates in the keystore

F:\ssl>keytool -list -v -keystore truststore/truststore.jks
Enter keystore password:  storepass

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: my_ca
Creation date: Oct 5, 2009
Entry type: trustedCertEntry

Owner: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Issuer: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Serial number: 855006f7772b4487
Valid from: Mon Oct 05 13:30:09 SGT 2009 until: Thu Oct 03 13:30:09 SGT 2019
Certificate fingerprints:
    MD5:  08:22:2A:6B:63:13:86:3A:81:FF:33:6A:14:B6:4E:27
    SHA1: FB:97:E6:1C:A8:BB:8E:11:48:36:C1:33:D9:7F:03:7F:13:34:94:17

8. Configure Tomcat

Add an HTTPS connector to server.xml. The opening tag and the port attribute were lost from the original page; port="8443" (Tomcat's default HTTPS port) is an assumption.

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    keystoreFile="F:\ssl\server\server.p12" keystoreType="PKCS12" keystorePass="serverpassword"
    truststoreFile="F:\ssl\truststore\truststore.jks" truststorePass="storepass" truststoreType="JKS"
    clientAuth="true" sslProtocol="TLS"
/>

9. Import the certificates on the client

IE -> Tools -> Internet Options -> Content -> Certificates
Import ca.p12 under Trusted Root Certification Authorities and client.p12 under Personal.

10. Verify the configuration

Open the site in the browser.

Finally, I was puzzled why Tomcat does not recognize the keystore file produced by the openssl command. Does it have to be a keystore generated by the JDK that Tomcat runs on? I tried that, and sure enough it was recognized, but the openssl-generated signing certificate still has to be imported into that keystore, with the following command:

keytool -import -v -file ca/ca-cert.pem -keystore c:\server.keystore -storepass changeit

Start Tomcat and it works.
