Reproduced from: http://www.blogjava.net/itvincent/articles/330988.html
1. Generate server-side certificates
Java code
keytool -genkey -keyalg RSA -dname "CN=LOCALHOST,OU=SANGO,O=NONE,L=CHINA,ST=BEIJING,C=CN" -alias server -keypass password -keystore server.jks -storepass password -validity 3650
2. Generate Client Certificates
Java code
keytool -genkey -keyalg RSA -dname "CN=SANGO,OU=SANGO,O=NONE,L=CHINA,ST=BEIJING,C=CN" -alias custom -storetype PKCS12 -keypass password -keystore custom.p12 -storepass password -validity 3650
The client's CN can be any value.
3. Because this is two-way SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's trust store. A PKCS12 keystore cannot be imported directly, so first export the client certificate to a separate CER file with the following command:
Java code
keytool -export -alias custom -file custom.cer -keystore custom.p12 -storepass password -storetype PKCS12 -rfc
Then add the client certificate to the server (import the exported certificate into the server keystore, which also serves as its trust store):
Java code
keytool -import -v -alias custom -file custom.cer -keystore server.jks -storepass password
4. View the contents of the keystore
Java code
keytool -list -v -keystore server.jks -storepass password
5. Configure the Tomcat server.xml file
XML code
<!-- the maxThreads value did not survive in the source; size it for your deployment -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="..." scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:/server.jks" keystorePass="password"
           truststoreFile="D:/server.jks" truststorePass="password"
/>
clientAuth="true" means two-way authentication: the server requires every client to present a certificate found in its trust store.
6. Import the client certificate into the browser
Two-way authentication requires the client to present a certificate. Double-click custom.p12 to import it into IE.
7. Java Code Implementation
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

DefaultHttpClient httpclient = new DefaultHttpClient();
// server.jks is loaded once and used both as the trust store (it holds the server
// certificate) and as the key store whose certificate this client presents.
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream instream = new FileInputStream(new File("D:/server.jks"));
try {
    trustStore.load(instream, "password".toCharArray());
} finally {
    instream.close();
}
// Arguments: key store, key password, trust store (HttpClient 4.0 API).
SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore, "password", trustStore);
Scheme sch = new Scheme("https", socketFactory, 443);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);

HttpGet httpget = new HttpGet("https://localhost:8443/");
System.out.println("Executing request " + httpget.getRequestLine());
HttpResponse response = httpclient.execute(httpget);
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (entity != null) {
    System.out.println("Response content length: " + entity.getContentLength());
}
if (entity != null) {
    entity.consumeContent();
}
// Release the connection pool when done.
httpclient.getConnectionManager().shutdown();
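As an added example (not code from the original post), the same two-way handshake with the standard JSSE API: it presents custom.p12 from step 2 as the client identity and uses server.jks as the trust store, and calling it once with and once without the client certificate shows whether clientAuth="true" is actually enforced. It assumes Tomcat is running with the connector from step 5 and that the files are at D:/custom.p12 and D:/server.jks.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck {
    // Assumed file locations; the passwords match the keytool commands above.
    static final String CLIENT_P12 = "D:/custom.p12";
    static final String SERVER_JKS = "D:/server.jks";
    static final char[] PASSWORD = "password".toCharArray();

    static KeyStore load(String path, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    // Trusts the server certificate in server.jks; presents custom.p12 only when asked to.
    static SSLContext buildContext(boolean presentClientCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(SERVER_JKS, "JKS"));
        KeyManagerFactory kmf = null;
        if (presentClientCert) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(CLIENT_P12, "PKCS12"), PASSWORD);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Returns the HTTP status, or -1 when the server refuses the TLS session.
    static int request(boolean presentClientCert) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(buildContext(presentClientCert).getSocketFactory());
        try {
            return conn.getResponseCode();
        } catch (SSLException e) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with client certificate:    " + request(true));
        System.out.println("without client certificate: " + request(false));
    }
}
```

With the connector configured as in step 5, the second call should fail the handshake; if it returns a status code, the server is not actually demanding a client certificate.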