I. Generate digital certificates for the server and the client, and establish trust
In a real deployment you obtain the server certificate from a CA. Here, for testing convenience, we use the JDK's keytool to generate self-signed certificates. The key size (1024) and signature algorithm (SHA1withRSA) in the commands below are kept from the original; they are acceptable only for a throwaway local test, since current TLS stacks and browsers reject them. For anything else use -keysize 2048 (or larger) and -sigalg SHA256withRSA.
Note: run keytool -help for a description of the parameters. keytool prompts for a keystore password and then for a key password; press Enter at the second prompt so the key password equals the keystore password, which is what Tomcat's connector expects unless keyPass is set explicitly.
1. Generate the server certificate (a key pair plus self-signed certificate in a JKS keystore; -genkey is an alias of -genkeypair in newer JDKs)
keytool -genkey -v -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 36000 -alias www.alan.org -keystore alan.keystore -dname "CN=www.alan.org, OU=Alan, O=Alan, L=HN, ST=HN, C=CN"
The CN must equal the host name the browser will use (www.alan.org), otherwise the browser's host name check fails in addition to the self-signed warning.
2. Generate the client certificate (stored directly in PKCS12 format so the browser can import it, private key included)
keytool -genkey -v -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 36000 -alias alanclient -storetype PKCS12 -keystore alanclient.p12 -dname "CN=Alan-client, OU=Alan, O=Alan, L=HN, ST=HN, C=CN"
3. Make the server trust the client certificate
(1) Export the client certificate (the public certificate only; the private key stays in the PKCS12 file) from the client keystore just generated:
keytool -export -alias alanclient -keystore alanclient.p12 -storetype PKCS12 -rfc -file alanclient.cer
(2) Import the client certificate into the server keystore as a trusted certificate entry (give it an explicit alias; otherwise keytool stores it under the default alias "mykey"):
keytool -import -v -file alanclient.cer -keystore alan.keystore -alias alanclient
Answer "yes" when keytool asks whether to trust the certificate. Listing alan.keystore with keytool -list should now show two entries: the server's PrivateKeyEntry and the client's trustedCertEntry. In this test setup the server trusts each client certificate individually; with CA-issued client certificates you would import the issuing CA certificate instead of every leaf, and keep trusted certificates in a truststore separate from the server's private key.
4. Import the client certificate into the IE certificate store
Double-click the alanclient.p12 file and import it into the "Personal" certificate store; the import wizard asks for the keystore password chosen in step 2.
Note: in a real deployment, if the client's certificate lives on a hardware token (USB key), use the token vendor's driver to register the certificate on the token with the IE certificate store instead.
II. Configure the web server (Tomcat as an example)
Configure two-way authentication on the HTTPS connector in Tomcat's conf/server.xml. Attribute names are case-sensitive; the connector looks like this:
<Connector
    port="443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="true"
    sslProtocol="TLS"
    keystoreFile="conf/alan.keystore"
    keystorePass="changeit"
    truststoreFile="conf/alan.keystore"
    truststorePass="changeit"/>
Note: if the keystore file is in PKCS12 format you must also specify keystoreType="PKCS12" (the default is JKS). keystoreFile and truststoreFile are resolved relative to $CATALINA_BASE. clientAuth="true" makes the TLS handshake itself fail for any client that does not present a certificate trusted by the truststore; clientAuth="want" requests a certificate but still completes the handshake without one, which leaves the decision to application code. Replace "changeit" (the well-known default password of the JDK's cacerts file) with a password of your own.
III. Server-side code reference (Java)
Add a servlet filter that reads the request attribute javax.servlet.request.X509Certificate. After a successful handshake the container stores the client's certificate chain there (leaf certificate first); the filter below prints the fields of each certificate:
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

/**
 * CertFilter: prints the client certificate presented during the SSL/TLS handshake.
 * The urlPatterns value decides which requests are inspected; "/certfilter" limits it to that path.
 */
@WebFilter(description = "Certificate filter for SSL connection", urlPatterns = {"/certfilter"})
public class CertFilter implements Filter {

    public CertFilter() {
    }

    public void destroy() {
    }

    /** Obtain and print the certificate information. */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The attribute is null when the connection is not TLS or the client presented no
        // certificate (possible with clientAuth="want"), so guard against it before iterating.
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null) {
            for (X509Certificate cert : certs) {
                System.out.println("!!! Start !!!");
                System.out.println("Version: " + cert.getVersion());
                System.out.println("Serial number: " + cert.getSerialNumber());
                System.out.println("Issuer: " + cert.getIssuerX500Principal().getName());
                System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
                System.out.println("Signature algorithm: " + cert.getSigAlgName());
                System.out.println("Certificate type: " + cert.getType());
                System.out.println("Valid from: " + cert.getNotBefore());
                System.out.println("Valid until: " + cert.getNotAfter());
                try {
                    cert.checkValidity(); // throws if the certificate is expired or not yet valid
                } catch (CertificateExpiredException e) {
                    e.printStackTrace();
                } catch (CertificateNotYetValidException e) {
                    e.printStackTrace();
                }
                System.out.println("!!! End !!!");
            }
        }
        // This sample only logs; it never rejects the request. Pass it along the filter chain.
        chain.doFilter(request, response);
    }

    public void init(FilterConfig fconfig) throws ServletException {
    }
}
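The filter above only prints the certificate; an expired certificate or an unexpected subject still reaches the application. The following filter is an added example (not code from the original page) of the enforcing variant a practitioner usually wants: trust in the certificate itself is already decided by the TLS handshake against Tomcat's truststore, so the filter's job is authorization. It rejects the request with 403 unless a certificate is present, currently valid, and its subject CN appears on an allow-list. The init parameter name allowedSubjects, the request attribute name example.client.cn and the "/*" mapping are this example's own choices, not anything the page defines.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforcing certificate filter (added example). Rejects the request unless the client
 * presented a certificate that is currently valid and whose subject CN is allow-listed.
 * The allow-list and attribute names below are assumptions made for this example.
 */
@WebFilter(urlPatterns = {"/*"},
           initParams = {@WebInitParam(name = "allowedSubjects", value = "Alan-client")})
public class CertAuthzFilter implements Filter {

    /** Request attribute under which the authenticated CN is published (name is our choice). */
    public static final String CLIENT_CN_ATTR = "example.client.cn";

    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        String list = cfg.getInitParameter("allowedSubjects");
        if (list != null) {
            for (String s : list.split(",")) {
                allowed.add(s.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        // With clientAuth="want", or a request that arrived over a plain-HTTP connector,
        // the attribute is null: treat that as "not authenticated", never as a pass.
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate leaf = certs[0]; // the container orders the chain leaf-first

        try {
            leaf.checkValidity(); // expired or not-yet-valid: reject instead of merely logging
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        String cn = extractCn(leaf);
        if (cn == null || !allowed.contains(cn)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not authorized");
            return;
        }

        // Downstream servlets read the identity from here instead of re-parsing the certificate.
        req.setAttribute(CLIENT_CN_ATTR, cn);
        chain.doFilter(req, res);
    }

    /** Returns the first CN of the subject DN, or null if there is none or the DN cannot be parsed. */
    static String extractCn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // malformed DN: fall through and report "no CN"
        }
        return null;
    }

    public void destroy() {
    }
}
```

Matching on the CN alone is adequate here because the server trusts each client certificate individually (section I, step 3); once client certificates come from a CA, also check the issuer, or better, map the certificate's subject or serial number to an account rather than trusting whatever CN the CA happened to sign.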
IV. Clients access the server over HTTPS
Because the server certificate is self-signed, the browser shows a warning; click "Continue to this website" to proceed. The browser also asks you to choose the client certificate imported in step I.4 (unless it is configured to pick the only available certificate automatically). Once the page loads, the server console shows the certificate fields printed by the filter.
SSL/TLS two-way authentication is now configured. You can base business decisions on the certificate information obtained in the filter according to your needs.
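The page only shows a browser acting as the client. As an added example (not code from the original page), the following Java program performs the same mutual-TLS handshake programmatically: it presents alanclient.p12 from section I as its identity and trusts only the server's self-signed certificate, so the JDK's default cacerts bundle is never consulted. It assumes that the server certificate has been exported to a file server.cer (for example with keytool -export -alias www.alan.org -keystore alan.keystore -rfc -file server.cer, a step the page does not show), that the PKCS12 password is "changeit", and that www.alan.org resolves to the Tomcat host (for instance through the hosts file).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client (added example). Presents alanclient.p12 as its identity and trusts
 * only the self-signed server certificate in server.cer. File names, the password and
 * the host name are assumptions made for this example.
 */
public class MutualTlsClient {

    /** Builds an SSLContext from the client PKCS12 keystore and one trusted server certificate. */
    public static SSLContext buildContext(String p12Path, char[] p12Password, String serverCerPath)
            throws Exception {
        // Client identity: private key and certificate generated in section I, step 2.
        KeyStore clientKs = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            clientKs.load(in, p12Password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, p12Password);

        // Trust: an in-memory keystore holding only the server's self-signed certificate.
        // Because the certificate is its own trust anchor, nothing else can impersonate the server.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(serverCerPath)) {
            serverCert = cf.generateCertificate(in);
        }
        KeyStore trustKs = KeyStore.getInstance(KeyStore.getDefaultType());
        trustKs.load(null, null); // create an empty keystore
        trustKs.setCertificateEntry("server", serverCert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("alanclient.p12", "changeit".toCharArray(), "server.cer");

        // /certfilter is the path the page's filter is mapped to; the status code is whatever
        // the resource at that path returns (404 from the default servlet if nothing is deployed there).
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://www.alan.org/certfilter").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Host name verification stays on: the URL host must match the server certificate's CN/SAN.
        // Do not install a permissive HostnameVerifier to "make it work".
        int status = conn.getResponseCode();
        System.out.println("HTTP status: " + status);

        // Show which server certificate was actually negotiated.
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("server certificate subject: "
                    + ((X509Certificate) c).getSubjectX500Principal().getName());
        }
        conn.disconnect();
    }
}
```

If the handshake fails with a "bad_certificate" or "handshake_failure" alert, the usual causes are a client certificate that is missing from the server's truststore (section I, step 3) or a key password that differs from the keystore password on either side.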
SSL/TLS two-way authentication case reference