Tomcat 7.0.55: Configuring one-way and two-way HTTPS connections

Source: Internet
Author: User
Tags: dname, pkcs12, sha1

HTTPS configuration comes in two forms: one-way and two-way. A one-way connection only requires a certificate installed on the server; the client needs none. A two-way connection requires both the server and the client to install a certificate.

Part One: One-way HTTPS connection

Check whether a .keystore file already exists in the command line's current working directory (C:\Users\test\); if it does, delete it.

First, try two keytool commands.

1. keytool -help

The output is as follows:

    C:\Users\test>keytool -help
    Key and Certificate Management Tool

    Commands:

     -certreq            Generates a certificate request
     -changealias        Changes an entry's alias
     -delete             Deletes an entry
     -exportcert         Exports certificate
     -genkeypair         Generates a key pair
     -genseckey          Generates a secret key
     -gencert            Generates certificate from a certificate request
     -importcert         Imports a certificate or a certificate chain
     -importpass         Imports a password
     -importkeystore     Imports one or all entries from another keystore
     -keypasswd          Changes the key password of an entry
     -list               Lists entries in a keystore
     -printcert          Prints the content of a certificate
     -printcertreq       Prints the content of a certificate request
     -printcrl           Prints the content of a CRL file
     -storepasswd        Changes the store password of a keystore

    Use "keytool -command_name -help" for usage of command_name

2. keytool -genkey -help

    C:\Users\test>keytool -genkey -help
    keytool -genkeypair [OPTION]...

    Generates a key pair

    Options:

     -alias <alias>                  alias name of the entry to process
     -keyalg <keyalg>                key algorithm name
     -keysize <keysize>              key bit size
     -sigalg <sigalg>                signature algorithm name
     -destalias <destalias>          destination alias
     -dname <dname>                  distinguished name
     -startdate <startdate>          certificate validity start date/time
     -ext <value>                    X.509 extension
     -validity <valDays>             validity number of days
     -keypass <arg>                  key password
     -keystore <keystore>            keystore name
     -storepass <arg>                keystore password
     -storetype <storetype>          keystore type
     -providername <providername>    provider name
     -providerclass <providerclass>  provider class name
     -providerarg <arg>              provider argument
     -providerpath <pathlist>        provider classpath
     -v                              verbose output
     -protected                      password through protected mechanism

    Use "keytool -help" for all available commands

3. Use the keytool -genkey command to generate a key pair with the alias tomcat. By default the keystore is created in the current directory. The password is not echoed and must be at least 6 characters long; the author entered 12345678.

    C:\Users\test>keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  com
    What is the name of your organization?
      [Unknown]:  co
    What is the name of your City or Locality?
      [Unknown]:  dalian
    What is the name of your State or Province?
      [Unknown]:  liaoling
    What is the two-letter country code for this unit?
      [Unknown]:  cn
    Is CN=localhost, OU=com, O=co, L=dalian, ST=liaoling, C=cn correct?
      [no]:  y
    Enter key password for <tomcat>
            (RETURN if same as keystore password):

    C:\Users\test>

After the command completes, a .keystore file has been generated in the C:\Users\test directory.

4. Move the generated .keystore file to Tomcat's conf directory.

If you prefer the command line, enter the following command:

    C:\Users\test>move .keystore D:\apache-tomcat-7.0.55\conf
            1 file(s) moved.

5. Open conf\server.xml.
Find the commented-out example Connector for port="8443" and copy the content inside the comment. The author found the following:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Copy the content between <!-- and --> out of the comment, then add the keystore file path and the keystore password:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/.keystore" keystorePass="12345678" />

Then open the following URL in a browser:

https://localhost:8443/

If the browser warns that the certificate is untrusted, choose to continue. The one-way connection configuration is complete.

One problem was avoided above: if the keystore password differs from the key password of the <tomcat> entry that the server uses, the configuration above fails with an error at startup.

Workaround: add the alias (keyAlias) and the alias password (keyPass) to the <Connector> tag in server.xml. If the .keystore was created with the keystore password 12345678 and the tomcat key password 12341234, the configuration is as follows:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/.keystore" keystorePass="12345678"
               keyAlias="tomcat" keyPass="12341234" />

Part Two: Two-way HTTPS connection

Now let's configure a two-way HTTPS connection.

For clarity, the diagram below represents the entire process (though not a flowchart)

1. Create the server keystore. The keystore type is JKS (the default; it can also be set with the -storetype parameter), the file name is server.keystore, and the first entry, with the alias tomcat, is created.

The command is as follows:

    keytool -genkey -v -alias tomcat -keyalg RSA -storetype JKS -validity 3650 -keystore server.keystore -dname "CN=localhost,OU=unknown,O=unknown,L=unknown,ST=unknown,C=unknown" -storepass 12345678 -keypass 12341234

The output is as follows:

    C:\Users\test>keytool -genkey -v -alias tomcat -keyalg RSA -storetype JKS -validity 3650 -keystore server.keystore -dname "CN=localhost,OU=unknown,O=unknown,L=unknown,ST=unknown,C=unknown" -storepass 12345678 -keypass 12341234
    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
            for: CN=localhost, OU=unknown, O=unknown, L=unknown, ST=unknown, C=unknown
    [Storing server.keystore]

    C:\Users\test>

2. Create the client keystore. The keystore type is PKCS12 (set with the -storetype parameter), the file name is client.p12, and the first entry, with the alias client1, is created.

The command:

    keytool -genkey -v -alias client1 -keyalg RSA -storetype PKCS12 -validity 3650 -keystore client.p12 -dname "CN=client1,OU=unknown,O=unknown,L=unknown,ST=unknown,C=unknown" -storepass 12345678

The output:

    C:\Users\test>keytool -genkey -v -alias client1 -keyalg RSA -storetype PKCS12 -validity 3650 -keystore client.p12 -dname "CN=client1,OU=unknown,O=unknown,L=unknown,ST=unknown,C=unknown" -storepass 12345678
    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
            for: CN=client1, OU=unknown, O=unknown, L=unknown, ST=unknown, C=unknown
    [Storing client.p12]

    C:\Users\test>

To list the contents of the client keystore:

    keytool -list -storetype PKCS12 -keystore client.p12 -storepass 12345678

The output:

    C:\Users\test>keytool -list -storetype PKCS12 -keystore client.p12 -storepass 12345678

    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    client1, 2015-5-10, PrivateKeyEntry,
    Certificate fingerprint (SHA1): F4:8B:10:4A:3F:B6:EE:BF:A7:...

    C:\Users\test>

3. Export the client's entry client1 as a .cer certificate. The exported .cer file is used by the browser and, in the next step, is imported into the server's keystore so that the server trusts the client's certificate.

The command:

    keytool -export -alias client1 -keystore client.p12 -storepass 12345678 -rfc -file client1.cer

The output:

    C:\Users\test>keytool -export -alias client1 -keystore client.p12 -storepass 12345678 -rfc -file client1.cer
    Certificate stored in file <client1.cer>

    C:\Users\test>

4. Import the .cer certificate exported in the previous step into the server keystore server.keystore.

The command:

    keytool -import -v -alias sclient1 -file client1.cer -keystore server.keystore -storepass 12345678

The output:

    C:\Users\test>keytool -import -v -alias sclient1 -file client1.cer -keystore server.keystore -storepass 12345678
    Owner: CN=client1, OU=unknown, O=unknown, L=unknown, ST=unknown, C=unknown
    Issuer: CN=client1, OU=unknown, O=unknown, L=unknown, ST=unknown, C=unknown
    Serial number: 50035e11
    Valid from: Sun May 10 --:--:-- CST 2015 until: Wed May 07 --:--:-- CST 2025
    Certificate fingerprints:
             MD5:  ...
             SHA1: F4:8B:10:4A:3F:B6:EE:BF:A7:...
             SHA256: AB:3C:...
             Signature algorithm name: SHA256withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 6D 0C ...
    0010: ...
    ]
    ]

    Trust this certificate? [no]:  y
    Certificate was added to keystore
    [Storing server.keystore]

    C:\Users\test>

To check whether the import succeeded, run:

    keytool -list -keystore server.keystore -storepass 12345678

The output:

    C:\Users\test>keytool -list -keystore server.keystore -storepass 12345678

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    sclient1, 2015-5-10, trustedCertEntry,
    Certificate fingerprint (SHA1): F4:8B:10:4A:3F:B6:EE:BF:A7:...
    tomcat, 2015-5-10, PrivateKeyEntry,
    Certificate fingerprint (SHA1): ...

    C:\Users\test>

After the steps above, the certificate generation work is finished. The C:\Users\test directory now contains three files: server.keystore, client.p12 and client1.cer.

1. Configure Tomcat

Copy server.keystore to the D:\apache-tomcat-7.0.55\conf directory and add the following Connector to server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="conf/server.keystore" keystorePass="12345678"
               keyAlias="tomcat" keyPass="12341234"
               truststoreFile="conf/server.keystore" truststorePass="12345678" />
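The following is an added example, not code from the original article: a small Python checker for the SSL Connector settings used in both the one-way section (the keyPass pitfall and the attribute spelling) and the two-way section above. The sample server.xml it parses is constructed from this article's two-way connector, and the attribute defaults it reports (user home .keystore, changeit, keyPass falling back to keystorePass) are Tomcat 7's documented JSSE defaults.

```python
import xml.etree.ElementTree as ET

# Attribute names spelled exactly as Tomcat 7's HTTP connector expects them.
KNOWN_ATTRS = {"port", "protocol", "maxThreads", "SSLEnabled", "scheme", "secure",
               "clientAuth", "sslProtocol", "keystoreFile", "keystorePass",
               "keyAlias", "keyPass", "truststoreFile", "truststorePass"}
CANONICAL = {name.lower(): name for name in KNOWN_ATTRS}

# Constructed sample server.xml carrying the two-way connector from this article.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="conf/server.keystore" keystorePass="12345678"
               keyAlias="tomcat" keyPass="12341234"
               truststoreFile="conf/server.keystore" truststorePass="12345678" />
  </Service>
</Server>"""

def check_ssl_connectors(xml_text):
    """Return {port: [findings]} for every Connector that has SSL enabled."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = conn.attrib                              # names as typed in server.xml
        low = {k.lower(): v for k, v in attrs.items()}   # case-folded for lookups
        if low.get("sslenabled", "false").lower() != "true":
            continue
        findings = []
        # Wrong casing ("Keystorefile", "Sslenabled") is not recognised: Tomcat's attribute lookup is case-sensitive.
        for name in attrs:
            if name not in KNOWN_ATTRS and name.lower() in CANONICAL:
                findings.append("%s should be spelled %s" % (name, CANONICAL[name.lower()]))
        if "keystorefile" not in low:
            findings.append("keystoreFile missing: Tomcat falls back to ~/.keystore")
        if "keystorepass" not in low:
            findings.append("keystorePass missing: Tomcat assumes 'changeit'")
        # The pitfall from the one-way section: without keyPass, Tomcat unlocks
        # the private key with keystorePass and fails at startup if the two differ.
        if "keypass" not in low:
            findings.append("keyPass missing: key password must equal keystorePass")
        if low.get("clientauth", "false").lower() == "true":
            if "truststorefile" not in low:
                findings.append("clientAuth=true but no truststoreFile")
            elif low["truststorefile"] == low.get("keystorefile"):
                findings.append("truststoreFile is the server keystore: every certificate "
                                "in it, the server's own included, is a client trust anchor")
        report[low.get("port")] = findings
    return report
```

Run against the sample it flags only that the truststore is the server's own keystore, which is why a separate truststore holding just the client certificates is the safer layout for production.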

2. Import the client1.cer certificate into the browser

Firefox: Menu -> View Certificates -> Your Certificates -> Import, then locate client1.cer in the file dialog.

File types Firefox can import: PKCS12 files (*.p12; *.pfx) and certificate files (*.p7b; *.crt; *.cert; *.cer; *.pem; *.der). Note that client1.cer holds only the public certificate; for the browser to present the client certificate during the TLS handshake it also needs the matching private key, which is contained in the PKCS12 file client.p12.
