Use the JDK keytool on Ubuntu to configure SSL for Tomcat 7.0

Source: Internet
Author: User
Tags: pkcs12


1. Use the JDK's built-in keytool to generate the server certificate:
1) Open a terminal, change to the Tomcat home directory, and run the following command to generate the keystore file:
keytool -genkey -alias tomcat -keyalg RSA -keypass tomcat -storepass tomcat -keystore server.keystore -validity 3600
-- This generates the server.keystore file in the Tomcat home directory (key password and keystore password are both "tomcat");
2) Based on the keystore file, export the server's certificate, which is used to apply to the CA for the server's digital certificate:
keytool -export -alias tomcat -file server.cer -keystore server.keystore -storepass tomcat
-- This generates the server.cer file in the Tomcat home directory;
3) Import the server certificate server.cer issued by the information center into the server.keystore file:
keytool -import -trustcacerts -alias tomcat -file server.cer -keystore server.keystore -storepass tomcat

2. Use the JDK's built-in keytool to generate the client certificate:
1) So that the certificate can be imported smoothly into IE and Firefox, the certificate format is PKCS12. The command is as follows:
keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 -validity 3600 -keystore client.p12 -storepass client -keypass client
-- This generates the client.p12 file in the Tomcat home directory;
2) Make the server trust the client certificate:
In two-way SSL authentication the server must trust the client certificate, so the client certificate has to be added to the server as a trusted certificate. Because a PKCS12 keystore cannot be imported directly, first export the client certificate as a separate CER file:
keytool -export -alias client -keystore client.p12 -storetype PKCS12 -storepass client -rfc -file client.cer
-- This generates the client.cer file in the Tomcat home directory;
Then import client.cer into the server keystore server.keystore as a trusted certificate (no -alias is given, so keytool stores it under the default alias "mykey"):
keytool -import -v -file client.cer -keystore server.keystore -storepass tomcat
-- keytool reports that the certificate was added to the keystore;
3) Run the list command to view the server keystore. Two entries are shown: the server certificate (PrivateKeyEntry) and the trusted client certificate (trustedCertEntry):
keytool -list -keystore server.keystore -storepass tomcat

4) Delete command (removes the entry stored under alias mykey):
keytool -delete -alias mykey -keystore server.keystore -storepass tomcat
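As an added example (not from the original post), the following Java program uses the standard KeyStore API to open the server.keystore and client.p12 files produced by the commands above and verify that the client certificate is present in the server keystore as a trusted entry, which is the condition two-way authentication depends on. It assumes the file names and passwords used on this page and is run from the Tomcat home directory.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Checks the keystores produced by the keytool steps above (added example, not from the page). */
public class KeystoreCheck {
    // Same file names and passwords as the keytool commands on this page (assumed, adjust if changed).
    static final String SERVER_KS = "server.keystore", SERVER_PASS = "tomcat";
    static final String CLIENT_KS = "client.p12",      CLIENT_PASS = "client";

    static KeyStore load(String file, String type, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, pass.toCharArray()); // throws if the password or file type is wrong
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore server = load(SERVER_KS, "JKS", SERVER_PASS);
        KeyStore client = load(CLIENT_KS, "PKCS12", CLIENT_PASS);

        // Equivalent of "keytool -list": each alias, its entry type, and the certificate subject.
        for (String alias : Collections.list(server.aliases())) {
            X509Certificate c = (X509Certificate) server.getCertificate(alias);
            System.out.printf("%-8s %-12s %s%n", alias,
                    server.isKeyEntry(alias) ? "PrivateKey" : "trustedCert",
                    c.getSubjectX500Principal());
        }

        // Two-way TLS only works if the client's certificate is a trusted entry in the server's truststore.
        Certificate clientCert = client.getCertificate("client");
        String trustedAs = server.getCertificateAlias(clientCert); // null when not present
        if (trustedAs == null) {
            System.out.println("client certificate is NOT trusted by server.keystore; rerun the import step");
        } else {
            System.out.println("client certificate is trusted under alias '" + trustedAs + "'");
        }
    }
}
```

With the page's commands run as written, the client certificate is reported under the default alias mykey.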

3. Modify the Tomcat configuration file conf/server.xml:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="server.keystore" keystorePass="tomcat"
           truststoreFile="server.keystore" truststorePass="tomcat"
/>
-- The truststore is the same server.keystore file, so truststorePass must be its password ("tomcat"), not the client keystore's password.
1) clientAuth="true": two-way authentication;
2) clientAuth="false": one-way authentication;
4. Restart Tomcat with ./bin/startup.sh and access https://127.0.0.1:8443.
1) clientAuth="false", one-way authentication: the Tomcat homepage opens successfully;
2) clientAuth="true", two-way authentication: in Firefox open Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Your Certificates and import client.p12 (import it into IE in the same way); then open the Tomcat homepage and select the client certificate when the browser prompts for it;

5. Code to obtain the SSL certificate on the server side
if (request.isSecure()) { // the request came over SSL
    java.security.cert.X509Certificate[] certs = (java.security.cert.X509Certificate[])
            request.getAttribute("javax.servlet.request.X509Certificate");
    if (certs != null && certs.length > 0) {
        subjectDN = "Certificates found";
    }
}
Use Java to parse the certificate and obtain the user information in it (certs[0] is the client's own certificate):
String issuer   = certs[0].getIssuerDN().toString();       // certificate issuer
String subject  = certs[0].getSubjectDN().getName();       // certificate owner
String after    = certs[0].getNotAfter().toString();       // end of the validity period (expiration time)
String before   = certs[0].getNotBefore().toString();      // start of the validity period
String version  = Integer.toString(certs[0].getVersion()); // certificate version
String serialNo = certs[0].getSerialNumber().toString();   // certificate serial number
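As an added example that is not part of the original page, this servlet puts the snippet above into a complete form: it rejects plain-HTTP requests, handles the case where no client certificate was presented (clientAuth="false"), checks the validity period, and reads the fields from certs[0]. The class name is an assumption; the attribute name is the one the page uses.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Reads the client certificate Tomcat attaches to the request when clientAuth="true" (added example). */
public class ClientCertServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");

        if (!request.isSecure()) { // plain HTTP: no certificate can exist on this request
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Tomcat stores the verified chain under this attribute; it is null when no certificate was sent
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate presented");
            return;
        }
        X509Certificate cert = certs[0]; // element 0 is the client's own certificate, the rest is its chain
        try {
            cert.checkValidity(); // throws if "now" is outside notBefore..notAfter
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate expired or not yet valid");
            return;
        }
        PrintWriter out = response.getWriter();
        out.println("subject : " + cert.getSubjectX500Principal().getName());
        out.println("issuer  : " + cert.getIssuerX500Principal().getName());
        out.println("serial  : " + cert.getSerialNumber().toString(16));
        out.println("version : " + cert.getVersion());
        out.println("valid   : " + cert.getNotBefore() + " to " + cert.getNotAfter());
    }
}
```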

6. Reference addresses:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html -- Tomcat 6.0 SSL configuration

http://wenku.baidu.com/view/e7b22df0f90f76c661371a6f.html -- Tomcat SSL configuration
