generate a certificate for the serverRun the console, enter the%java_home%/bin directory, enter the directory using the following command: CD "C:\Program Files\java\jdk1.6.0_11\bin" uses Keytool to generate a certificate for Tomcat, assuming the domain name of the target machine is "LocalHost", the KeyStore file is stored in "D:\home\tomcat.keystore", the password is "password", generated using the following command: Keytool-genkey-v-alias tomcat-keyalg Rsa-keystore D:\home\tomcat.keystore-validity 36500 (parameter brief description: "D:\home\tomcat.keystore" means to save the path to the certificate file, The certificate file name is Tomcat.keystore; "-validity 36500" means the certificate validity period, 36500 means 100 years, and the default value is 90 days "Tomcat" for the custom certificate name). Fill in the necessary parameters at the command line: A, enter KeyStore password: Here you need to enter a string greater than 6 characters. B, "What is your first and last name?" "This is required and must be the domain name of the Tomcat deployment host or ip[, such as: Gbcom.com or 10.1.25.251] (which is the access address you will enter in the browser), or the browser will pop up a warning window prompting the user certificate to not match the domain in which it resides. When you do the development test locally, you should fill in "localhost". C, what is the name of your organizational unit? "," What is your organization name? "," What is your city or region name? "," What is the name of your state or province? "," What is the two-letter country code for this unit? "Can be filled in as needed or can not fill in the direct return, the system asked" correct? ", enter the letter" Y "with the keyboard if required, otherwise enter" n "to re-fill the information. D, enter <tomcat> master password, this is more important, will be used in the Tomcat configuration file, it is recommended to enter the same password as KeyStore, set other passwords can also, after completing the above input, the direct return to the location you defined in the second step to find the generated file.
generate certificates for clientsGenerate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate: Keytool-genkey-v-alias mykey-keyalg rsa-storetype pkcs12-keystore D:\HOME\MYKEY.P12 (MyKey is Custom). The corresponding certificate inventory is placed in "D:\HOME\MYKEY.P12", and the client's CN can be any value. Double-click the Mykey.p12 file to import the certificate into the browser (client).
to have the server trust the client certificateBecause it is a two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added as the server's trust authentication. Because you cannot directly import a certificate library in the PKCS12 format, you must first export the client certificate as a separate CER file, using the following command: Keytool-export-alias mykey-keystore D:\HOME\MYKEY.P12- Storetype pkcs12-storepass password-rfc-file D:\home\mykey.cer (MyKey is the same as the custom defined MyKey for the client, password is the password you set). With the above command, the client certificate is exported to the "D:\home\mykey.cer" file. The next step is to import the file into the certificate Library of the server and add it as a trusted certificate using the command as follows: Keytool-import-v-file D:\home\mykey.cer-keystore D:\home\ Tomcat.keystore the list command to view the server's certificate library, you can see two certificates, one server certificate and one trusted client certificate: Keytool-list-keystore D:\home\tomcat.keystore ( Tomcat sets the server-side certificate name for you).
Let the client trust the server certificateBecause it is a two-way SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the Browse Trusted root certification authorities. Because you cannot directly import a certificate library in the KeyStore format, you must first export the server certificate as a separate CER file, using the following command: Keytool-keystore D:\home\tomcat.keystore-export-alias Tomcat-file D:\home\tomcat.cer (Tomcat sets the server-side certificate name for you). With the above command, the server certificate is exported to the "D:\home\tomcat.cer" file. Double-click the Tomcat.cer file, follow the prompts to install the certificate, and fill in the certificate to Trusted root certification authorities. Configure the Tomcat server to open the/conf/server.xml under the Tomcat root directory and locate the connector port= "8443" configuration segment, modified as follows:
<connector port= "8443" protocol= "Org.apache.coyote.http11.Http11NioProtocol "
sslenabled= "true" maxthreads= "scheme= " "https"
secure= "true" Clientauth= "true" sslprotocol= "TLS "
keystorefile= "D:\\home\\tomcat.keystore" keystorepass= "123456 "
truststorefile= "D:\\home\\tomcat.keystore" truststorepass= "123456"/>(Tomcat to match the generated server-side certificate name) Property Description: ClientAuth: Sets whether two-way authentication, the default is False, and set to true represents two-way authentication keystorefile: Server certificate file path Keystorepass: Server Certificate Password truststorefile: The root certificate used to authenticate the client certificate, in this case the server certificate truststorepass: Root certificate Password
TestIn the browser input: https://localhost:8443/, will pop-up select the client certificate interface, click "OK", will enter the Tomcat homepage, the address bar will have a "lock" icon, indicating that the session has been authenticated through HTTPS two-way, The information transmitted during the next session is encrypted with SSL information.
Configure HTTPS bidirectional authentication with the Tomcat server
