Configure OpenSSL for Tomcat

Source: Internet
Author: User

First, you are advised to use JDK 1.4, which ships with JSSE.
In addition, you need OpenSSL to generate the CA certificate, sign certificate requests, and produce private keys that IE can import. You can download it from http://www.openssl.org.
The following is excerpted, with slight modifications, from "Configure Tomcat 4 to use SSL" by Zhao Liang (b-i-d@163.com) on the IBM developerWorks Chinese site.


4.2 Create your own CA

4.2.1 Create a working directory
mkdir ca

4.2.2 Generate the CA private key and self-signed root certificate
4.2.2.1 Generate the CA private key
openssl genrsa -out ca\ca-key.pem 1024


4.2.2.2 Generate the certificate request to be signed
openssl req -new -out ca\ca-req.csr -key ca\ca-key.pem


4.2.2.3 Self-sign the request with the CA private key
openssl x509 -req -in ca\ca-req.csr -out ca\ca-cert.pem -signkey ca\ca-key.pem -days 365

4.3 Set up Tomcat 4.x
In this article, the symbol %JDK_HOME% stands for the JDK installation directory and %TCAT_HOME% for the Tomcat installation directory.

4.3.1 Create a working directory
mkdir server

4.3.2 Generate a server certificate
4.3.2.1 Generate the key pair
%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "CN=localhost, OU=Department, O=Company, L=Beijing, ST=Beijing, C=CN" -keystore server\server_keystore

4.3.2.2 Generate the certificate request to be signed
%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server\server.csr -keypass changeit -keystore server\server_keystore -storepass changeit

4.3.2.3 Sign the request with the CA private key
openssl x509 -req -in server\server.csr -out server\server-cert.pem -CA ca\ca-cert.pem -CAkey ca\ca-key.pem -CAcreateserial -days 365
The -CAcreateserial option creates the CA's serial-number file (ca\ca-cert.srl) the first time the CA signs a certificate; without it OpenSSL refuses to sign because that file does not yet exist.

4.3.2.4 Import the trusted CA root certificate into the default JSSE trust store (%JDK_HOME%\jre\lib\security\cacerts)
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\ca-cert.pem -keystore %JDK_HOME%\jre\lib\security\cacerts

4.3.2.5 Import the CA-signed server certificate into the keystore
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server\server-cert.pem -keystore server\server_keystore

4.3.2.6 View the imported certificates
keytool -list -keystore %JDK_HOME%\jre\lib\security\cacerts
keytool -list -keystore server\server_keystore
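The CA-then-server flow of sections 4.2 and 4.3.2, as an added example that is not part of the original article: it runs the same steps with a current OpenSSL on a POSIX shell (the server key and CSR are made with openssl instead of keytool), uses 2048-bit keys and SHA-256 in place of 1024-bit keys and MD5, adds the subjectAltName that current browsers require, and finishes with a chain check. Directory names, subjects and the SAN are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's own commands. Builds a private CA, signs a
# server CSR with it and verifies the resulting chain. All paths/names are
# constructed for this demonstration.
set -eu

# $1 = working directory (created if missing). Returns 0 if the signed server
# certificate verifies against the CA and does not use MD5.
build_and_verify_chain() {
    work="$1"
    mkdir -p "$work/ca" "$work/server"

    # 4.2.2: CA key and self-signed root (2048-bit RSA, SHA-256).
    openssl genrsa -out "$work/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$work/ca/ca-key.pem" -sha256 -days 365 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/OU=Department/CN=Example Root CA" \
        -out "$work/ca/ca-cert.pem" 2>/dev/null

    # 4.3.2.1-4.3.2.2: server key and CSR (openssl here instead of keytool).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/server/server-key.pem" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/OU=Department/CN=localhost" \
        -out "$work/server/server.csr" 2>/dev/null

    # Browsers ignore the CN for host matching; the leaf needs a SAN.
    printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' \
        > "$work/server/ext.cnf"

    # 4.3.2.3: sign the CSR. -CAcreateserial creates ca-cert.srl on first use;
    # without it openssl x509 -req fails because the serial file is missing.
    openssl x509 -req -in "$work/server/server.csr" -CA "$work/ca/ca-cert.pem" \
        -CAkey "$work/ca/ca-key.pem" -CAcreateserial -sha256 -days 365 \
        -extfile "$work/server/ext.cnf" -out "$work/server/server-cert.pem" 2>/dev/null

    # Chain check: the leaf must verify against the CA we just created ...
    openssl verify -CAfile "$work/ca/ca-cert.pem" "$work/server/server-cert.pem" >/dev/null
    # ... and must not be signed with MD5 (the negated pipeline returns 0 if absent).
    ! openssl x509 -in "$work/server/server-cert.pem" -noout -text | grep -q md5WithRSA
}
```

The PEM files it produces can be imported with the keytool commands above in place of the openssl-signed server-cert.pem; the .srl file beside ca-cert.pem is the CA's serial-number state and should be kept.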

4.3.3 Modify server.xml so that Tomcat supports SSL
First, find the following block in server.xml and remove the comment markers around it. Then change the settings that were highlighted in the original article (the keystoreFile, keystorePass and clientAuth attributes of the Factory element). If Tomcat should not authenticate the client's identity, set clientAuth="false".
<Connector className="org.apache.catalina.connector.http.HttpConnector"
    port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true"
    acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
    clientAuth="false" protocol="TLS"
    keystoreFile="%TCAT_HOME%/conf/server_keystore" keystorePass="changeit"
  />
</Connector>

Copy the file server\server_keystore to the directory %TCAT_HOME%\conf.

4.4 Install the trusted root certificate on the client
Rename ca\ca-cert.pem to ca\ca-key.cer, then in the client's IE open Tools > Internet Options > Content > Certificates > Import and import the CA root certificate generated above so that it becomes a trusted CA.

4.5 Access Tomcat over SSL from the IE browser

4.5.1 Start Tomcat 4.x
Run %TCAT_HOME%\bin\startup.bat to start Tomcat 4.x.

4.5.2 Access Tomcat 4.x with IE
Enter https://localhost:8443 in the IE address bar. If the previous steps were carried out correctly, the Tomcat welcome page appears and the lock icon on the status bar is closed, indicating that an SSL connection has been established with the server (including client verification, if clientAuth was set to "true").
