HTTPS principle and Tomcat configuration HTTPS method

Source: Internet
Author: User

  1. Generate a certificate for the server

    Open a console and change to the %JAVA_HOME%\bin directory using the following command:

    CD "C:\Program Files\java\jdk1.6.0_11\bin"

    Use keytool to generate a certificate for Tomcat. Assuming the domain name of the target machine is "localhost", the keystore file is stored in "D:\home\tomcat.keystore" and the password is "password", the certificate is generated with the following command:

    keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\home\tomcat.keystore -validity 36500

    (Brief parameter description: "D:\home\tomcat.keystore" is the path where the certificate file is saved, and the certificate file name is tomcat.keystore; "-validity 36500" is the certificate validity period in days, 36500 means 100 years, and the default is 90 days; "tomcat" is the custom certificate name.)

    Fill in the necessary parameters at the command line:

    A. "Enter keystore password": enter a string longer than 6 characters.

    B. "What is your first and last name?": this is required and must be the domain name or IP of the Tomcat deployment host (such as gbcom.com or 10.1.25.251), that is, the access address you will enter in the browser. Otherwise the browser pops up a warning that the certificate does not match the domain it is served from. For local development and testing, fill in "localhost".

    C. "What is the name of your organizational unit?", "What is your organization name?", "What is your city or region name?", "What is the name of your state or province?" and "What is the two-letter country code for this unit?" can be filled in as needed, or skipped by pressing Enter. When the system asks whether the information is correct, enter the letter "Y" if it is; otherwise enter "n" to fill in the information again.

    D. "Enter key password for <tomcat>": this one is more important because it is used in the Tomcat configuration file. It is recommended to enter the same password as the keystore password, although a different password can also be set. After completing the above input, press Enter; the generated file can be found at the location you defined in the second step.

  2. Generate certificates for clients

    Generate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate:

    keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore D:\home\mykey.p12

    ("mykey" is a custom name.)

    The corresponding certificate store is saved in "D:\home\mykey.p12", and the client's CN can be any value. Double-click the mykey.p12 file to import the certificate into the browser (client).

  3. Make the server trust the client certificate

    Because this is two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added to the server as a trusted certificate. Because a certificate store in PKCS12 format cannot be imported directly, you must first export the client certificate to a separate CER file, using the following command:

    keytool -export -alias mykey -keystore D:\home\mykey.p12 -storetype PKCS12 -storepass password -rfc -file D:\home\mykey.cer

    ("mykey" is the custom name defined for the client certificate; "password" is the password you set.) With the above command, the client certificate is exported to the "D:\home\mykey.cer" file.

    The next step is to import the file into the server's certificate store and add it as a trusted certificate, using the following command:

    keytool -import -v -file D:\home\mykey.cer -keystore D:\home\tomcat.keystore

    Use the list command to view the server's certificate store; you can see two certificates, one server certificate and one trusted client certificate:

    keytool -list -keystore D:\home\tomcat.keystore

    ("tomcat" is the server-side certificate name you set.)

  4. Let the client trust the server certificate

    Because this is two-way SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the browser's Trusted Root Certification Authorities. Because a certificate store in keystore format cannot be imported directly, you must first export the server certificate to a separate CER file, using the following command:

    keytool -keystore D:\home\tomcat.keystore -export -alias tomcat -file D:\home\tomcat.cer

    ("tomcat" is the server-side certificate name you set.)

    With the above command, the server certificate is exported to the "D:\home\tomcat.cer" file. Double-click the tomcat.cer file, follow the prompts to install the certificate, and place it in Trusted Root Certification Authorities.

  5. Configuring the Tomcat Server

    Open /conf/server.xml in the Tomcat root directory and locate the Connector port="8443" configuration section, as follows:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https"
               secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\home\\tomcat.keystore" keystorePass="123456"
               truststoreFile="D:\\home\\tomcat.keystore" truststorePass="123456"/>

    ("tomcat" must match the name of the generated server-side certificate.)

    Property description:

    clientAuth: whether two-way authentication is used; the default is false, set it to true for two-way authentication

    keystoreFile: server certificate file path

    keystorePass: server certificate password

    truststoreFile: the root certificate used to verify the client certificate; in this case, the server certificate

    truststorePass: root certificate password

  6. Test

    In the browser, enter https://localhost:8443/. A dialog for selecting the client certificate pops up; click "OK" to enter the Tomcat home page. The address bar shows a "lock" icon, indicating that the session has passed HTTPS two-way authentication and that the information transmitted during the rest of the session is encrypted with SSL.
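
The Connector from step 5 can be checked mechanically before Tomcat is restarted. The following Python script is an added example, not part of the original tutorial or of Tomcat: it parses a constructed server.xml and reports settings that weaken two-way authentication. The function name audit_connectors, the sample document and the weak-password list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the step 5 Connector (not taken from a real host).
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="D:\\home\\tomcat.keystore" keystorePass="123456"
             truststoreFile="D:\\home\\tomcat.keystore" truststorePass="123456"/>
</Service></Server>"""

# Illustrative list (an assumption): the tutorial's two passwords plus
# "changeit", the default keystore password.
WEAK_PASSWORDS = {"123456", "password", "changeit"}


def audit_connectors(server_xml):
    """Return {port: [findings]} for each SSL-enabled Connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check here
        findings = []
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth == "want":
            findings.append("clientAuth=want: a client certificate is requested but not required")
        elif client_auth != "true":
            findings.append("clientAuth is not true: one-way TLS only")
        keystore, truststore = conn.get("keystoreFile"), conn.get("truststoreFile")
        if not truststore:
            findings.append("truststoreFile is not set on this Connector")
        elif truststore == keystore:
            findings.append("truststoreFile equals keystoreFile: server key and "
                            "trusted client certificates share one store")
        for attr in ("keystorePass", "truststorePass"):
            if conn.get(attr) in WEAK_PASSWORDS:
                findings.append(attr + " is a commonly used password stored in clear text")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "no findings")
```

Run against the tutorial's Connector, the script reports the two "123456" passwords and the shared keystore/truststore file; it reports nothing for clientAuth because two-way authentication is enabled.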

