SSL two-way authentication and certificate creation and use, ssl authentication certificate

Source: Internet
Author: User


The following describes how to create a root CA certificate, a server certificate, and a client certificate, and how two-way authentication uses them:


The client installs the root certificate ca.crt in the client's trust store, and the server installs the same root certificate ca.crt in the server's trust store.

During the SSL handshake, the server first sends its certificate (the one bundled in server.p12; the private key inside the .p12 never leaves the server) to the client. The client checks it against its own trust store: because server.p12 was issued by the root certificate CA, verification passes.

The client then sends its own certificate, the one in client.p12, to the server. Because client.p12 was also issued by the root certificate CA, that verification passes as well.


Download and install the xca tool at the

Create a CA certificate with xca

1. Open xca. Choose File > New DataBase, pick a storage path for the .xdb file and set a password.
2. Switch to the Certificates tab and click New Certificate. The certificate dialog opens.
3. To create the root certificate, select "Create a self signed certificate" with serial number 1, choose SHA 256 as the signature algorithm, choose the default CA template, and then click Apply all (do not skip this step).
4. Switch to the Subject tab and fill in all fields.
5. Click Generate a new key to generate the private key.
6. Click OK. The CA certificate is complete; its validity period is 10 years by default.

Export the root certificate in a format that contains only the public key (the certificate without its private key). Publish this root certificate on the website for users to download and install, or install it directly on the customer's machines:
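The same procedure on the command line with openssl, as an added example that is not part of the original page: it creates the root CA with the choices made in the xca dialog (self-signed, serial 1, SHA-256, 10 years), goes beyond the dialog by also issuing the server and client certificates and bundling them as server.p12 and client.p12, and reproduces the trust check each side performs in the handshake. Subject names, file names and the password "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): openssl equivalent of the xca steps,
# plus the server/client certificates signed by that root CA.
# Assumptions: all subject names, file names and the password "changeit" are
# constructed placeholders.

make_pki() {
  dir="$1"; pw="changeit"
  mkdir -p "$dir" || return 1
  # 1. Root CA: self-signed, serial 1, SHA-256 signature, 10-year validity
  #    (the same choices made in the xca dialog).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -set_serial 1 \
    -subj "/O=Example Corp/CN=Example Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # 2. Server and client: generate a key and CSR, then sign it with the root CA.
  for name in server client; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/O=Example Corp/CN=$name.example.test" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$name.crt" 2>/dev/null || return 1
    # 3. Bundle key + certificate + issuing CA as PKCS#12 (server.p12 / client.p12).
    #    This file holds the private key, so it stays on its owner's machine; only
    #    the certificate inside it is sent during the handshake.
    openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
      -certfile "$dir/ca.crt" -name "$name" -passout "pass:$pw" \
      -out "$dir/$name.p12" 2>/dev/null || return 1
  done
  # ca.crt (certificate only, no key) is what gets distributed to the trust stores.
  rm -f "$dir"/*.csr
}

# The check each side performs in the handshake: does the peer certificate chain
# to the root CA installed in the local trust store? Returns 0 only if it does.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: make_pki ./pki && verify_against_ca ./pki/ca.crt ./pki/client.crt
```

A certificate issued by any other CA, even one with the same subject name, fails verify_against_ca, which is exactly why distributing the right ca.crt to both trust stores matters.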



Creating the server certificate and the client certificate is similar to creating the CA certificate. There are only two differences:

Tomcat ssl two-way authentication Configuration

1. Both keytool and openssl are tools; which one you use depends on the application server or web server. Tomcat needs to use keytool.
2. .cer and .crt are both certificate formats. It is very easy to convert the certificate to the one supported by your web server or application server. JKS is a format: openssl is generally used with the jks or key format, and keytool with the keystore format.
3. You must import the root certificate. I don't understand what you said about the client certificate import; I don't think the client certificate needs to be imported any more. Two-way authentication is done on the server and does not need the client certificate imported; you just need to configure it on the server. To import Tomcat certificates, you need to import the root certificate (if you have an intermediate root certificate, you also need to import it).

Tomcat certificate configuration command:
keytool -import -alias rootca.cer -keystore your_keystore -storepass your_pass -trustcacerts -file c:\rootca.cer
When importing the root certificate, do not use the same alias as the server certificate's alias.

When importing server certificates, pay attention to your own alias.

After importing the root certificate and server certificate, edit the configuration file server.xml directly:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!-- Note: clientAuth="false" does not ask the client for a certificate at all;
     two-way authentication needs clientAuth="true" plus truststoreFile/truststorePass
     pointing at a trust store that contains the root certificate. -->
<Connector port="8443"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100" debug="0"
           scheme="https"
           secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/conf/your_keystore"
           keystorePass="your_pass"/>

Restart the server.
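The server side of the configuration above, as an added example that is not part of the original page: it imports the exported root certificate into a separate Tomcat trust store with keytool and emits a Connector in which client authentication is actually enforced (the snippet above leaves clientAuth="false" and sets no trust store). The alias "rootca", the trust store password "changeit" and the file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): Tomcat trust store and a Connector
# that enforces two-way authentication. Assumptions: the alias "rootca", the
# trust store password "changeit" and the file paths are constructed placeholders.

# Import ca.crt (certificate only, no private key) into a separate trust store.
# The alias must differ from the server certificate's alias in the key store.
# $1 = path to ca.crt, $2 = trust store file to create or update.
build_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias rootca \
    -file "$1" -keystore "$2" -storepass changeit >/dev/null 2>&1
}

# server.xml Connector for two-way authentication. clientAuth="false" (as in the
# page's snippet) only authenticates the server; clientAuth="true" makes Tomcat
# require a client certificate that chains to a CA present in truststoreFile.
# $1 = key store path (holds the server certificate), $2 = trust store path.
connector_xml() {
  cat <<EOF
<Connector port="8443" maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$1" keystorePass="your_pass"
           truststoreFile="$2" truststorePass="changeit"/>
EOF
}

# Usage: build_truststore ca.crt conf/truststore.jks
#        connector_xml conf/your_keystore conf/truststore.jks
```

Keep the key store and the trust store as separate files: the key store holds the server's private key, the trust store only the root certificate that client certificates must chain to.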

In SSL two-way authentication, how does SSL check whether the CA certificate has been approved?

1. Your question is wrong: "How does SSL check if the CA certificate is approved?" Both parties check the validity of the other party's certificate by determining whether the issuer (CA certificate) of that certificate is trusted.
2. You can create a self-built CA certificate and issue certificates with it without applying to a third party. However, to gain the other party's trust, you need to perform some operations.
