Tomcat Configuration SSL

Source: Internet
Author: User
Tags: dname, asymmetric encryption

I. Introduction of Keytool

Keytool is the key and certificate management tool shipped with the Java platform. It keeps keys and certificates in a file called a keystore, which holds two kinds of entries:

    1. Key entries: a secret key, or a private key together with its paired public key (asymmetric encryption) and the certificate chain for that public key
    2. Trusted certificate entries: only a public key, in the form of a certificate belonging to some other party that this keystore trusts

Alias: each entry in a keystore is referenced by a unique alias; aliases are case insensitive.

Storage location of the keystore

If no -keystore location is given, keytool uses a file named ".keystore" in the user's home directory; on Windows XP, for example, it is created as C:\Documents and Settings\<username>\.keystore

Keystore generation: keytool -genkey -alias tomcat -keyalg RSA -keystore d:/mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=sh, ST=sh, C=CN" -keypass changeit -storepass changeit -validity 180

Parameter description:

-genkey generates a new key pair and a self-signed certificate for it (-genkeypair is the newer spelling of the same command)
-dname the distinguished name written into the certificate:
CN=common name (for a server certificate, the host name clients will connect to)
OU=organizational unit
O=organization name
L=locality name
ST=state name (older keytool versions also accept S)
C=country
The distinguished name identifies the owner of the key; because the certificate is self-signed, it is also the issuer name
-keyalg the key algorithm, here RSA
-alias the alias of the entry
-keypass the password protecting the private key, here changeit
-keystore the keystore file, here mykeystore in the root of the D: drive
-storepass the keystore password, here changeit; it is required to read entries out of the mykeystore file
-validity the certificate is valid for 180 days (default is 90 days)

Note that changeit is the well-known default password of the JDK's cacerts file and is the first thing anyone will guess; use a different password on a real server.

cacerts certificate file (the cacerts certificates file)

This file lives in java.home/lib/security (for a JDK that is %JAVA_HOME%/jre/lib/security/cacerts) and is the Java runtime's store of trusted CA certificates; its default password is changeit.

II. Preparatory work

    1. Check whether a certificate with the same alias already exists:

keytool -list -v -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit

    2. Delete a certificate you created earlier:

keytool -delete -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit

III. Create a certificate

    1. Generate the certificate on the server:

(Note: when generating the certificate, the CN must be the same as the server's domain name, because clients compare it with the host they connected to; for local testing use localhost)

keytool -genkey -alias tomcat -keyalg RSA -keystore d:/mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=sh, ST=sh, C=CN" -keypass changeit -storepass changeit

    2. Export the certificate so it can be installed on the client (this exports only the public certificate, never the private key):

keytool -export -alias tomcat -keystore d:/mykeystore -file d:/mycerts.cer -storepass changeit

    3. Client configuration: import the certificate issued by the server into the client JVM's trust store:

keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file d:/mycerts.cer -storepass changeit

Importing into cacerts makes every Java program on that machine trust this certificate, and the file is replaced when the JDK is upgraded. For a single client application it is safer to import into a dedicated truststore file and point the client at it with -Djavax.net.ssl.trustStore=<file> -Djavax.net.ssl.trustStorePassword=<password>.

IV. Configuring Tomcat SSL

Modify the SSL connector in server.xml (the values of the maxThreads, minSpareThreads and acceptCount attributes were lost in this copy of the article, so those attributes are left out below and Tomcat's defaults apply):

<Connector port="8443" maxHttpHeaderSize="8192"
           maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="server.keystore" keystorePass="changeit"/>

keystoreFile must point to the keystore created in section III (here d:/mykeystore, or a path relative to $CATALINA_BASE) and keystorePass must be that keystore's -storepass. The password sits in clear text in server.xml, so restrict read access to that file to the account Tomcat runs as. Tomcat 6 and later also require SSLEnabled="true" on the connector, and Tomcat 8.5 and later configure certificates through nested SSLHostConfig and Certificate elements instead of these attributes.

V. Frequently asked questions

    1. Could not find a trusted certificate

The usual reason is that the client has not imported the server certificate into its JVM trust store. Use

keytool -list -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit

to see whether the certificate has actually been imported into the JVM (the command fails with "Alias <tomcat> does not exist" when it has not). Also check that the client runs on the same JVM whose cacerts you modified, and that the host name it connects to matches the certificate's CN.

    2. keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

The password supplied does not match the keystore file that keytool actually opened. A common cause is running the command without -keystore, so keytool opened the .keystore file in your home directory, which has its own password; if that file exists, remove it and run the command again. The same error on cacerts means the wrong store password was given (the JDK default is changeit). Deleting cacerts and re-importing, as sometimes suggested, is not a fix: it discards every public CA the JVM trusts, so supply the correct password or import into a separate truststore instead.
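The whole procedure of sections II, III and V as one script, added here as an example; it is not part of the original article and is written for a POSIX shell rather than the Windows command prompt the article's d:/ paths suggest. The work directory, file names and the password are assumptions. It deviates from the article in two deliberate ways: the exported certificate is imported into a private truststore file instead of the JVM-wide cacerts, and the certificate carries a Subject Alternative Name in addition to a matching CN, because current TLS clients match the host name against the SAN (the -ext option needs Java 7 or later).

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the keytool workflow of
# sections II, III and V as one script, run in a throw-away directory.
# Assumptions: a JDK on PATH, Java 7+ (for -ext SAN), and the paths,
# names and password below, which are placeholders.
set -u

WORK="${WORK:-$(mktemp -d)}"
SERVER_KS="$WORK/mykeystore"            # article: d:/mykeystore
CERT_FILE="$WORK/mycerts.cer"           # article: d:/mycerts.cer
CLIENT_TS="$WORK/client-truststore.jks" # article: %JAVA_HOME%/jre/lib/security/cacerts
HOST="localhost"
PASS="changeit"   # keytool/Tomcat default; use something else in production

# Section II: remove a leftover entry with the same alias, otherwise
# -genkeypair refuses to overwrite it. Errors (no file, no alias) are fine.
remove_old_alias() {
    keytool -delete -alias tomcat -keystore "$SERVER_KS" \
        -storepass "$PASS" >/dev/null 2>&1 || true
}

# Section III step 1: key pair plus self-signed certificate for the server.
# CN matches the host name as the article requires; SAN is added on top.
gen_server_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$SERVER_KS" -storepass "$PASS" -keypass "$PASS" \
        -validity 180 \
        -dname "CN=$HOST, OU=localhost, O=localhost, L=sh, ST=sh, C=CN" \
        -ext "SAN=dns:$HOST,ip:127.0.0.1"
}

# Section III step 2: export the certificate (public part only).
export_cert() {
    keytool -exportcert -alias tomcat -keystore "$SERVER_KS" \
        -storepass "$PASS" -file "$CERT_FILE"
}

# Section III step 3, but into a private truststore rather than cacerts.
# -noprompt skips the "Trust this certificate?" question.
import_cert() {
    keytool -importcert -trustcacerts -noprompt -alias tomcat \
        -keystore "$CLIENT_TS" -storepass "$PASS" -file "$CERT_FILE"
}

# Section V FAQ 1: is the alias really in the client's truststore?
# keytool -list exits non-zero when the alias does not exist.
check_imported() {
    keytool -list -alias tomcat -keystore "$CLIENT_TS" \
        -storepass "$PASS" >/dev/null 2>&1
}

# Section III note: the certificate's CN must equal the server host name.
check_cn() {
    keytool -printcert -file "$CERT_FILE" | grep -q "CN=$HOST"
}

# Runs every step in order. Prints "ok" when the certificate is generated,
# exported, imported and visible in the truststore with the right CN;
# prints "skipped" when no JDK is available; prints nothing and returns
# non-zero if any step fails.
run_demo() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    rm -f "$CERT_FILE" "$CLIENT_TS"
    remove_old_alias
    gen_server_keystore >/dev/null 2>&1 &&
    export_cert >/dev/null 2>&1 &&
    import_cert >/dev/null 2>&1 &&
    check_imported &&
    check_cn &&
    echo ok
}

run_demo
```

A client would then be started with -Djavax.net.ssl.trustStore=$WORK/client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit, and the server keystore from $WORK/mykeystore is what keystoreFile in server.xml points at; nothing in the JDK's cacerts is touched.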
