I. Introduction to keytool
keytool is the key and certificate management tool that ships with the Java JDK. It keeps keys and certificates in a file called a keystore, which holds two kinds of entries:
- Key entries: a secret key, or a private key together with its paired public key (asymmetric encryption)
- Trusted certificate entries: contain only a public key (a certificate)
Alias: every entry in a keystore is referenced by a unique alias, which is case-insensitive.
Storage location of the keystore
If no keystore location is given, keytool creates one in the user's home directory; on Windows XP, for example, it is created as a file named ".keystore" under C:/Documents and Settings/username/.
Generating a keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore d:/mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=sh, ST=sh, C=CN" -keypass changeit -storepass changeit -validity 180
Parameter description:
-genkey creates a new key pair
-dname the distinguished name of the key, made up of:
CN=common name
OU=organizational unit
O=organization name
L=locality name
ST=state name
C=country
The distinguished name identifies the owner of the key (for the self-signed certificate keytool generates here, the owner is also the issuer).
-keyalg the key algorithm to use, here RSA
-alias the alias of the key
-keypass the password protecting the private key, here changeit
-keystore the keystore file; here it is the file mykeystore on drive D:
-storepass the password for accessing the keystore, here changeit; it is needed to read the entries out of mykeystore
-validity the number of days the certificate is valid, here 180 (the default is 90 days)
The cacerts certificate file
This file lives in the lib/security directory under java.home (for a JDK, %JAVA_HOME%/jre/lib/security/cacerts) and is the Java runtime's repository of trusted CA certificates.
II. Preparation
- Check whether a certificate with the same alias already exists:
keytool -list -v -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
- Delete a certificate you created earlier:
keytool -delete -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
III. Creating the certificate
- Generate a certificate on the server:
(Note: the CN of the certificate must match the server's domain name; when testing locally, use localhost)
keytool -genkey -alias tomcat -keyalg RSA -keystore d:/mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=sh, ST=sh, C=CN" -keypass changeit -storepass changeit
- Export the certificate so it can be installed on the client:
keytool -export -alias tomcat -keystore d:/mykeystore -file d:/mycerts.cer -storepass changeit
- Client configuration: import the certificate into the client's JVM (the certificate issued by the server goes into the JVM's trust store)
keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file d:/mycerts.cer -storepass changeit
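As an added example (not code from the original post), the generate / export / import steps of this section and the "is it really trusted?" check from section V as a bash script. It assumes keytool is on the PATH, and uses a scratch directory, a placeholder password and a dedicated client truststore, so the JVM's global cacerts and its standard trust roots stay untouched.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the generate / export / import
# steps of section III, plus the "is it really trusted?" check of section V,
# using a dedicated client truststore so the JVM's global cacerts stays untouched.
set -eu

# Constructed values: scratch directory, hostname and placeholder password.
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-localhost}"
STOREPASS="${STOREPASS:-replace-this-password}"

# Server side: key pair + self-signed certificate. CN must match the hostname
# the client connects to; the SAN extension is what modern clients check.
gen_server_keystore() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 180 \
    -dname "CN=$HOST, OU=localhost, O=localhost, L=sh, ST=sh, C=CN" \
    -ext "SAN=dns:$HOST" \
    -keystore "$WORK/mykeystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export only the certificate (public key); the private key never leaves the server.
export_server_cert() {
  keytool -exportcert -alias tomcat -keystore "$WORK/mykeystore" \
    -storepass "$STOREPASS" -file "$WORK/mycerts.cer"
}

# SHA-256 fingerprint of a certificate file, to compare out of band before trusting it.
cert_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p' | head -n 1
}

# Client side: import into a dedicated truststore, not into cacerts.
import_into_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias tomcat \
    -keystore "$WORK/client-truststore" -storepass "$STOREPASS" -file "$WORK/mycerts.cer"
}

# The check from section V: does the truststore really contain the alias?
truststore_has_alias() {
  keytool -list -alias "$1" -keystore "$WORK/client-truststore" \
    -storepass "$STOREPASS" >/dev/null 2>&1
}

main() {
  gen_server_keystore
  export_server_cert
  echo "Server certificate SHA-256: $(cert_fingerprint "$WORK/mycerts.cer")"
  import_into_truststore
  truststore_has_alias tomcat && echo "alias tomcat is trusted by $WORK/client-truststore"
  echo "Run the client with -Djavax.net.ssl.trustStore=$WORK/client-truststore"
}
```

Source the file and call main; the client JVM is then pointed at the dedicated truststore with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword instead of having the server certificate added to cacerts.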
IV. Configuring Tomcat SSL
Modify the SSL connector in server.xml (keystoreFile must point to the keystore generated above, d:/mykeystore in this example, and keystorePass must be its -storepass; the maxThreads and acceptCount values were lost in the original and are restored here from Tomcat's stock example connector):
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="server.keystore" keystorePass="changeit"/>
V. Frequently asked questions
- Could not find a trusted certificate
The usual cause is that the client has not imported the server certificate into its JVM. Run
keytool -list -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
to check whether the certificate was actually imported into the JVM.
- keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Check whether a .keystore file already exists in your home directory. If it does, delete it and run the command again,
or delete %JAVA_HOME%/jre/lib/security/cacerts and run the command again.
It is recommended to delete cacerts and import the certificate directly.