1. Create the server key; its keystore is /home/gr/server.ks
PS1: -keypass and -storepass are the key password and the keystore password respectively; here they are deliberately set to the same value.
PS2: In CN=localhost, localhost is the hostname the SSL service will be reached at; it cannot be chosen arbitrarily, because the browser checks it against the host in the URL.
~ $ keytool -genkey -v -alias serverkey -dname "CN=192.168.10.101" -keyalg RSA -keypass 123456 -keystore server.ks -storepass 123456
2. Create the client key; its keystore is /home/gr/client.p12. Note the keystore file suffix and the keystore type PKCS12.
~ $ keytool -genkey -v -alias clientkey -dname "CN=someone" -keyalg RSA -keypass 654321 -keystore client.p12 -storepass 654321 -storetype PKCS12
3. Export the client certificate (the public part only; the private key stays in client.p12) to a file, which is used in the next step
~ $ keytool -export -alias clientkey -file client.cer -keystore client.p12 -storepass 654321 -storetype PKCS12
4. Import the client certificate exported above into the server keystore and mark it as trusted
PS: keytool asks whether you trust this certificate; answer y.
~ $ keytool -import -v -alias client -file client.cer -keystore server.ks -storepass 123456
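Steps 1 to 4 as one script, added here as an example rather than taken from the original article: it builds both stores in a scratch directory and then checks the result with keytool -list. It assumes a JDK keytool on PATH and uses the article's sample passwords; the -validity, -keysize and SubjectAltName arguments are additions the article does not use.

```shell
#!/bin/sh
# Added example (not from the original article): automate steps 1-4 and verify the stores.
# Assumption: JDK keytool is on PATH; if it is missing the function reports and returns 0.
build_mtls_stores() {
    dir="$1"
    mkdir -p "$dir" || return 1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; nothing to verify" >&2
        return 0
    fi
    ks="$dir/server.ks"; p12="$dir/client.p12"; cer="$dir/client.cer"
    rm -f "$ks" "$p12" "$cer"

    # Step 1: server key pair. -validity is added because keytool defaults to 90 days,
    # and a SubjectAltName is added because browsers no longer accept a host given only in CN.
    keytool -genkeypair -alias serverkey -dname "CN=localhost" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -ext "SAN=dns:localhost,ip:127.0.0.1" \
        -keystore "$ks" -storepass 123456 -keypass 123456 >/dev/null 2>&1 || return 1

    # Step 2: client key pair in a PKCS12 store (PKCS12 requires keypass == storepass).
    keytool -genkeypair -alias clientkey -dname "CN=someone" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$p12" -storetype PKCS12 -storepass 654321 -keypass 654321 >/dev/null 2>&1 || return 1

    # Step 3: export only the client certificate; the private key never leaves client.p12.
    keytool -exportcert -alias clientkey -file "$cer" \
        -keystore "$p12" -storetype PKCS12 -storepass 654321 >/dev/null 2>&1 || return 1

    # Step 4: trust it in the server store (-noprompt answers the "Trust this certificate?" question).
    keytool -importcert -noprompt -alias client -file "$cer" \
        -keystore "$ks" -storepass 123456 >/dev/null 2>&1 || return 1

    # Verification: server.ks must hold its own PrivateKeyEntry plus the client's trustedCertEntry,
    # and client.p12 must hold the PrivateKeyEntry the browser will present during the handshake.
    listing=$(keytool -list -keystore "$ks" -storepass 123456 2>/dev/null)
    echo "$listing" | grep -q "^serverkey,.*PrivateKeyEntry" || return 1
    echo "$listing" | grep -q "^client,.*trustedCertEntry" || return 1
    keytool -list -keystore "$p12" -storetype PKCS12 -storepass 654321 2>/dev/null \
        | grep -q "^clientkey,.*PrivateKeyEntry" || return 1
    echo "mTLS stores built in $dir: server.ks (server key + trusted client cert), client.p12 (client key)"
}
```

Run it as `build_mtls_stores /tmp/mtls-demo`; a non-zero exit means one of the keytool steps or the final store checks failed.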
5. To allow SSL access from the browser, import the client keystore file client.p12 into the browser:
5.1 Linux platform
Chrome: Settings -> Advanced -> HTTPS/SSL -> Manage certificates -> Your certificates, import client.p12
Firefox: Preferences -> Advanced -> Certificates -> View Certificates -> Your Certificates, import client.p12
5.2 Windows platform
IE: Internet Options -> Content -> Certificates -> Personal, import client.p12
Chrome: Options -> Advanced -> Certificates -> View Certificates -> Your Certificates, import client.p12
Firefox: Settings -> Advanced -> HTTPS/SSL -> Manage certificates -> Personal, import client.p12
6. Configure the Tomcat server to support SSL authentication by editing %tomcat_home%/conf/server.xml
6.1 The connector below is commented out in the stock server.xml. Uncomment it and add the keystore settings. clientAuth="true" turns on two-way (mutual) authentication; without it only the client authenticates the server (one-way).
6.2 After editing, the connector reads:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="/home/gr/server.ks" keystorePass="123456"
               truststoreFile="/home/gr/server.ks" truststorePass="123456"/>
(The maxThreads value was lost in the original text; 150 is the value used in Tomcat's stock commented-out connector.)
6.3 Property description
clientAuth: whether to require two-way authentication; default false, set to true to require a client certificate (Tomcat also accepts "want", which requests one but does not reject clients without it)
keystoreFile: path of the keystore holding the server's own certificate and private key
keystorePass: password of that keystore
truststoreFile: the store holding the root certificates used to verify client certificates; here it is the server keystore itself, since the client certificate was imported into it in step 4
truststorePass: password of the truststore
These are the JSSE connector attributes of Tomcat 6/7; Tomcat 8.5 and later still accept them but prefer the nested SSLHostConfig and Certificate elements.
7. Start Tomcat and open https://localhost:8443/<project name> in Internet Explorer; with clientAuth="true" the browser prompts for the client certificate imported in step 5.
Copyright notice: this is the blogger's original article; do not reproduce it without the blogger's permission.
Tomcat HTTPS/SSL service configuration (with two-way authentication; verified on Windows and Linux platforms)