1. Generate CA self-signed file 1.1 enter cmd window in Openssl-0.9.8h-1-bin\bin or CMD window path to openssl-0.9.8h-1-bin\bin under 1.2 ras key length: 2048 the path to the CA public key certificate: The D:/CERT_TEST/ROOT_CA/CA_CERT.PEM certificate's validity period (days):  3650 Root Certificate Profile:d:/jx_cert/conf/gen_ca.conf Adjust the profile's private key Certificate certificate store path, issuer name, and so on according to your needs openssl req -x509 -newkey rsa:2048 -out d:/cert_test/root_ca/ca_cert.pem -outform pem -days 3650 -config "d:/jx_cert/conf/gen_ca.conf" to execute this command requires setting the root certificate password The password for this test setting is: Test run complete 1.1 and 1.2 will generate Ca_ Cert.pem and Ca_private_key.pem These two files 2, generate TOMCAT.JKS certificate TOMCAT.JSK certificate storage path: D:\cert_test\service\ Tomcat.jkstomcat.jks Certificate Password: cert_test issuer name (same as the issuer name of the configuration name):qthd_cmbc_smzf the command line into the JRE root and execute keytool - Keystore d:\cert_test\service\tomcat.jks -keypass cert_test -storepass cert_test -alias tomcat -genkey -keyalg RSA -dname "Cn=127.0.0.1, ou=servers, o=qthd_cmbc_smzf "The Tomcat.jks file is generated after the command is run and the Tomcat/bin directory Service.xml Configuring HTTPS requires that the JKs file generated to the certificate be used as follows:
3, according to TOMCAT.JKS Certificate generation Server request Certificate TOMCAT.JKS certificate storage path: D:\cert_test\service\tomcat.jkstomcat.jks Certificate Password: cert_test SERVERREQ.PEM Certificate Storage path: D:\cert_test\service\serverreq.pemkeytool-keystore D:\cert_test\service\tomcat.jks-keypass Cert_test-storepass Cert_test-alias Tomcat-certreq-file D:\cert_test\service\ Serverreq.pem Run this command will generate SERVERREQ.PEM file 4, CA sign server certificate SERVERREQ.PEM certificate storage path: D:\cert_test\service\ SERVERREQ.PEMSERVERCERT.PEM Certificate Storage path: D:\cert_test\service\servercert.pemqthd_ca.conf configuration file storage path: D:\jx_cert\qthd_ca\ Qthd_ca.conf Adjust profile information as needed to create a new Newcerts folder in the D:\cert_test directory, you need to put index and serial into the D:\test directory OpenSSL ca-in D:\cert_test\ Service\serverreq.pem-out D:\cert_test\service\servercert.pem-config "D:\jx_cert\conf\ca.conf" to execute this command requires the root certificate password to be entered. and need to agree to sign the certificate and consent to request certification submission
5. Import CA certificate to KEYSTORETOMCAT.JKS certificate store path: D:\cert_test\service\tomcat.jkstomcat.jks Certificate password: CERT_TESTCA Public key certificate path: D:/cert_test /root_ca/ca_cert.pem Keytool-keystore D:\cert_test\service\tomcat.jks-keypass Cert_test-storepass Cert_test-alias Ca-import-trustcacerts-file D:/CERT_TEST/ROOT_CA/CA_CERT.PEM Execute this command requires the consent to trust this Certificate 6, import the server certificate to the KEYSTORETOMCAT.JKS certificate path: D:\ Cert_test\service\tomcat.jkstomcat.jks Certificate Password: CERT_TESTSERVERCERT.PEM certificate storage path: D:\CERT_TEST\SERVICE\SERVERCERT.PEM Keytool-keystore D:\cert_test\service\tomcat.jks-keypass cert_test-storepass Cert_test-alias tomcat-import-file d:\ Cert_test\service\servercert.pem performing this command may prompt the certificate reply to be installed in the KeyStore and proceed to the next step
7. View KeyStore Trusted list keytool-keystore D:\cert_test\service\tomcat.jks-keypass Cmbc_smzf-storepass cert_test-list-v
8. Import the CA certificate into the trusted Keystoretruststore.jks certificate path: D:\cert_test\service\truststore.jkstruststore.jks Certificate Password: Cert_ TESTCA Public Key Certificate path: D:\cert_test\root_ca\ca_cert.pem keytool-keystore D:\cert_test\service\truststore.jks-keypass Cert_ Test-storepass Cert_test-alias Ca-import-trustcacerts-file D:\cert_test\root_ca\ca_ Cert.pem need to agree to trust this certificate when executing this command, and will generate TRUSTSTORE.JKS certificate
9, tomcat configuration HTTPS needs to be adjusted in the tomcat/conf directory Service.xml file A, commented out <listener classname= " Org.apache.catalina.core.AprLifecycleListener "sslengine=" on "/> B, added in the middle of two connector
<Connectorsslenabled= "true"Acceptcount= "+"ClassName= "Org.apache.coyote.http11.Http11Protocol"ClientAuth= "true"ConnectionTimeout= "30000"Disableuploadtimeout= "true"enablelookups= "true"KeepAliveTimeout= "30000"Keystorefile= "D:\https\apache-tomcat-7.0.78\conf\ssl\tomcat.jks"Keystorepass= "Cert_test"MaxIdleTime= "60000"maxsparethreads= "+"MaxThreads= " the"minsparethreads= "+"Port= "8443"Scheme= "https"Secure= "true"Sslprotocol= "TLS"Truststorefile= "D:\https\apache-tomcat-7.0.78\conf\ssl\truststore.jks"Truststorepass= "Cert_test"/>
The path in this article is as follows, fill in the actual path: Tomcat.jks path: D:\https\apache-tomcat-7.0.78\conf\ssl\tomcat.jks tomcat.jks password: cert_test trustst Ore.jks path: D:\https\apache-tomcat-7.0.78\conf\ssl\truststore.jks truststore.jks Password: cert_test configuration complete Start Tomcat, and access to services: https://localhost:8443/. If you are prompted that this web site cannot provide a secure connection when you visit, the Tomcat configuration HTTPS is complete, complete the following steps to generate a P12 certificate for re-access. 10. Create client Secret Client KEY.PEM path: D:\CERT_TEST\CERTS\LZQ_TESTKEY.PEM client Req.pem path: D:\cert_test\certs\lzq_ TESTREQ.PEM issuer Name: Zaomz_caopenssl req-newkey rsa:2048-keyout D:\cert_test\certs\testKey.pem-keyform pem-out D:\cert_ Test\certs\testreq.pem-outform pem-subj "/o=zaomz_ca/ou=zaomz_ca/cn=qthd_test"-config "D:\jx_cert\ Openssl-0.9.8h-1-bin\share\openssl.cnf "execute this command will generate LZQ_TESTKEY.PEM and LZQ_TESTREQ.PEM
11. Issuing Personal Certificate Client REQ.PEM path: D:\CERT_TEST\CERTS\LZQ_TESTREQ.PEM client Cert.pem path: D:\cert_test\certs\lzq_ TESTREQCERT.PEMCA configuration file path: D:\jx_cert\conf\ca.conf OpenSSL ca-in D:\cert_test\certs\testreq.pem-out D:\cert_test\ Certs\testreqcert.pem-config "D:\jx_cert\conf\ca.conf" needs to enter the root certificate password when executing this command: Test and agree to two conditions
12. Make personal P12 certificate Cert.pem file path: D:\cert_test\certs\lzq_testreqcert.pemkey.pem file path: D:\cert_test\certs\lzq_ TESTKEY.PEMP12 Certificate path: D:\cert_test\p12\lzq_test.p12openssl pkcs12-export-in D:\cert_test\certs\lzq_testreqcert.pem- Inkey D:\cert_test\certs\lzq_testKey.pem-out D:\cert_test\p12\lzq_test.p12-name lzq_test-chain-cafile "D:\cert_ Test\root_ca\ca_cert.pem "You need to enter the password three times to execute this command. Here P12 certificate has been generated, double-click the P12 certificate to install, the installation needs to enter the certificate password: lzqtest, re-visit https://localhost:8443/, select the P12 certificate has been followed note: If you only need to generate a P12 certificate, Please repeat steps 10th, 11, 12
Certificate signing and configuration when HTTPS bidirectional authentication
