Summary of an OpenSSL and Tomcat HTTPS setup
Part one: the OpenSSL commands
Steps to create a certificate:
(1) generate a private key
(2) generate a certificate signing request (CSR)
(3) generate the X.509 certificate, signed with the CA's private key
(4) export it in the PKCS#12 (.p12) format that browsers can import
One. Generate the CA certificate (output under ca/)
1. Create the private key:
openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
3. Self-signed certificate:
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 1000
4. Export the certificate in the browser-supported .p12 format:
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: xxxxxxx
Two. Generate a server certificate (output under server/)
1. Create a private key:
openssl genrsa -out server/server-key.pem 1024
2. Create a certificate request:
openssl req -new -out server/server-req.csr -key server/server-key.pem
3. Certificate signed by the CA (the -CA, -CAkey and -CAcreateserial options are case-sensitive; do not also pass -signkey, because openssl x509 then self-signs the certificate and ignores the CA, and the result will not validate against the truststore built below):
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate in the browser-supported .p12 format:
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: xxxxx
Four. Generate a client certificate (output under client/)
1. Create the private key:
openssl genrsa -out client/client-key.pem 1024
2. Create a certificate request:
openssl req -new -out client/client-req.csr -key client/client-key.pem
3. Certificate signed by the CA (same note as for the server: no -signkey here):
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate in the browser-supported .p12 format:
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Five. Generate a JKS file (Java keystore) holding the CA certificate, used as Tomcat's truststore
keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
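The whole of part one as a single script, added here as an example and not code from the original post. It follows the same layout (ca/, server/, client/, truststore.jks) but issues the server and client certificates through the CA for real (no -signkey on the x509 -req step), uses 2048-bit keys and SHA-256 because many current browsers and JDKs reject 1024-bit RSA and SHA-1, gives the server a subjectAltName, and finishes by checking that both certificates chain to the CA. It assumes OpenSSL 1.1.1 or later on PATH; keytool is used only if a JDK is installed. All subjects, passwords and the work directory are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA / server / client
# procedure as one script, with the end-entity certificates really issued by
# the CA. Assumes OpenSSL 1.1.1+ on PATH; keytool is optional.
# Subjects, passwords and paths are constructed sample values.
set -eu

CA_SUBJ="/C=CN/ST=BJ/L=BJ/O=TB/OU=TB/CN=ca"
SERVER_SUBJ="/C=CN/ST=BJ/L=BJ/O=TB/OU=TB/CN=localhost"
CLIENT_SUBJ="/C=CN/ST=BJ/L=BJ/O=TB/OU=TB/CN=dong/emailAddress=dong@example.com"
P12_PASS="p12-sample-password"   # constructed; the post masks its password as xxxxxxx
JKS_PASS="222222"                # the truststore password used in the post

# Minimal req config so the script does not depend on the system openssl.cnf;
# ca_ext marks the CA certificate as a CA (needed for openssl verify).
write_req_config() {
    cat > "$1" <<'CNF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
CNF
}

make_ca() {  # make_ca WORKDIR
    mkdir -p "$1/ca"
    openssl genrsa -out "$1/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -config "$1/req.cnf" -key "$1/ca/ca-key.pem" \
        -days 1000 -subj "$CA_SUBJ" -out "$1/ca/ca-cert.pem"
}

# make_signed_cert WORKDIR NAME SUBJECT EKU [SAN]
# Key, CSR, CA-signed certificate and browser-importable .p12 for one end entity.
make_signed_cert() {
    dir="$1"; name="$2"; subj="$3"; eku="$4"; san="${5:-}"
    mkdir -p "$dir/$name"
    openssl genrsa -out "$dir/$name/$name-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/$name/$name-key.pem" \
        -subj "$subj" -out "$dir/$name/$name-req.csr"
    {
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = %s\n' "$eku"
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$dir/$name/$name.ext"
    # -CA/-CAkey make the CA the issuer. The post also passed -signkey, which
    # tells x509 to self-sign and overrides -CA, so its certs never chained to the CA.
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name/$name-req.csr" \
        -CA "$dir/ca/ca-cert.pem" -CAkey "$dir/ca/ca-key.pem" -CAcreateserial \
        -extfile "$dir/$name/$name.ext" -out "$dir/$name/$name-cert.pem" 2>/dev/null
    # -passout avoids the interactive prompt; give the same password when importing.
    openssl pkcs12 -export -clcerts -in "$dir/$name/$name-cert.pem" \
        -inkey "$dir/$name/$name-key.pem" -passout "pass:$P12_PASS" \
        -out "$dir/$name/$name.p12"
}

# Java truststore holding only the CA certificate (step Five in the post).
make_truststore() {  # make_truststore WORKDIR
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH, skipping truststore.jks" >&2
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias ca -file "$1/ca/ca-cert.pem" \
        -keystore "$1/truststore.jks" -storepass "$JKS_PASS"
}

# Both end-entity certificates must chain to the CA; Tomcat's truststore holds
# only the CA, so a self-signed client certificate would be rejected at handshake.
verify_chain() {  # verify_chain WORKDIR
    openssl verify -CAfile "$1/ca/ca-cert.pem" \
        "$1/server/server-cert.pem" "$1/client/client-cert.pem"
}

build_pki() {  # build_pki WORKDIR
    mkdir -p "$1"
    write_req_config "$1/req.cnf"
    make_ca "$1"
    make_signed_cert "$1" server "$SERVER_SUBJ" serverAuth "DNS:localhost,IP:127.0.0.1"
    make_signed_cert "$1" client "$CLIENT_SUBJ" clientAuth
    make_truststore "$1"
    verify_chain "$1"
}

WORK="${1:-$(mktemp -d)}"
build_pki "$WORK"
echo "PKI written to $WORK (the .p12 files use the password in P12_PASS)"
```

Run it with an optional target directory (`sh build-pki.sh ./ssl`). If an older JDK refuses to open a .p12 produced by OpenSSL 3 (which defaults to AES/PBKDF2 bundles), re-export that file with `openssl pkcs12 -export -legacy ...`.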
Part two. Configuring Tomcat SSL
1. conf/server.xml
The SSLEnabled="true" attribute applies to Tomcat 6 and later. Set keystoreFile and truststoreFile to the correct paths for your installation. Attribute names are case-sensitive.
Configuration for Tomcat 5.5 (the thread and acceptCount values were lost in extraction and are given here as Tomcat's stock sample values):
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Configuration for Tomcat 6.0:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Seven. Testing (under Linux)
openssl s_client -connect localhost:8443 -cert /home/ssl/client/client-cert.pem -key /home/ssl/client/client-key.pem -tls1 -CAfile /home/ssl/ca/ca-cert.pem -state -showcerts
(-tls1 forces TLS 1.0, which current OpenSSL and Tomcat builds disable; drop it to negotiate the highest version both sides support.) Once the handshake completes, type a request on the open connection:
GET /index.jsp HTTP/1.0
Eight. Import the certificates
Server side: import server.p12 and ca.p12.
Client side: import ca.p12 and client.p12.
IE (Tools -> Internet Options -> Content -> Certificates): import ca.p12 under Trusted Root Certification Authorities and client.p12 under Personal.
Firefox (Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates): import both ca.p12 and client.p12 here.
Note: the common names of the CA, server and client certificates (CA=ca, server=localhost, client=dong) must all be different, otherwise the SSL handshake fails.
Nine. Using browser certificate authentication in a Tomcat application
In webapps/manager/WEB-INF/web.xml, change the login method from BASIC to certificate authentication:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
Add the following to conf/tomcat-users.xml (the username must be the client certificate's subject DN exactly as Tomcat renders it; role names are case-sensitive and the manager application expects "manager"):
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager"/>
<role rolename="admin"/>
<role rolename="user"/>
<user username="[email protected], CN=dong, OU=TB, O=TB, L=BJ, ST=BJ, C=CN" password="null" roles="admin,user,manager"/>
</tomcat-users>
Open https://localhost:8443 to verify that SSL works.
Open https://localhost:8443/manager/html to verify that the application authenticates with the client certificate.
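Two checks for part two, added here as an example and not code from the original post: connector_audit reads the SSL attributes out of a Connector element and flags the settings that silently weaken certificate authentication (clientAuth not "true", no truststore, the well-known keystore password), and tomcat_username derives the exact `<user username="...">` value from a client certificate in the form Tomcat's default X509 username lookup (getSubjectDN().getName()) produces: RFC 2253 order, ", " separators and EMAILADDRESS= for the e-mail RDN. It assumes OpenSSL 1.1.1 or later on PATH; the connector snippets and the certificate subject are constructed sample values, and the attribute extraction is a deliberately small sed expression, not an XML parser.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes OpenSSL 1.1.1+ on PATH.
# The connector snippets and the certificate subject are constructed sample values.
set -eu

# attr NAME XML: value of attribute NAME in a single XML element. Enough for a
# Connector element; it is not a general XML parser.
attr() {
    printf '%s' "$2" | tr '\n' ' ' | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# connector_audit XML: print one line per finding (nothing if the connector is fine).
connector_audit() {
    xml="$1"
    if [ "$(attr clientAuth "$xml")" != "true" ]; then
        echo "clientAuth is not \"true\": the connector never asks for a client certificate, so CLIENT-CERT in web.xml cannot work"
    fi
    if [ -z "$(attr truststoreFile "$xml")" ]; then
        echo "no truststoreFile: there is no CA to validate client certificates against"
    fi
    case "$(attr keystorePass "$xml")" in
        ""|changeit) echo "keystorePass is empty or the well-known default \"changeit\"" ;;
    esac
    case "$(attr sslProtocol "$xml")" in
        TLS*) ;;
        *) echo "sslProtocol should be TLS" ;;
    esac
}

# tomcat_username CERT.pem: subject DN as Tomcat's MemoryRealm expects to see it.
# Limit: values containing commas or non-ASCII characters need manual checking,
# because the sed rewrite does not handle RFC 2253 escaping.
tomcat_username() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -e 's/^subject= *//' -e 's/,/, /g' -e 's/emailAddress=/EMAILADDRESS=/'
}

# Constructed sample 1: the stock Tomcat 6 HTTPS connector with only the keystore
# filled in (what you get by uncommenting the sample in server.xml).
STOCK_CONNECTOR='<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12" />'

# Constructed sample 2: the mutual-TLS connector from the post.
MTLS_CONNECTOR='<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" />'

# Constructed client certificate with the post's subject (self-signed here, since
# only its subject DN matters for the username check; the minimal config avoids
# depending on the system openssl.cnf).
CLIENT_SUBJ="/C=CN/ST=BJ/L=BJ/O=TB/OU=TB/CN=dong/emailAddress=dong@example.com"
WORK=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "$CLIENT_SUBJ" -keyout "$WORK/client-key.pem" -out "$WORK/client-cert.pem" 2>/dev/null

echo "--- stock connector ---";  connector_audit "$STOCK_CONNECTOR"
echo "--- post's connector ---"; connector_audit "$MTLS_CONNECTOR"
echo "--- tomcat-users.xml entry for the client certificate ---"
echo "<user username=\"$(tomcat_username "$WORK/client-cert.pem")\" password=\"null\" roles=\"manager\"/>"
```

The stock connector yields three findings and the post's connector one (its keystore password is the default "changeit"); the username line is what goes into tomcat-users.xml for that certificate, which is worth generating rather than typing because a single spacing or case difference in the DN makes the realm lookup fail silently.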
Attachment: a script to create client certificates in batch (driven by expect):
#!/bin/bash
# usage example:
# sh genclient.sh 20160728_client001 "Changsha SHINING POWER ELECTRONICS co.,ltd" ds2015-f0105-00104 [email protected]
# $1 = base file name for the CSR/certificate/p12, $2 = Common Name, $3 = p12 export password, $4 = e-mail address
/usr/bin/expect <<EOF
set timeout 30
spawn openssl req -new -key shdcweb1client.pem -out client/$1.csr -sha256
expect {
    "Country Name" {send "cn\r"; exp_continue}
    "State or Province Name" {send "shanghai\r"; exp_continue}
    "Locality Name" {send "shanghai\r"; exp_continue}
    "Organization Name" {send "murata\r"; exp_continue}
    "Organizational Unit" {send "mci\r"; exp_continue}
    "Common Name" {send "$2\r"; exp_continue}
    "Email Address" {send "$4\r"; exp_continue}
    "A challenge password" {send "murata\r"; exp_continue}
    "An optional company name" {send "mci\r"; exp_continue}
}
spawn openssl ca -policy policy_anything -days 365 -cert shdcweb1ca.crt -keyfile shdcweb1cakey.pem -in client/$1.csr -out client/$1.crt
expect {
    "Enter pass phrase" {send "[email protected]\r"; exp_continue}
    "Sign the certificate" {send "y\r"; exp_continue}
    "1 out of 1 certificate requests certified" {send "y\r"; exp_continue}
}
spawn openssl pkcs12 -export -clcerts -in client/$1.crt -inkey shdcweb1client.pem -out client/$1.p12
expect {
    "Enter Export Password" {send "$3\r"; exp_continue}
    "Verifying - Enter Export Password" {send "$3\r"}
}
EOF
(The CA key pass phrase on the "Enter pass phrase" line is redacted in the source.) Note that the script reuses one private key, shdcweb1client.pem, for every client certificate it issues, so every generated .p12 carries the same key and the certificates cannot distinguish one client from another as credentials; generate a separate key per client if the certificates are meant to identify individual users.
This article is from the "Mo Sky" blog, please be sure to keep this source http://silversnow.blog.51cto.com/285506/1924465