Openssl/tomcat HTTPS Construction

Source: Internet
Author: User
Tags: openssl x509 pkcs12 set time

A summary of setting up HTTPS with OpenSSL and Tomcat, including client-certificate authentication.

Part one. The OpenSSL side:

Steps to create a certificate:

(1) Generate a private key

(2) Generate a certificate signing request (CSR)

(3) Generate the X509 certificate, signed with the CA private key

(4) Export a P12 (PKCS#12) file, the format browsers can import

One. Generate the CA certificate
Working directory: ca
1. Create the private key:
openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

3. Self-signed certificate (the CA is the only certificate that should be self-signed):
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 1000
4. Export the certificate in the browser-supported P12 format:

openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: xxxxxxx


Two. Generate the server certificate
1. Create the private key:
openssl genrsa -out server/server-key.pem 1024
2. Create a certificate request:
openssl req -new -out server/server-req.csr -key server/server-key.pem
3. Sign the request with the CA (use -CA/-CAkey only; adding -signkey would produce a self-signed certificate that the truststore does not recognise):
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate in the browser-supported P12 format:
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: xxxxx

Three. Generate the client certificate
1. Create the private key:
openssl genrsa -out client/client-key.pem 1024
2. Create a certificate request:
openssl req -new -out client/client-req.csr -key client/client-key.pem

3. Sign the request with the CA (again -CA/-CAkey only, no -signkey):

openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate in the browser-supported P12 format:
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12

Four. Generate the JKS truststore (Java keystore) from the CA certificate
keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
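The CA, server and client certificate steps above as one non-interactive script, added here and not part of the original post: it self-signs only the CA, signs the server and client certificates with -CA/-CAkey alone, and ends with openssl verify, the same trust check the Tomcat truststore performs; it also prints the client's subject DN in the order tomcat-users.xml needs. The directory layout, subjects, 2048-bit keys and lifetimes are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: issue the ca -> server/client chain
# non-interactively and verify it. The directory layout, subjects, key sizes and
# lifetimes are this example's own choices; openssl (1.1.1 or newer) must be on PATH.
set -eu

# issue_chain DIR : create DIR/ca, DIR/server, DIR/client; exit 0 only if both
# leaf certificates verify against the CA (the check Tomcat's truststore makes)
issue_chain() {
  d="$1"
  mkdir -p "$d/ca" "$d/server" "$d/client"
  openssl genrsa -out "$d/ca/ca-key.pem" 2048 2>/dev/null
  # Root CA: the one certificate that is meant to be self-signed (-x509 on the req)
  openssl req -new -x509 -key "$d/ca/ca-key.pem" -out "$d/ca/ca-cert.pem" \
    -days 3650 -subj "/C=CN/O=TB/CN=ca" 2>/dev/null
  for leaf in server client; do
    openssl genrsa -out "$d/$leaf/$leaf-key.pem" 2048 2>/dev/null
    # CNs must differ between ca, server and client, as the post notes
    if [ "$leaf" = server ]; then cn=localhost; else cn=dong; fi
    openssl req -new -key "$d/$leaf/$leaf-key.pem" -out "$d/$leaf/$leaf-req.csr" \
      -subj "/C=CN/O=TB/OU=TB/CN=$cn" 2>/dev/null
    # CA-signed: -CA/-CAkey only. Adding -signkey here would make openssl
    # self-sign the leaf instead, and the truststore would then reject it.
    openssl x509 -req -in "$d/$leaf/$leaf-req.csr" -CA "$d/ca/ca-cert.pem" \
      -CAkey "$d/ca/ca-key.pem" -CAcreateserial -days 365 \
      -out "$d/$leaf/$leaf-cert.pem" 2>/dev/null
  done
  openssl verify -CAfile "$d/ca/ca-cert.pem" \
    "$d/server/server-cert.pem" "$d/client/client-cert.pem" >/dev/null
}

# issuer_cn CERT : CN of the certificate's issuer ("ca" for a correctly chained leaf)
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# subject_dn CERT : subject in RFC 2253 order, the order tomcat-users.xml expects
# for the username (Tomcat's own string adds a space after each comma)
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

WORK="${WORK:-$(mktemp -d)}"
issue_chain "$WORK"
echo "chain verified under $WORK"
echo "client DN for tomcat-users.xml: $(subject_dn "$WORK/client/client-cert.pem")"
```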

Part two. Configuring Tomcat SSL
Five. conf/server.xml

The SSLEnabled="true" attribute exists only from Tomcat 6 onward. Set keystoreFile and truststoreFile to the correct paths for your installation. clientAuth="true" is what makes Tomcat demand a client certificate signed by a CA in the truststore.
XML code
Configuration for Tomcat 5.5:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Configuration for Tomcat 6.0:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>

Six. Testing (under Linux)
openssl s_client -connect localhost:8443 -cert /home/ssl/client/client-cert.pem -key /home/ssl/client/client-key.pem -tls1 -CAfile /home/ssl/ca/ca-cert.pem -state -showcerts

Once the handshake completes, type a request followed by an empty line:

GET /index.jsp HTTP/1.0

Seven. Import the certificates
Server side: import server.p12 and ca.p12.
Client side: import ca.p12 and client.p12.
IE (Tools > Internet Options > Content > Certificates):

Import ca.p12 under Trusted Root Certification Authorities and client.p12 under Personal.

Firefox (Tools > Options > Advanced > Encryption > View Certificates > Your Certificates):

Import both ca.p12 and client.p12 here.

Note: the common names of the CA, server and client certificates (here CA=ca, server=localhost, client=dong) must not be the same, otherwise the SSL handshake fails.

Eight. Tomcat application using browser certificate authentication

In server/webapps/manager/WEB-INF/web.xml, change basic authentication to certificate authentication:

<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>

Fill conf/tomcat-users.xml with the following content; the username is the full subject DN of the client certificate, so the role names here must match those the manager application expects:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager"/>
<role rolename="admin"/>
<role rolename="user"/>
<user username="EMAILADDRESS=[email protected], CN=dong, OU=TB, O=TB, L=BJ, ST=BJ, C=CN" password="null" roles="admin,user,manager"/>
</tomcat-users>

Open https://localhost:8443 to verify that SSL works.

Open https://localhost:8443/manager/html to verify that the application authenticates with the client certificate.


Attachment:

Script for batch-creating client certificates (bash driving expect):

#!/bin/bash
# usage example:
# sh genclient.sh 20160728_client001 "Changsha SHINING POWER ELECTRONICS co.,ltd" ds2015-f0105-00104 [email protected]
#   $1 = output file base name, $2 = Common Name, $3 = PKCS#12 export password, $4 = e-mail address
/usr/bin/expect <<EOF
set timeout 30
# 1. certificate request, using the shared client key
spawn openssl req -new -key shdcweb1client.pem -out client/$1.csr -sha256
expect {
    "Country Name" {send "cn\r"; exp_continue}
    "State or Province Name" {send "shanghai\r"; exp_continue}
    "Locality Name" {send "shanghai\r"; exp_continue}
    "Organization Name" {send "murata\r"; exp_continue}
    "Organizational Unit" {send "mci\r"; exp_continue}
    "Common Name" {send "$2\r"; exp_continue}
    "Email Address" {send "$4\r"; exp_continue}
    "A challenge password" {send "murata\r"; exp_continue}
    "An optional company name" {send "mci\r"; exp_continue}
}

# 2. sign the request with the CA
spawn openssl ca -policy policy_anything -days 365 -cert shdcweb1ca.crt -keyfile shdcweb1cakey.pem -in client/$1.csr -out client/$1.crt
expect {
    "Enter pass phrase" {send "[email protected]\r"; exp_continue}
    "Sign the certificate" {send "y\r"; exp_continue}
    "1 out of 1 certificate requests certified" {send "y\r"; exp_continue}
}

# 3. bundle certificate and key as PKCS#12, protected with the export password
spawn openssl pkcs12 -export -clcerts -in client/$1.crt -inkey shdcweb1client.pem -out client/$1.p12
expect {
    "Enter Export Password" {send "$3\r"; exp_continue}
    "Verifying - Enter Export Password" {send "$3\r"}
}
EOF


This article is from the "Mo Sky" blog, please be sure to keep this source http://silversnow.blog.51cto.com/285506/1924465
