How to build HTTPS two-way authentication environment with Tomcat and OpenSSL (HTTPS client authentication)

This article describes how to build a Web server certificate and personal digital certificate using the HTTPS feature of Tomcat, and a CA that you create yourself, and eventually build an HTTPS two-way authentication environment that can be used for testing purposes. The business process of building HTTPS two-way authentication in this article is as follows:
1. Create a Web server public key key and generate a server certificate request.
2. Use a self-built CA to issue a server certificate for the server based on the server certificate request. The server certificate is then directed back to the Web server.
3. The personal digital certificate used by the OpenSSL generation client (IE) is also issued by the same CA for personal certificates.
4. When you import a personal digital certificate (PKCS12 format, including a key) into your browser (IE/FIREFOX), you can perform an HTTPS test.

I. Select HTTPS Web server
Here we chose Tomcat. Of course there are other ways, such as Apache+tomcat, to have Apache configured in HTTPS mode, while Tomcat is only doing HTTP business processing, which can improve performance, but this article only constructs a simple HTTPS test environment, with only the HTTPS features of Tomcat. (Of course, I will consider studying the APACHE+TOMCAT mode later, and then share the experience with everyone)

two. Create a CA of your own
Creating your own CA to simulate the HTTPS build environment (using a CA to issue certificates) not only facilitates understanding the PKI concept, but also facilitates understanding the business processes that are actually applied. about how to create a simple test with CA I have posted in this blog, titled "Using OpenSSL to create a simple CA", please refer to http://blog.csdn.net/jasonhwang/archive/2008/04/26/ 2329589.aspx no longer repeats here.

In addition, if you really think that building a CA is cumbersome, and only use a few personal digital certificates, of course, you can not build a CA, the following section will also mention how to build two-way authentication without CA.

three. Create a server public key and issuing server certificate
There are actually two ways to generate a server certificate, one with JDK Keytool and the other with a OpenSSL command to generate a PKCS12 format certificate. Individuals prefer the second because the OpenSSL-generated PKCS12 format server certificate can export a plaintext server key to enable you to view encrypted HTTP messages in HTTPS with Wireshark (Ethereal's new name). Keytool generated KeyStore also have the means to export the key, but also to programming to get, too much trouble.

method One, use Keytool to create the server's public key key and issue the server certificate with the CA:
Keytool is the JDK's own tool program to ensure that Keytool is already in the path path (or in the following command to indicate Keytool's full path, such as $java_home/bin/keytool).

1. Generate server public key keys with Keytool:
Execute the following command in TOMCAT's conf directory (assuming the Conf directory path is $tomcat_home/conf/):
Keytool-keystore tomcat.jks-keypass 222222-storepass 222222-alias tomcat-genkey-keyalg rsa-dname "CN=servername, OU =servers, o=abcom "

Note: in which the DN (the unique alias of the certificate) in the CN preferably the server's domain name address or IP address (because the browser in the Discovery server certificate of the CN and access to the server domain name or IP mismatch, will report a warning, but this problem is not).

2. Generate a server certificate request and have the test CA issue a server certificate
In fact, this step can also be omitted, the only bad result is that when users start accessing the server HTTPS service, they will jump a window to warn the user that the server certificate is a self-signed certificate (a certificate issued to itself with the server's private key). Keytool generates this certificate automatically when a public key key is generated. However, you can also establish an HTTPS connection with the server as long as the user chooses "trust this certificate".
But the regular HTTPS server, or should apply for a server certificate is better.

2.1 Generating Server certificate requests:
Keytool-keystore tomcat.jks-keypass 222222-storepass 222222-alias tomcat-certreq-file Serverreq.pem

The following command allows you to view the contents of a certificate request:
OpenSSL req-in Serverreq.pem-text-noout

2.2 Signing the server certificate with the test CA:
By copying the SERVERREQ.PEM to a certain directory in the CA, we can follow the "day-to-day operation of the CA" in "1 using OpenSSL to create a simple ca." Certificate issued according to request for certificate "chapter:
OpenSSL ca-in serverreq.pem-out servercert.pem-config "$HOME/testca/conf/testca.conf"
You need to enter the protection password for the CA private key during execution.

2.3 The server certificate into the server KeyStore:
The SERVERCERT.PEM generated in the previous command is the server certificate. Take the file and CA's certificate ($HOME/testca/cacert.pem) from the CA and put it together in Tomcat's Conf directory.
In addition, before importing, there is a work to do, you need to manually edit the SERVERCERT.PEM certificate file, the '-----BEGIN certificate-----' Everything before the line deleted, because Keytool do not recognize these descriptive content.
You can also perform a command to view the contents of a certificate before importing it:
Keytool-printcert-file Servercert.pem

To import a server certificate:
To import the CA's certificate first:
Keytool-keystore tomcat.jks-keypass 222222-storepass 222222-alias ca-import-trustcacerts-file Cacert.pem

To import the server certificate again:
Keytool-keystore tomcat.jks-keypass 222222-storepass 222222-alias tomcat-import-file Servercert.pem

After importing, you can view the contents of KeyStore with the following command:
Keytool-keystore Tomcat.jks-keypass 222222-storepass 222222-list-v

3. Create a server-trusted client CA Certificate library:
Create a certificate library with Keytool, which holds the CA certificate that the server trusts, that is, only the client personal certificates issued by these CAs are trusted by the server to access the server through HTTPS. This is the critical configuration of the HTTPS Server Authentication client certificate. Note: If it is only for testing purposes, for the sake of simplicity, you can directly import a self-signed certificate from a client without a CA to the trust certificate store directly.

Here, we assume that the client personal certificate (a later section describes how to generate a client personal certificate) is also issued by the test CA, so we want to import the CACERT.PEM certificate into the Trust Certificate library:
Keytool-keystore truststore.jks-keypass 222222-storepass 222222-alias ca-import-trustcacerts-file Cacert.pem

You can view the contents of a trusted certificate library with the following command:
Keytool-keystore Truststore.jks-keypass 222222-storepass 222222-list-v

4. Configure Tomcat to support HTTPS two-way authentication (the server will authenticate the client certificate):
Modify the Server.xml file ($TOMCAT _home/conf/server.xml) in TOMCAT's Conf directory to find a configuration similar to the following, add the following configuration:
<connector port= "8443"
maxthreads= "minsparethreads=" maxsparethreads= "75"
Enablelookups= "false" disableuploadtimeout= "true"
Acceptcount= "debug=" "0" scheme= "https" secure= "true"
Clientauth= "true" sslprotocol= "TLS"
Keystorefile= "Conf/tomcat.jks" keystorepass= "222222" keystoretype= "JKs"
Truststorefile= "Conf/truststore.jks" truststorepass= "222222" truststoretype= "JKs"/>

(digression: In fact, the only difference between HTTPS one-way and two-way authentication configuration is to change the ClientAuth to False, remove Truststore related configuration, is one-way HTTPS authentication, one-way HTTPS may use more, It is primarily in the browser with the F Server interaction HTTP requires encryption, without the need to verify the client certificate used. ）

After the above configuration, restart Tomcat, the server supports HTTPS two-way authentication.


method Two, create the server public key keys with OpenSSL and issue the server certificate with the CA:
As mentioned earlier, the advantage of this approach is that it helps to capture the HTTP information in the server's HTTPS interaction with the browser.
In fact, this approach is similar to making a personal digital certificate approach mentioned in the use of OpenSSL to create a simple CA (refer to "Three creating a simple CA by using OpenSSL." Generate your own public key and use the test CA to issue digital certificates section).

1. Make server certificate (eventually form a PKCS12 file containing the server key, certificate and CA's certificate)
Suppose we build the server-related stuff into the CA's $home/testca/test/server directory:
Mkdir-p "$HOME/testca/test/server"
CD "$HOME/testca/test/server"

2.1 Create a server public key, and simultaneously generate a server certificate request:
OpenSSL req-newkey rsa:1024-keyout serverkey.pem-keyform pem-out SERVERREQ.PEM/
-outform pem-subj "/o=abcom/ou=servers/cn=servername"
Enter the key protection password 222222 during the execution of the command.

After execution, you can view the request content with the following command:
OpenSSL req-in Serverreq.pem-text-noout

2.2 Signing the server certificate with the test CA:
By copying the SERVERREQ.PEM to a certain directory in the CA, we can follow the "day-to-day operation of the CA" in "1 using OpenSSL to create a simple ca." Certificate issued according to request for certificate "chapter:
OpenSSL ca-in serverreq.pem-out servercert.pem-config "$HOME/testca/conf/testca.conf"
You need to enter the protection password for the CA private key during execution.

When you are done, you can view the contents of the certificate with the following command:
OpenSSL x509-in Servercert.pem-text-noout

2.3 Making server PKCS12 files (containing the server keys, certificates, and CA certificates)
OpenSSL pkcs12-export-in Servercert.pem-inkey SERVERKEY.PEM/
-out tomcat.p12-name tomcat-cafile "$HOME/testca/cacert.pem"
-caname Root-chain
To enter the protection password (SERVERKEY.PEM) for the server key and the newly generated TOMCAT.P12 protection password during execution, we enter 222222.
When the creation is complete, copy the Pkcs12 file to Tomcat's Conf directory.

3. Create a server-trusted client CA Certificate library:
The corresponding chapter of the same method, here, we assume that the client personal certificate (a later section describes how to generate a client personal certificate) is also issued by the test CA, so we want to import the CACERT.PEM certificate into the Trust Certificate library:
Keytool-keystore truststore.jks-keypass 222222-storepass 222222-alias ca-import-trustcacerts-file Cacert.pem

You can view the contents of a trusted certificate library with the following command:
Keytool-keystore Truststore.jks-keypass 222222-storepass 222222-list-v

4. Configure Tomcat to support HTTPS two-way authentication (the server will authenticate the client certificate):
Modify the Server.xml file ($TOMCAT _home/conf/server.xml) in TOMCAT's Conf directory to find a configuration similar to the following, add the following configuration:
<connector port= "8443"
maxthreads= "minsparethreads=" maxsparethreads= "75"
Enablelookups= "false" disableuploadtimeout= "true"
Acceptcount= "debug=" "0" scheme= "https" secure= "true"
clientauth= "true"Sslprotocol= "TLS"
Keystorefile= "CONF/TOMCAT.P12" keystorepass= "222222" keystoretype= "PKCS12"
Truststorefile= "Conf/truststore.jks" truststorepass= "222222" truststoretype= "JKs"/>

Note: The Keystoretype of KeyStore is different from the configuration of method one. After the above configuration, restart Tomcat, the server supports HTTPS two-way authentication.

Four. Create a personal digital certificate (PKCS12 format) for client (browser) testing
In full accordance with the use of OpenSSL to create a simple CA to make personal digital certificate method, refer to the "create a simple CA using OpenSSL" three. Generate the public key key yourself and use the test CA to issue a digital certificate section.

1. Create personal keys and certificate requests (the public key is included in the certificate request)
Create the $home/testuser1 directory and execute the command: (the certificate is placed in this directory)
mkdir $HOME/testuser1
CD $HOME/testuser1
OpenSSL req-newkey rsa:1024-keyout testkey.pem-keyform pem-out testreq.pem-outform "pem-subj =testuser1 "
You need to enter the private key protection password in the execution, assuming we enter the password: 222222

After execution, TESTKEY.PEM is the user's key, and TESTREQ.PEM is the certificate request.
You can view the contents of a certificate request with OpenSSL req-in testreq.pem-text-noout.

2. Issuing a personal certificate with CA for TestUser1
Also execute commands under the $home/testuser1 directory:
OpenSSL ca-in testreq.pem-out testcert.pem-config "$HOME/testca/conf/testca.conf"
You need to enter the key protection password for the CA (888888 that you just set) and finally ask if you want to select Y for the user to issue a certificate.
After execution, TESTCERT.PEM is the certificate,
You can view the contents of the certificate using the command OpenSSL x509-in testcert.pem-text-noout.

3. Make PKCS12 Documents (personal digital certificate)
The pkcs#12 file we made will contain the key, the certificate, and the CA certificate that issued the certificate.
The method of making the keys and certificates generated in the previous steps into a PKCS12 file executes the command:
OpenSSL pkcs12-export-in testcert.pem-inkey testkey.pem-out testuser1.p12-name testuser1-chain-cafile "$HOME/TESTCA /cacert.pem "
A password (222222) is required to enter the protection key during execution and a new password to protect the pkcs12 file (222222).

When you are done, to view the contents of the TESTUSER1.P12, you can use the command OpenSSL pkcs12-in TESTUSER1.P12
The TESTUSER1.P12 is the pkcs12 file. You can copy directly to Windows, as a personal digital certificate, double-click the import IE can be used after.

Five. Test HTTPS with a simple webapp
The server certificate and the personal certificate are all ready, we can write a simple webapp, there is only one JSP, to see if HTTPS client authentication is effective.

1. Create WebApp to test https:
Create a directory Testhttps in $tomcat_home/webapps/and create Web-inf directories in the Testhttps directory, and create web.xml files in the directory as follows:
File: $TOMCAT _home/webapps/web-inf/web.xml
<?xml version= "1.0" encoding= "Iso-8859-1"?>
<web-app xmlns= "HTTP://JAVA.SUN.COM/XML/NS/J2EE"
Xmlns:xsi= "Http://www.w3.org/2001/XMLSchema-instance"
xsi:schemalocation= "Http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version= "2.4" >
<display-name>test HTTPS app</display-name>
</web-app>

2. Create a JSP that displays client certificate information:
Create a file in the Testhttps directory seecert.jsp
File: $TOMCAT _home/webapps/web-inf/seecert.jsp
<%@ page import= "java.security.cert.X509Certificate" contenttype= "text/html; charset=gb2312 "%>
<pre>
<%
Java.security.cert.x509certificate[] Certs=null;
try{
Certs= (x509certificate[]) request.getattribute ("Javax.servlet.request.X509Certificate");

if (certs = = null) {
Out.println ("No certificates");
else if (certs.length = 0) {
OUT.PRINTLN ("Certificates length is 0");
} else {
Java.security.cert.X509Certificate cert = certs[0];
String DN = Cert.getsubjectx500principal (). toString ();
Out.println ("Subjectdn:" + DN);
Out.println ();
OUT.PRINTLN ("------------------Certification detail--------------------");
OUT.PRINTLN (CERT);
Out.println ("----------------------------------------------------------");
}
catch (Exception e) {
Out.println ("exception=" + e.getmessage ());
}
%>
</pre>

3. Test HTTPS and view client certificate information:
Access URL:https://<tomcat>:8443/testhttps/seecert.jsp
When you access the URL in a browser, the browser may jump out of the window and let you choose which client personal certificate to use.
When the page opens, you will see the client certificate information.

Six. Use Wireshark (Ethereal's new name) to view encrypted HTTP messages in https:
After grabbing the packet with Wireshark, you can see the HTTPS negotiation process between the HTTPS server and the browser, but after the successful establishment of HTTPS, subsequent messages are encrypted and how to view the encrypted HTTP messages. You need to use the server's key (private key) plaintext.
Suppose you need to derive the key plaintext from the server certificate TOMCAT.P12 file generated by the OpenSSL above, generating the key plaintext file method:
OpenSSL pkcs12-in tomcat.p12-out clearserverkey.pem-nodes
SSL is then found in the Wireshark protocol definition and is configured in the RSA keys list as follows:
<server_ip>,8443,http,<path_to_clearserverkey.pem>

which
<server_ip>--is the IP of HTTPS server;
8443--is a port with HTTPS (SSL);
http--means the HTTP protocol is encrypted in SSL;
<path_to_clearserverkey.pem>--refers to the local path of the Clearserverkey.pem file that was generated in the previous step.
In this way, you can see that the SSL protocol in Wireshark is decrypted, and the HTTP message inside is also seen.

Seven. CRL checking of client certificates in Tomcat

refer to the Configure CRL in Tomcat (http://blog.csdn.net/jasonhwang/archive/2008/05/08/2413310.aspx).