HTTPS is frequently used in our development as a communication encryption technology and effectively protects the security of network access. This article mainly explains how to configure one-way and two-way HTTPS. I will not repeat the principles behind HTTPS here; for readers who are interested, see teacher Nanyi's introductory blog posts on HTTPS: the SSL/TLS protocol explained with diagrams, and what a digital signature is.
Contents of this article:
1. One-way HTTPS configuration
2. Two-way HTTPS configuration
3. Description of common terms (reprinted)
1. One-way HTTPS configuration
Generate the HTTPS certificate (a self-signed RSA key pair stored in server.keystore under the alias server):
sudo keytool -genkey -keyalg RSA -dname "CN=localhost,OU=NONE,O=NONE,L=SHANGHAI,ST=SHANGHAI,C=CN" -alias server -keypass 123456 -keystore server.keystore -storepass 123456 -validity 3650
Generate a CSR file: this article only generates a self-signed HTTPS certificate. If you need a CA-issued certificate, you must generate a CSR file and submit it to the appropriate CA to request the certificate.
sudo keytool -certreq -alias server -keystore server.keystore -file ca.csr -storepass 123456
Generate a CER file
Because the certificate we generated was created with keytool and was not issued by a CA trusted by the operating system, the browser shows an untrusted-certificate warning when the site is accessed. We therefore export the CER file (the server-side public key certificate) and import it manually into the browser's list of trusted certificates.
sudo keytool -export -alias server -keystore server.keystore -file ca.cer -storepass 123456
Configuring the HTTPS certificate in Tomcat
Add the following connector to server.xml to make the site reachable over HTTPS on port 8443:
<Connector SSLEnabled="true" clientAuth="false"
    keystoreFile="/users/beiyan/documents/test/server.keystore"
    keystorePass="123456" port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS"/>
Here keystoreFile is the path to the keystore and keystorePass is its password.
The browser then shows the access interface (screenshot in the original).
Import the CER file so that the browser trusts this certificate: double-click ca.cer to import it, set it to "Always Trust", and access the site again.
Application access: if you use a tool such as HttpClient to access the HTTPS connection from a Java program, ca.cer must be imported into the JRE's cacerts trust store. The command is as follows:
keytool -import -alias tomcatsso -file ca.cer -keystore "/library/java/javavirtualmachines/jdk1.8.0_111.jdk/contents/home/jre/lib/security/cacerts" -storepass changeit
Here /library/java/javavirtualmachines/jdk1.8.0_111.jdk/contents/home/jre is the JRE directory and changeit is the default password of the JRE's cacerts store.
2. Two-way HTTPS configuration
Generate the server-side certificate:
sudo keytool -genkey -keyalg RSA -dname "CN=localhost,OU=NONE,O=NONE,L=SHANGHAI,ST=SHANGHAI,C=CN" -alias server -keypass 123456 -keystore server.keystore -storepass 123456 -validity 3650
Generate the client certificate: here the client is the browser, and browsers support the PKCS12 certificate format, so the client certificate is generated in PKCS12 format:
sudo keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 -dname "CN=localhost,OU=NONE,O=NONE,L=SHANGHAI,ST=SHANGHAI,C=CN" -keypass 123456 -storepass 123456 -keystore client.p12 -validity 3650
Let the server trust the client's certificate: because this is two-way authentication, the server must verify the identity of the client, so the client's public key must be imported into the server-side trust list. The generated PKCS12 file cannot be imported directly, so export it to a CER file first and then import that CER file into the server's certificate library.
1. Export the client certificate as a separate CER file
sudo keytool -export -alias client -keystore client.p12 -storetype PKCS12 -storepass 123456 -rfc -file client.cer
2. Import the CER file into the certificate library on the server side
sudo keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456
3. Check the list of certificates inside server.keystore:
sudo keytool -list -keystore server.keystore -storepass 123456
As you can see, the certificate library now contains two entries: the server's private key and the client's trusted public key.
Let the client trust the server certificate: the client also needs to verify that the server-side certificate is trustworthy, so the public key of the server certificate must be imported into the client's trust list as well. The usual approach is to export the server certificate as a separate CER file and then double-click it to install it into the browser's certificate list.
sudo keytool -export -alias server -keystore server.keystore -file server.cer -storepass 123456
The list of all generated files is as follows:
client.cer: the public key of the client certificate
client.p12: the private key of the client certificate
server.cer: the public key of the server-side certificate
server.keystore: the server-side certificate library, containing both the server-side private key and the client public key
Modify the Tomcat configuration: add the following connector to server.xml (the same keystore also serves as the trust store, since the client certificate was imported into it above)
<Connector SSLEnabled="true" clientAuth="true"
    keystoreFile="/users/beiyan/documents/test/keytool/server.keystore"
    truststoreFile="/users/beiyan/documents/test/keytool/server.keystore"
    truststorePass="123456" keystorePass="123456" port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS"/>
clientAuth="true" means two-way authentication: Tomcat requires the client to present a certificate that is trusted by the trust store.
Client installation of the private key: double-click client.p12 to install it.
Note: the steps shown here are for the Mac; Windows is similar (double-clicking opens the installation dialog). Client installation of the server public key: double-click the server.cer file and set it up in the same way.
Successful access: the browser pops up a client-certificate selection dialog; select the client certificate and the page is then accessed normally.
Certificate selection dialog (screenshot in the original)
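Besides the browser, a Java program can also act as the client of the two-way setup above. The following is an added example (not code from the original article): it loads client.p12 as the client's key material and trusts only the exported server.cer, so nothing has to be imported into the JRE's cacerts. The file names and the password 123456 are those used above; the URL is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: two-way TLS client for the Tomcat connector with clientAuth="true".
public class MutualTlsClient {

    // Trust store built in memory from server.cer only: any other server certificate,
    // even one the JRE trusts by default, is rejected by this client.
    static TrustManagerFactory trustOnly(String serverCer) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(serverCer)) {
            trust.setCertificateEntry("server",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf;
    }

    // Key manager holding client.p12; it answers Tomcat's certificate request.
    // For the one-way configuration, pass null instead of kmf.getKeyManagers().
    static SSLContext context(String clientP12, String serverCer, char[] password) throws Exception {
        KeyStore client = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            client.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(client, password);   // the -keypass given when client.p12 was generated
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustOnly(serverCer).getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context("client.p12", "server.cer", "123456".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Host name verification stays enabled: the host must match the certificate's CN=localhost
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the client certificate is omitted (null key managers) against a connector with clientAuth="true", the handshake fails, which is the quickest check that two-way authentication is actually enforced.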
3. Description of jks, keystore, truststore, cer, pfx and other terms (reprinted from the network)
Note: this section is reprinted from the network; it has been reposted so many times that the original source address cannot be determined.
Key:
The collective name for public key + private key.
Key pair:
The public key (certificate) and the private key exist in pairs. Each side of the communication holds its own private key and the other side's public key. Your private key must be closely guarded, while the public key is made available to the other side. Under Windows, a standalone public key is typically a file with a .cer suffix.
A encrypts data with its own private key and sends it to B; B decrypts it with the public key provided by A. Similarly, B encrypts data with its own private key and sends it to A, which decrypts it with B's public key.
Two uses of a public key:
1. Verify the identity of the other party: prevents others from impersonating the other party and sending you data.
2. Decryption.
Two uses of the private key:
1. Prove your own identity: unless a third party has your private key, they cannot impersonate you and send data to the other party.
2. Encryption.
JKS (Java KeyStore):
A container for storing keys in Java. It can hold any number of public or private keys at the same time. The suffix is generally .jks, .keystore, .truststore, and so on, which is confusing; whatever the suffix, it is the same kind of container, and different companies or organizations simply name it differently. For example, a container holding only "trusted public keys" is stored as a .truststore file.
Use keytool.exe in the JDK's bin directory to view, import, export, delete, change passwords and perform other operations. A password can be set on the JKS container, and only after entering it correctly can the keys in the container be manipulated. This password is a different concept from the one mentioned earlier, which is the password of the private key stored in the JKS and is usually kept top secret.
PFX
PFX is used by browsers; its function is the same as a JKS, only the file format is different.
Some tool programs can convert PFX into JKS format for use by Java programs (for example, when a bank only provides a PFX but we want to use HttpClient to simulate the browser for automated access). It is said that the PFX format exported by IE is not standard and conversion to JKS often fails; you can try importing it into Netscape Navigator and exporting it again, then converting. I have encountered such a situation.
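One such PFX-to-JKS conversion, as an added example that is not part of the reprinted text: every entry of the PKCS12 file is copied into a new JKS container, which a Java program can then load as its key store. The file paths are assumptions; the password is the one used for client.p12 earlier in this article.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example: convert a PFX/P12 file into a JKS file.
public class PfxToJks {

    // Copies every entry: private keys keep their certificate chain and are protected
    // with the same password; standalone certificates become trusted entries.
    static int convert(String pfxPath, String jksPath, char[] password) throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) {
            src.load(in, password);
        }
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null);   // start with an empty JKS container
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        int copied = 0;
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                dst.setEntry(alias, src.getEntry(alias, prot), prot);
            } else {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
            copied++;
        }
        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            dst.store(out, password);
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths: client.p12 from this article, client.jks as the output
        int n = convert("client.p12", "client.jks", "123456".toCharArray());
        System.out.println("copied " + n + " entries into client.jks");
    }
}
```

The same conversion is available from the command line with keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS, and keytool -list -keystore client.jks shows the copied entries.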
Several common types of HTTPS system. HTTPS protocol data is encrypted in transit to prevent third-party eavesdropping, impersonation and tampering.
1. No action is required from the user, for example https://www.verisign.com/
This is because the public key is legitimate (issued by a trusted authority, matching the actual domain name, and not expired). When accessing with IE, you can view the public key information by right-clicking in a blank area of the page.
2. The HTTPS page pops up a public key confirmation prompt
The public key is not valid (not issued by a trusted authority, not matching the actual domain name, or expired), but if the user clicks "Yes", the danger is ignored and access continues.
3. You need to import a file into the browser to gain access
In general, for sites with high security requirements such as online banking, the site (the bank) needs to verify the visitor's identity (for example, to confirm that you are a registered online-banking merchant), so you need to import a PFX file containing the visitor's private key into the browser.
Generating a JKS:
If the bank does not provide a JKS file, you need to generate the JKS yourself.
For such an HTTPS website, if a Java program accesses the address and the issuer of the peer certificate cannot be found in the JRE's default truststore, a security exception is thrown. The site's public key should therefore be stored in a JKS that is set in the environment, indicating that the public keys in this library are trusted, so that access works normally.
I use the ready-made Make_jks tool class: the program reads the HTTPS://XXXX address, automatically grabs the bank's public key and writes it into a JKS file.
Alternatively, view the site's public key in a browser, export the public key (typically with a .cer suffix), and then manually import the CER into a JKS with keytool.exe. I haven't tried this.
HTTPS websites of types 1 and 2 above only use the public key's "verify the identity of the other party" function. For type 3 HTTPS sites, you can also find a ready-made program to turn the PFX directly into a JKS. Since a PFX is used, generally both uses of the public key and both uses of the private key are employed together.