HTTPS is the communication-encryption technology we most often use in development, and it effectively protects the security of network access. This article mainly explains how to configure one-way and two-way HTTPS. I will not repeat the principles behind HTTPS here; readers who are interested can look at Nanyi's blog posts introducing HTTPS: the illustrated SSL/TLS protocol and "What is a digital signature?".
Contents of this article:
1. One-way HTTPS configuration
2. Two-way HTTPS configuration
3. Explanation of common terms (reprinted)
1. One-way HTTPS configuration
- Generate the HTTPS certificate with the following command:
sudo keytool -genkey -keyalg RSA -dname "CN=LOCALHOST,OU=NONE,O=NONE,L=SHANGHAI,ST=SHANGHAI,C=CN" -alias server -keypass 123456 -keystore server.keystore -storepass 123456 -validity 3650
- Generate a CSR file. This article only generates a self-signed HTTPS certificate; if you need a CA-issued certificate, you must generate a CSR file from the keystore and submit it to the appropriate CA to request the certificate.
sudo keytool -certreq -alias server -keystore server.keystore -storepass 123456 -file server.csr
(server.csr is an assumed output file name; the rest of the command follows the keystore, alias and password used above.)
- Generate a CER file
Because the certificate we generated was created with keytool and is not issued by a CA trusted by the operating system, the browser shows an untrusted-certificate warning when the site is accessed. We therefore export the server's public certificate as a CER file and manually import it into the browser's list of trusted certificates.
sudo keytool -export -alias server -keystore server.keystore -storepass 123456 -rfc -file ca.cer
- Configure the HTTPS certificate in Tomcat
Add the following Connector to server.xml to make the site reachable over HTTPS:
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="/users/beiyan/documents/test/server.keystore" keystorePass="123456" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
keystoreFile is the path of the keystore and keystorePass is its password (the maxThreads value is assumed; 150 is the value in Tomcat's sample server.xml).
Accessing the site now looks like this:
- Import the CER file so the browser trusts this certificate: double-click ca.cer to import it, set it to Always Trust, and access the site again.
- Application access. If you use a tool such as HttpClient to access the HTTPS endpoint, you need to import ca.cer into the JRE's cacerts trust store.
The command is as follows: keytool -import -alias tomcatsso -file "ca.cer" -keystore "/library/java/javavirtualmachines/jdk1.8.0_111.jdk/contents/home/jre/lib/security/cacerts" -storepass changeit
where /library/java/javavirtualmachines/jdk1.8.0_111.jdk/contents/home/jre is the JRE directory and changeit is the default password of the JRE's cacerts store.
2. Two-way HTTPS configuration
- Generate the server-side certificate:
sudo keytool -genkey -keyalg RSA -dname "CN=LOCALHOST,OU=NONE,O=NONE,L=SHANGHAI,ST=SHANGHAI,C=CN" -alias server -keypass 123456 -keystore server.keystore -storepass 123456 -validity 3650
- Generate the client certificate. Here the client is the browser, and browsers support the PKCS12 certificate format, so the certificate is generated in PKCS12 format:
sudo keytool -genkey -keyalg RSA -dname "CN=LOCALHOST,OU=NONE,O=NONE,L=SHANGHAI,ST=SHANGHAI,C=CN" -alias client -keypass 123456 -keystore client.p12 -storepass 123456 -storetype PKCS12 -validity 3650
(The alias client is assumed; the output file client.p12 is the one listed below.)
- Let the server trust the client's certificate. Because this is two-way authentication, the server must verify the client's identity, so the client's public certificate must be imported into the server's trust list. The generated PKCS12 file cannot be imported directly, so first export the certificate as a CER file and then import that CER file into the server's keystore.
1. Export the client certificate as a separate CER file
sudo keytool -export -alias client -keystore client.p12 -storetype PKCS12 -storepass 123456 -rfc -file client.cer
2. Import the CER file into the server-side keystore
sudo keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456
3. Check the list of certificates in server.keystore:
sudo keytool -list -keystore server.keystore -storepass 123456
As you can see, the keystore now contains two entries: the server's private key and the client's trusted public certificate.
- Let the client trust the server-side certificate. The client also needs to verify that the server's certificate is trustworthy, so the server's public certificate must likewise be imported into the client's trust list. The usual practice is to export the server certificate as a separate CER file and then double-click it to install it into the browser's certificate list.
sudo keytool -export -alias server -keystore server.keystore -storepass 123456 -rfc -file server.cer
- The full list of generated files is as follows:
client.cer: the public certificate of the client
client.p12: the private key (with certificate) of the client
server.cer: the public certificate of the server
server.keystore: the server-side keystore, containing both the server's private key and the client's public certificate
- Modify the Tomcat configuration:
Add the following Connector to server.xml:
<Connector SSLEnabled="true" clientAuth="true" keystoreFile="/users/beiyan/documents/test/keytool/server.keystore" truststoreFile="/users/beiyan/documents/test/keytool/server.keystore" truststorePass="123456" keystorePass="123456" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
clientAuth="true" means two-way authentication: the server requires the client to present a certificate that is trusted by truststoreFile (the maxThreads value is assumed; 150 is the value in Tomcat's sample server.xml).
- Client: install the private key by double-clicking client.p12
Note: this shows the setup on a Mac; Windows is similar. Double-clicking opens the installation dialog.
- Client: install the server's public certificate by double-clicking server.cer and setting trust as above.
- Successful access:
A client-certificate selection dialog pops up; select the client certificate and access proceeds normally.
Certificate selection dialog
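An added Java client (not from the original post) that exercises both configurations above without modifying the JRE-wide cacerts as section 1 does: it trusts only the exported server.cer, and in two-way mode presents client.p12 as its identity. The file names and the password 123456 come from the steps above; the class name and the request to https://localhost:8443/ are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TomcatTlsClient {
    // Trust anchor: an in-memory store holding only the exported server.cer, so this
    // client trusts nothing else (PEM from "keytool -export -rfc" and DER both parse).
    static TrustManagerFactory trustOnly(String serverCerPath) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                    // fresh empty store, no file behind it
        try (InputStream in = new FileInputStream(serverCerPath)) {
            trust.setCertificateEntry("server",
                CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf;
    }

    // Client identity for clientAuth="true": the private key and certificate in client.p12.
    static KeyManagerFactory identityFrom(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return kmf;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "123456".toCharArray();      // keystore password used throughout the post
        boolean twoWay = args.length > 0 && args[0].equals("two-way");
        SSLContext ctx = SSLContext.getInstance("TLS");
        // One-way: no key managers, the server is checked against server.cer only.
        // Two-way: also present client.p12; without it Tomcat rejects the handshake.
        ctx.init(twoWay ? identityFrom("client.p12", pass).getKeyManagers() : null,
                 trustOnly("server.cer").getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // default hostname verifier stays on
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

Run it with no argument against the section 1 connector and with the argument two-way against the section 2 connector; in the latter case, omitting client.p12 makes the handshake fail, which is the behaviour clientAuth="true" is meant to enforce.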
3. Explanation of JKS, keystore, truststore, CER, PFX and other terms (reprinted from the web)
Note: this section is reproduced from the web; the original source address is uncertain.
Key:
The public key and private key, collectively.
Key pair:
The public key (certificate) and the private key exist in pairs. Each communicating party holds its own private key and the other party's public key. Your private key must be closely guarded, while the public key is openly given to the other party. Under Windows, a standalone public key is typically a file with a .cer suffix.
A encrypts data with its own private key and sends it to B; B decrypts it with the public key A provided. Likewise, B encrypts data with its own private key and sends it to A, who decrypts it with B's public key.
Two uses of a public key:
1. Verify the identity of the other party: prevents someone else from impersonating them to send you data.
2. Decryption.
Two uses of the private key:
1. Prove your own identity: unless a third party has your private key, they cannot impersonate you to send data to the other party.
2. Encryption.
JKS (Java Key Store):
A Java container for storing keys. It can hold any number of public or private keys at the same time; the suffix is usually .jks, .keystore, .truststore, etc., all of them odd-looking. Whatever the suffix, it is a container, and different companies or organizations name it differently. For example, a container holding only "trusted public keys" is saved as a .truststore file.
Use keytool.exe in the JDK's bin directory to view, import, export, delete, change the password, and so on. A JKS container can be given a password, and only by entering it correctly can you manipulate the keys inside. This password is a different concept from the previous one, which is the password of the private key stored inside the JKS and is usually top secret.
PFX:
PFX is used by browsers; its function is the same as that of JKS, only the file format differs.
Some tool programs can convert PFX into JKS format for use by Java programs (for example, when a bank provides only a PFX but we want to use HttpClient to simulate the browser for automated access). It is said that the PFX exported by IE is not standard and converting it to JKS often errors; you can try importing it into and exporting it from Netscape Navigator and then converting. I have encountered this situation.
Several common kinds of HTTPS systems. HTTPS protocol data is encrypted in transit to prevent third-party eavesdropping, impersonation and tampering.
1. Sites that require no action from the user, such as https://www.verisign.com/
This is because the public key is legitimate (issued by a trusted authority, matches the actual domain name, and has not expired). When accessing with IE, you can view the public key information by right-clicking on a blank area of the page.
2. HTTPS pages that pop up a public-key confirmation prompt
The public key is not legitimate (not issued by a trusted authority, or does not match the actual domain name, or has expired), but if the user clicks "Yes" the danger is ignored and access continues.
3. Sites that require you to import a file into the browser before you can access them
Generally these are sites with high security requirements such as online banking, where the site (the bank) needs to verify the visitor's identity (for example, to confirm that you are a registered online-banking merchant); you need to import a PFX file containing the visitor's private key into the browser.
Generating a JKS:
If the bank does not provide a JKS file, you need to generate your own.
For HTTPS sites of type 1, if a Java program accesses the address and the issuer of the peer certificate is not found in the JRE's default truststore, a security exception is thrown. Therefore the site's public key should be stored in a JKS and that JKS set in the environment, indicating that the public keys in this store are trusted, so that access proceeds normally.
I use a ready-made Make_jks tool class that reads the HTTPS://XXXX address in the program; the program automatically grabs the bank's public key and puts it into a JKS file.
Alternatively, view the site's public key in a browser, export it (typically with a .cer suffix), and then manually import the CER into a JKS with keytool.exe. I have not tried this.
HTTPS sites of types 1 and 2 above use only the "verify the other party's identity" function of the public key. For type-3 HTTPS sites, you can also find a ready-made program that turns the PFX directly into a JKS. Since a PFX is used, generally both uses of the public key and both uses of the private key are involved.
HTTPS one-way authentication and two-way authentication configuration