Environment: JDK 1.7, Tomcat 7.0.39, OpenSSL 0.9.8
Operating system: Windows 7
Commands (typed into cmd.exe; openssl.exe and keytool.exe are assumed to be on the PATH):
1. Generate the CA private key and self-signed root certificate
① Generate the CA private key (1024-bit RSA is what this 2013 setup used; on any current system use 2048 bits or more, since newer OpenSSL and JDK releases reject shorter keys)
openssl genrsa -out F:\CA\ca-key.pem 1024
② Generate the certificate request for the root, from the key created in ①
openssl req -new -key F:\CA\ca-key.pem -out F:\CA\ca-req.csr -config openssl.cnf
(The original command used -x509 -keyout here. -x509 makes req write a finished self-signed certificate rather than a request, and -keyout generates a fresh key, so step ③ would then be fed a file that is not a CSR and the key from ① would be silently replaced. Use -key and leave out -x509, as above.)
③ Self-sign the request with the CA private key to obtain the root certificate
openssl x509 -req -in F:\CA\ca-req.csr -out F:\CA\ca-cert.pem -signkey F:\CA\ca-key.pem -days 365
Steps ② and ③ can also be done in one command that writes the root certificate directly: openssl req -new -x509 -key F:\CA\ca-key.pem -days 365 -out F:\CA\ca-cert.pem -config openssl.cnf
2. Generate the server certificate
① Generate the key pair in a JKS keystore. Using the same value for -keypass and -storepass is recommended for convenience (Tomcat then needs only keystorePass).
keytool -genkey -alias ying -validity 365 -keyalg RSA -keysize 1024 -keypass yingedevil -storepass yingedevil -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore F:\CA\ying.jks
The cn must be the host name clients will type into the URL (here localhost); otherwise the browser warns about a name mismatch even though the chain is valid.
② Generate the certificate signing request from that key
keytool -certreq -alias ying -sigalg MD5withRSA -file F:\CA\ying.csr -keypass yingedevil -keystore F:\CA\ying.jks -storepass yingedevil
(-sigalg only signs the request itself; the signature algorithm of the issued certificate is chosen by openssl in ③, where -sha256 can be added. MD5 is rejected by current JDKs, so on anything newer than this setup use SHA256withRSA, and -keysize 2048 in ①.)
③ Sign the request with the CA private key
openssl x509 -req -in F:\CA\ying.csr -out F:\CA\ying-cert.pem -CA F:\CA\ca-cert.pem -CAkey F:\CA\ca-key.pem -days 365 -set_serial 1
(-set_serial 1 hard-codes the serial number. If this CA ever issues a second certificate, use -CAcreateserial instead so that serials stay unique.)
3. Import the CA root certificate into the JDK's default truststore %JAVA_HOME%\jre\lib\security\cacerts (its default password is changeit)
keytool -import -v -trustcacerts -storepass changeit -alias root_ying -file F:\CA\ca-cert.pem -keystore "%JAVA_HOME%\jre\lib\security\cacerts"
Be aware that this makes every Java program run with this JDK trust anything signed by ca-key.pem. For anything beyond a local test, import the CA into a separate truststore and point the client at it with -Djavax.net.ssl.trustStore instead of modifying cacerts.
4. Import the CA-signed server certificate into the server keystore, under the same alias as the key pair
keytool -import -v -trustcacerts -storepass yingedevil -alias ying -file F:\CA\ying-cert.pem -keystore F:\CA\ying.jks
Because alias ying already holds a private key, keytool treats the file as a certificate reply and replaces the self-signed certificate with the signed one plus its chain. To do that it must be able to find the issuing CA, which is why step 3 (CA in cacerts, located through -trustcacerts) comes first; otherwise the import fails with "Failed to establish chain from reply". Importing ca-cert.pem into ying.jks under its own alias is the alternative that leaves cacerts untouched.
5. View the server keystore and the JDK truststore to confirm both imports
keytool -list -v -keystore F:\CA\ying.jks -storepass yingedevil
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit
After step 4 the entry for alias ying should report "Certificate chain length: 2", with the CA certificate as the second element.
6. On the Tomcat side, add the following connector to conf/server.xml (the element is Connector, and attribute names are case-sensitive):
<Connector port="443"
           protocol="HTTP/1.1" SSLEnabled="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="F:\server\apache-tomcat-7.0.39\conf\ying.jks"
           keystorePass="yingedevil" />
The original connector also set SSLCertificateFile and SSLCertificateKeyFile. Those attributes belong to the APR/native connector and are ignored by the JSSE connector configured here (protocol="HTTP/1.1" without the tcnative library loaded), so they are dropped. Even with APR they would have to point at the server's own certificate and key, never at the CA's; the CA private key has no business on a web server. If -keypass differed from -storepass in step 2, add keyPass="..." as well.
In the end only ying.jks has to be copied into the server's conf directory. The original also copied ca-cert.pem (renamed to ca-cert.cer; PEM is Base64 text, so the rename only changes which Windows viewer opens the file) and ca-key.pem. Neither is read by the connector above, and ca-key.pem must stay off the server: whoever obtains it can issue certificates that every client from step 3 will trust. ca-cert.cer is useful only for importing into browsers or other clients that should trust this test CA.
Converting the Java keystore to PKCS#12 format (needed if the key must be used by OpenSSL or another server; Tomcat can also load the .p12 directly with keystoreType="PKCS12"):
keytool -importkeystore -srckeystore ying.jks -destkeystore ying.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass yingedevil -srcalias ying -deststorepass yingedevil -destkeypass yingedevil
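The whole of steps 1 to 5 plus the PKCS#12 conversion above, as one POSIX shell script. This is an added example, not part of the original post: it keeps the post's names (alias ying, CN=localhost, password yingedevil; the output directory is chosen by the caller) but uses 2048-bit keys, SHA-256 signatures, a proper CA extension set and a subjectAltName, and it verifies the chain before anything is copied to a server. It uses only the openssl command line (written against the 1.x/3.x CLI), so keytool is not needed: the server key is generated by openssl and packaged as PKCS#12, which Tomcat loads with keystoreType="PKCS12". On Windows run it under Git Bash or Cygwin, or translate the paths.

```shell
#!/bin/sh
# Added example (not from the original post): CA -> server certificate -> PKCS#12,
# with parameters acceptable today and an explicit chain check.
# File names, subject names and the password "yingedevil" are assumptions taken
# over from the post, not requirements.
set -eu

# Minimal OpenSSL config used by every command below (written into the work dir).
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
C  = CN
O  = company
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_config "$dir"
    # 1. CA key and self-signed root in one command (a root needs no separate CSR step).
    openssl genrsa -out "$dir/ca-key.pem" 2048
    openssl req -new -x509 -key "$dir/ca-key.pem" -days 3650 -sha256 \
        -config "$dir/pki.cnf" -extensions v3_ca -out "$dir/ca-cert.pem"
    # 2. Server key and request; the subject is the one used in the post.
    openssl genrsa -out "$dir/server-key.pem" 2048
    openssl req -new -key "$dir/server-key.pem" -config "$dir/pki.cnf" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=company/OU=department/CN=localhost" \
        -out "$dir/server.csr"
    # 3. CA signs the request. -CAcreateserial replaces the post's fixed -set_serial 1;
    #    extensions are dictated by the CA side, never taken from the request.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/pki.cnf" -extensions v3_server -out "$dir/server-cert.pem"
    # 4. Bundle server key + certificate + CA certificate for Tomcat (alias "ying").
    #    The CA key is deliberately not part of this bundle.
    #    For JDK 7 add: -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    openssl pkcs12 -export -in "$dir/server-cert.pem" -inkey "$dir/server-key.pem" \
        -certfile "$dir/ca-cert.pem" -name ying -passout pass:yingedevil -out "$dir/ying.p12"
}

# Checks a practitioner runs before deploying: chain validity, signature
# algorithm, SAN present, and the bundle actually contains the private key.
# Returns non-zero if anything is off.
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null || return 1
    txt=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
    printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    printf '%s\n' "$txt" | grep -q 'DNS:localhost' || return 1
    openssl pkcs12 -in "$dir/ying.p12" -passin pass:yingedevil -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 1
    return 0
}

# Usage: sh make-pki.sh <output-dir>. With no argument only the functions are defined.
if [ "$#" -gt 0 ]; then
    build_pki "$1"
    verify_pki "$1" && echo "chain OK: $1/server-cert.pem is signed by $1/ca-cert.pem"
fi
```

Run it as `sh make-pki.sh ./pki`, then copy only `ying.p12` to Tomcat's conf directory and set `keystoreFile`, `keystoreType="PKCS12"` and `keystorePass="yingedevil"` on the connector; `ca-cert.pem` goes to the clients that should trust the test CA, and `ca-key.pem` stays where the CA lives.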
7. Add the following to the web application's web.xml so that requests arriving over plain HTTP are redirected to HTTPS (element names are lower-case; web.xml is case-sensitive XML):
<login-config>
    <!-- Authentication method; not involved in the redirect itself, see below -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Require TLS for every URL of this application -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Only the security-constraint does the work: CONFIDENTIAL makes Tomcat answer a plain-HTTP request with a redirect to the redirectPort of the connector it arrived on, so the HTTP connector (port 8080 in the stock server.xml) must carry redirectPort="443" to match the connector from step 6, not the default 8443. The login-config with CLIENT-CERT has no effect without an auth-constraint, and with clientAuth="false" on the connector no client certificate is ever requested; leave it out unless client-certificate authentication is actually wanted.
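For the redirect in step 7 to land on the connector from step 6, the two connectors in conf/server.xml have to agree on the port. The fragment below is an added example, not configuration from the original post; the paths, port numbers and the password "yingedevil" are the post's own assumptions.

```xml
<!-- Added example, not from the original post: the connector pair that
     step 6 and step 7 need together (conf/server.xml, inside <Service>). -->

<!-- Plain HTTP. redirectPort must name the HTTPS connector's port; with the
     stock value 8443 the CONFIDENTIAL constraint sends clients to a port
     nothing is listening on. -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="443" />

<!-- HTTPS on the JSSE connector. Only the keystore* attributes apply here;
     SSLCertificateFile / SSLCertificateKeyFile are APR-only and are ignored.
     To use the converted store instead, set keystoreFile to ying.p12 and
     keystoreType="PKCS12". -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="F:\server\apache-tomcat-7.0.39\conf\ying.jks"
           keystoreType="JKS"
           keystorePass="yingedevil" />
```

With both connectors in place, opening http://localhost:8080/ yields a 302 to https://localhost/ and the browser presents the chain from step 4; the certificate is accepted without a warning only on clients that imported ca-cert.pem.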
See the official document: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
For how to write openssl.cnf, see: http://www.openssl.org/docs/apps/req.html#EXAMPLES