Generating CA certificates with OpenSSL under Windows | Procedure
One. Generate the CA certificate.
This procedure does not use a third-party authoritative CA; we act as our own CA.
First download the OpenSSL software from the Internet.
1. Create the private key:
C:\openssl\bin>openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
C:\openssl\bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config d:\openssl\openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:pudong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:huro
Organizational Unit Name (eg, section) []:www.huro.cn
Common Name (eg, YOUR name) []:huro coporation
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:100200
3. Self-sign the certificate:
C:\openssl\bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the browser-supported .p12 format:
C:\openssl\bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: changeit
Two. Generate the server certificate.
1. Create the private key:
C:\openssl\bin>openssl genrsa -out server/server-key.pem 1024
2. Create a certificate request:
C:\openssl\bin>openssl req -new -out server/server-req.csr -key server/server-key.pem -config d:\openssl\openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:192.168.1.246
(Note: be sure to enter the IP address where the server resides.)
Email Address []:sky
3. Sign the certificate with the CA certificate and key:
C:\openssl\bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the browser-supported .p12 format:
C:\openssl\bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: changeit
Three. Generate the client certificate.
1. Create the private key:
C:\openssl\bin>openssl genrsa -out client/client-key.pem 1024
2. Create a certificate request:
C:\openssl\bin>openssl req -new -out client/client-req.csr -key client/client-key.pem -config d:\openssl\openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:sky
Email Address []:sky
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tsing
3. Sign the certificate with the CA certificate and key:
C:\openssl\bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the browser-supported .p12 format:
C:\openssl\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Password: changeit
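Added example (not part of the original procedure): a POSIX shell check, runnable for instance from Git Bash on Windows, that the server and client certificates from steps Two and Three were really issued by the CA from step One rather than self-signed, and how large their RSA keys are. The function names and the MIN_BITS threshold are assumptions of this example; the file paths follow the layout used above.

```shell
#!/bin/sh
# Added example: post-generation checks for the certificates created above.

MIN_BITS=2048        # threshold chosen for this example, not a value from the page
CA=ca/ca-cert.pem    # CA certificate path as used in the steps above

# Print the RSA key size (in bits) of the certificate in file $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public.Key: (\([0-9][0-9]*\) bit).*/\1/p' |
        head -n 1
}

# Return 0 only if certificate $2 is not self-signed and its signature
# chains to the CA certificate $1.
issued_by_ca() {
    ca=$1
    cert=$2
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    # A certificate that names itself as issuer was self-signed, not CA-signed.
    if [ -z "$subject" ] || [ "$subject" = "$issuer" ]; then
        return 1
    fi
    # "openssl verify" prints "<file>: OK" when the chain validates.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK'
}

# Report on the server and client certificates if they exist.
for f in server/server-cert.pem client/client-cert.pem; do
    if [ ! -f "$f" ]; then continue; fi
    if issued_by_ca "$CA" "$f"; then
        status="issued by CA"
    else
        status="NOT issued by CA"
    fi
    bits=$(cert_key_bits "$f")
    note=""
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        note=" (below $MIN_BITS bits)"
    fi
    echo "$f: $status, RSA ${bits:-unknown} bits$note"
done
```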
Four. Generate the JKS file from the CA certificate.
C:\Java\jdk1.5.0_09\bin>keytool -keystore jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
Five. Configure Tomcat SSL
Modify conf/server.xml. Tomcat 6 has the additional SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths for your installation.
Configuration for Tomcat 5.5:
<!-- The maxThreads, minSpareThreads and acceptCount values are missing on this page; the values from Tomcat's stock server.xml are assumed here. -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Configuration for Tomcat 6.0:
<!-- The maxThreads value is missing on this page; the value from Tomcat's stock server.xml is assumed here. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Six. Import the certificate
Import ca.p12 and client.p12 into IE (open IE -> Internet Options -> Content -> Certificates).
Import ca.p12 into Trusted Root Certification Authorities, and client.p12 into Personal.
Installation steps for security certificates