Keytool+tomcat Configuring HTTPS Bidirectional certificate authentication

System Requirements:

1. Windows system or Linux system

2. Install and configure the JDK 1.6.0_13

3. Installing and configuring Tomcat 6.0

One, server certificate

1. Create the certificate store Directory "D:\home", "Run" console, enter the%java_home%/bin directory, use Keytool to generate a certificate for Tomcat, assuming the target machine's domain name is "localhost", keystore file is stored in "D:\home \tomcat.keystore ", Password is" password ", use the following command to generate:

Keytool-genkey-v-alias tomcat-keyalg rsa-keystore D:\home\tomcat.keystore-validity 36500

(A brief description of the parameter: "D:\home\tomcat.keystore" means to save the path to the certificate file, the certificate file name is Tomcat.keystore; "-validity 36500" means the certificate validity period, 36500 means 100 years,

Default value is 90 days)

2. Fill in the necessary parameters at the command line:

A, enter KeyStore password: here need to enter a string greater than 6 characters, password we unified use "123456",

B, "What is your first and last name?" "This is required and must be the domain name of the Tomcat deployment host or ip[, such as: Gbcom.com or 10.1.25.251] (which is the access address you will enter in the browser), or the browser will pop up a warning window prompting the user certificate to not match the domain in which it resides. When you do the development test locally, you should fill in "localhost". Our first and last names must be written as "localhost xxxxxxxxxxxxxxxxxx", where "X" is the only sign

C, "What is your organizational unit name?" "," What is your organization name? "," What is your city or region name? "," What is the name of your state or province? "," What is the two-letter country code for this unit? "Can be filled in as needed or can not fill in the direct return, the system asked" correct? , enter the letter "Y" with the keyboard if required, otherwise enter "n" to re-fill the information

D, enter <tomcat> master password, this is more important, will be used in the Tomcat configuration file, the recommended input and KeyStore password consistent, set other password can also

3. After completing the above input, the direct carriage return will locate the generated file in the location you defined in the second step, indicating that the server certificate was successfully generated

Second, the client certificate

1. Generate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate:

Keytool-genkey-v-alias mykey-keyalg rsa-storetype pkcs12-keystore D:\home\mykey.p12

2. The corresponding certificate inventory is placed in "D:\HOME\MYKEY.P12", the client's CN can be any value. Double-click the Mykey.p12 file to import the certificate into the browser (client).

　　

Third, let the server trust the client certificate

1. Because you cannot directly import a certificate library in the PKCS12 format, you must first export the client certificate as a separate CER file, using the following command: Keytool-export-alias mykey-keystore D:\HOME\MYKEY.P12- Storetype Pkcs12-storepass Password-rfc-file D:\home\mykey.cer
2. The client certificate was exported to the "D:\home\mykey.cer" file. The next step is to import the file into the certificate Library of the server and add it as a Trust certificate: keytool-import-v-file D:\home\mykey.cer-keystore D:\home\tomcat.keystore

3 with the List command to view the server's certificate library, you can see two certificates, one server certificate and one trusted client certificate:

Keytool-list-keystore D:\home\tomcat.keystore

Four, let the client trust the server certificate

• 1. Because it is a two-way SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the Browse Trusted root certification authorities. Because you cannot directly import a certificate library in the KeyStore format, you must first export the server certificate as a separate CER file, using the following command:

Keytool-keystore D:\home\tomcat.keystore-export-alias Tomcat-file D:\home\tomcat.cer

V. Configuring the Tomcat Server

C:\java\apache-tomcat-7.0.69\conf\server.xml

Property Description:

• • ClientAuth: Set whether bidirectional authentication, default = False, set to True for bidirectional authentication
  • Keystorefile: Server certificate file path
  • Keystorepass: Server certificate Password
  • Truststorefile: The root certificate used to authenticate the client certificate, in this case the server certificate
  • Truststorepass: Root certificate Password

VI. Testing

In the browser input: https://localhost:8443/, will pop-up select the client certificate interface, click "OK", will enter the Tomcat homepage, the address bar will have a "lock" icon, indicating that the session has been authenticated through HTTPS two-way, The information transmitted during the next session is encrypted with SSL information.

　　

Reference Links:

79191930

7599969

Https://www.cnblogs.com/SirSmith/p/4996392.html

Keytool+tomcat Configuring HTTPS Bidirectional certificate authentication