SSL/HTTPS configuration of two-way authentication and certificate store generation

Source: Internet
Author: User

1. SSL configuration

No special configuration is required; the certificate stores it needs are generated as described in the relevant parts of the HTTPS authentication section below.

2. HTTPS authentication

I. Basic concepts

1. One-way authentication: the server presents its certificate and the transmitted data is encrypted, but the identity of the client is not verified.
2. Two-way authentication: the server also demands a certificate from the client. If the browser has not imported a client certificate that the server trusts, the TLS handshake fails and the Web system cannot be accessed at all (the browser reports a connection or certificate error, not an unknown address).
If all you need is encryption, one-way authentication is enough.
If people must be unable to use the system without a certificate, use two-way authentication.

II. Server configuration

Open conf/server.xml under the Tomcat root directory and modify the HTTPS connector.

The name registered in the server certificate (the one the client installs as server.cer) must be the same as the host name used in the URL, otherwise the browser cannot verify it. This article puts the name in the CN; current browsers match the host name only against the Subject Alternative Name, so see the note on -ext SAN in section III.

For example, access to https://127.0.0.1:8443/Test requires a server certificate named 127.0.0.1.

Access to https://hepengfei:8443/Test requires a server certificate named hepengfei.

The local domain-name resolution file on this machine is C:/Windows/System32/drivers/etc/hosts; add the line "127.0.0.1 hepengfei" there so that the name resolves.

Set the port to 8443 and the custom port appears in the URL: https://127.0.0.1:8443/Test

Set the port to 443 (the HTTPS default) and no port is needed: https://127.0.0.1/Test

clientAuth="true" enables two-way authentication; clientAuth="false" is one-way authentication. (A third value, clientAuth="want", asks for a client certificate but still admits clients that present none, so it does not enforce two-way authentication.)

keystoreFile and keystorePass: the keystore holding the server's own private key and certificate (the certificate you use).

truststoreFile and truststorePass: the trust store holding the client certificates, or the root certificates that issued them.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:/java/tomcat/conf/keystore/server" keystorePass="080302"
               truststoreFile="C:/java/tomcat/conf/keystore/servertrust" truststorePass="080302"
    />

maxThreads is the connector's thread-pool size, not a security setting; 150 is the value used in Tomcat's sample HTTPS connector. The two passwords stand in server.xml in clear text, so restrict read access to that file; "080302" is only the example password used throughout this article. These attributes are the Tomcat 5/6/7 form. On Tomcat 8.5 and later they are deprecated in favour of a nested <SSLHostConfig> element: certificateVerification="required" replaces clientAuth="true", truststoreFile and truststorePassword move onto <SSLHostConfig>, and the keystore is named by a nested <Certificate certificateKeystoreFile="..." certificateKeystorePassword="..." certificateKeyAlias="serverkey"/>.

III. Certificate generation
Make sure the folder exists before running the commands; for example, create the folder C:/keystore on the C drive.
Step one: generate the server certificate

Determine the domain name: the local domain-name resolution file is C:/Windows/System32/drivers/etc/hosts.
Use keytool to generate the certificate and keystore for Tomcat. Assuming the domain name of the target machine is "hepengfei", the keystore file is stored as "C:/keystore/server" and the password is "080302", the command is:
keytool -genkey -v -keystore C:/keystore/server -alias serverkey -keyalg RSA -validity 3650 -dname "CN=HEPENGFEI,OU=CN,O=CN,L=CN,ST=CN,C=CN" -storepass 080302 -keypass 080302

Two additions that current browsers need: add -ext SAN=dns:hepengfei,ip:127.0.0.1 so that the certificate carries a Subject Alternative Name (browsers no longer match the host name against CN, and the ip entry is what lets https://127.0.0.1 verify as well), and add -keysize 2048, because JDKs before 8 default to 1024-bit RSA keys, which browsers reject.

Export server.cer, which is installed on the client so that the client trusts the server:

keytool -export -keystore C:/keystore/server -alias serverkey -file C:/keystore/server.cer -storepass 080302

Step two: generate the client certificate

(Note: personal certificates are generated and used in a special, separate way: first generate a P12 file, then export a CER file from it, and then import that CER file into a keystore of keytool's default type, JKS. JKS was the default type up to JDK 8; since JDK 9 keytool's default type is PKCS12.)
This step generates a certificate for the browser so that the server can verify it. For the certificate to import successfully into IE and Firefox, the keystore format should be PKCS12, so generate it with the following command (add -keysize 2048 here too on older JDKs):
keytool -genkey -v -keystore C:/keystore/user.p12 -alias mypc -keyalg RSA -storetype PKCS12 -validity 3650 -dname "CN=MyPC,OU=CN,O=CN,L=CN,ST=CN,C=CN" -storepass 080302 -keypass 080302

For the server to trust the client certificate, the client certificate must be added to the server's trust store as a trusted entry. The trust store needs only the public certificate, never the client's private key, and a PKCS12 store cannot be imported as a trusted entry directly, so first export the client certificate as a separate CER file:

keytool -export -alias mypc -keystore C:/keystore/user.p12 -storetype PKCS12 -storepass 080302 -rfc -file C:/keystore/user.cer

Next, import C:/keystore/user.cer into the server's trust store as a trusted certificate (the first import creates the store):

keytool -import -v -file C:/keystore/user.cer -keystore C:/keystore/servertrust -alias user -storepass 080302

keytool prints the certificate and asks whether to trust it; enter "yes" to complete the import.
Check the result with the list command:
keytool -list -keystore C:/keystore/servertrust -storepass 080302

You may also put the server certificate and the trusted client certificates in one keystore and point keystoreFile and truststoreFile at the same file; keeping them separate makes the trust store a file of public certificates only, which can be copied around freely.

Step four: configure the Tomcat server

Open conf/server.xml under the Tomcat root directory and modify the connector as follows:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:/java/tomcat/conf/keystore/server" keystorePass="080302"
               truststoreFile="C:/java/tomcat/conf/keystore/servertrust" truststorePass="080302"
    />

Copy the two files generated above (C:/keystore/server and C:/keystore/servertrust) to C:/java/tomcat/conf/keystore/ first, or point keystoreFile and truststoreFile at C:/keystore/server and C:/keystore/servertrust directly.

The attributes are explained in detail in section II above.

Install the personal certificate user.p12 (password: 080302) into the browser's personal certificate store and the server certificate server.cer into its trusted root certificate store.
Start Tomcat, open https://hepengfei:8443/Test, and the page loads.

If the name registered in the server certificate is not 127.0.0.1 but hepengfei, accessing by IP (https://127.0.0.1:8443/Test) still brings up the client-certificate selection dialog, shown here as text:

Select a digital certificate

Name    Issuer
MyPC    MyPC

[More information]  [View certificate]

[OK]  [Cancel]

Choosing MyPC completes two-way authentication; the browser nevertheless warns about the server certificate, because the name in it does not match 127.0.0.1 (add ip:127.0.0.1 to the certificate's Subject Alternative Name to avoid this).

Points to note:

keytool -list -v -keystore C:/keystore/user.p12 -storetype PKCS12 -storepass 080302

A keystore used for an identity (server, user.p12) lists its entry as PrivateKeyEntry: it holds the private key.

A trust store (servertrust) lists its entries as trustedCertEntry: public certificates only.

ConvertKeyStoreType.java converts keystore types (a tool for converting between PKCS12 and JKS stores); since JDK 6 the built-in command keytool -importkeystore -srckeystore C:/keystore/user.p12 -srcstoretype PKCS12 -destkeystore C:/keystore/user.jks -deststoretype JKS does the same.

In total, HTTPS two-way authentication uses four files: server, servertrust, user.p12 (installed on the local computer) and server.cer.
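The behaviour described in section I, the effect of the procedure in section III and the name-mismatch note above can be reproduced without Tomcat or a JDK. The following Go program is an added example, not code from the original article or from Tomcat: it builds the same four artifacts in memory and runs the connection attempts. Go is used because its standard library creates keys and certificates and runs both ends of a TLS connection offline; each attempt uses a loopback TCP connection. The certificate names HEPENGFEI, hepengfei and MyPC follow the article; the Results struct, the handshake and Demo functions, the "impostor" certificate (same name as MyPC, different key, never imported) and the use of an ECDSA P-256 key instead of RSA are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Results of the demonstration: nil means the connection (or host-name check) was accepted.
type Results struct{ WithCert, NoCert, Impostor, HostByName, HostByIP error }

// selfSigned mirrors one "keytool -genkey" run: a fresh key pair and a self-signed certificate
// for cn, valid 3650 days; dnsNames fill the SAN, which browsers match the URL host against.
func selfSigned(cn string, dnsNames ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"CN"}, Country: []string{"CN"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // freshly created, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake connects once over loopback TCP. The server writes "ok" after a successful handshake
// and sends a TLS alert when it rejects the client; the client gets either from its first read.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			_, err = tls.Server(raw, serverCfg).Write([]byte("ok")) // Write runs the handshake first
		}
		serverErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		panic(err)
	}
	defer raw.Close()
	_, clientErr := tls.Client(raw, clientCfg).Read(make([]byte, 2)) // handshake, then "ok" or the alert
	if err := <-serverErr; err != nil {
		return err // the server's reason is the informative one, e.g. the client sent no certificate
	}
	return clientErr
}

// Demo builds the page's four artifacts in memory and tries the connections.
func Demo() Results {
	server := selfSigned("HEPENGFEI", "hepengfei") // keystore "server": the PrivateKeyEntry
	user := selfSigned("MyPC")                     // user.p12, installed in the browser
	impostor := selfSigned("MyPC")                 // same name, different key, never imported
	trust, roots := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(user.Leaf)   // servertrust after "keytool -import user.cer": a trustedCertEntry
	roots.AddCert(server.Leaf) // the browser's store after installing server.cer
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},       // keystoreFile / keystorePass
		ClientAuth:   tls.RequireAndVerifyClientCert, // clientAuth="true"
		ClientCAs:    trust,                          // truststoreFile / truststorePass
		MinVersion:   tls.VersionTLS12,
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: "hepengfei", Certificates: certs, MinVersion: tls.VersionTLS12}
	}
	return Results{
		WithCert:   handshake(serverCfg, client(user)),
		NoCert:     handshake(serverCfg, client()),
		Impostor:   handshake(serverCfg, client(impostor)),
		HostByName: server.Leaf.VerifyHostname("hepengfei"), // what https://hepengfei:8443/ checks
		HostByIP:   server.Leaf.VerifyHostname("127.0.0.1"), // fails: the SAN holds no ip:127.0.0.1
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with go run; a nil field means accepted. WithCert is nil, NoCert fails because the client presented no certificate, Impostor fails although the certificate's name is MyPC, because the server's trust store holds the imported certificate itself and not merely its name, and HostByIP fails until ip:127.0.0.1 is added to the server certificate's Subject Alternative Name, which is the situation of the IP-access note above.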
