From: http://blog.csdn.net/aking21alinjuju/article/details/7654097
I. Generate a CA certificate
No third-party certificate authority is used here; we act as our own CA.
Prerequisites: download OpenSSL from the official site, www.openssl.org, and install it (the Windows and Linux packages differ).
Generating the certificates and keys
If the PATH environment variable has not been set, run the commands from OpenSSL's bin directory, for example C:/OpenSSL/bin.
If the environment variable has been set, the commands can be run from any directory.
Before running the commands, create the directories ca, server and client (the keytool step below also uses a jks directory).
1. Create a private key:
C:/OpenSSL/bin> openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
C:/OpenSSL/bin> openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:Root
Email Address []:sky
3. Self-signed certificate:
C:/OpenSSL/bin> openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the .p12 format supported by browsers (skip if not required):
C:/OpenSSL/bin> openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: changeit
II. Generate the server certificate
1. Create a private key:
C:/OpenSSL/bin> openssl genrsa -out server/server-key.pem 1024
2. Create a certificate request:
C:/OpenSSL/bin> openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:192.168.1.246    Note: be sure to enter the server's IP address here
Email Address []:sky
3. Sign the certificate request with the CA:
C:/OpenSSL/bin> openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format supported by browsers:
C:/OpenSSL/bin> openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: changeit
III. Generate the client certificate
1. Create a private key:
C:/OpenSSL/bin> openssl genrsa -out client/client-key.pem 1024
2. Create a certificate request:
C:/OpenSSL/bin> openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:sky
Email Address []:sky    Note: this is the user name used to log on to the system (the user name ought to be the Common Name, but for reasons unknown the Zhongshan Public Security project uses the Email Address; other versions have not been tested)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Tsing
3. Sign the certificate request with the CA:
C:/OpenSSL/bin> openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format supported by browsers:
C:/OpenSSL/bin> openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Password: changeit
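The three sections above, carried out end to end as an added example (this is not code from the original post). It is written for a POSIX shell, but the openssl arguments are the same on Windows. It reproduces the CA, server and client steps with the flags spelled out, then checks offline what the page otherwise leaves to the browser: the root is the only self-signed certificate (-signkey), the server and client certificates are issued by the CA (-CA/-CAkey), and both chain back to it for their TLS purpose. The IP 192.168.1.246, the DN values and the password changeit are the page's sample values reused as placeholders; the 2048-bit key size, the extension sections and the subjectAltName entry are additions, because a 1024-bit key and a CN-only server certificate are rejected by current browsers and JDKs.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the CA -> server ->
# client procedure with corrected openssl flags and verifies the result offline.
# Assumes `openssl` is on PATH. SERVER_IP and the DNs are the page's placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=3650
SERVER_IP=192.168.1.246

# Minimal config: `req` needs a distinguished_name section even with -subj, and
# the extension sections make the root a real CA and give each leaf the TLS
# purpose (serverAuth / clientAuth) and the SAN that modern clients check.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$SERVER_IP
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# $1 = name (ca|server|client), $2 = subject DN.
# 2048-bit RSA: the page's 1024-bit keys are refused by current TLS stacks.
key_and_csr() {
    mkdir -p "$WORK/$1"
    openssl genrsa -out "$WORK/$1/$1-key.pem" 2048 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1/$1-key.pem" \
        -subj "$2" -out "$WORK/$1/$1-req.csr"
}

make_ca() {
    key_and_csr ca "/C=CN/ST=Zhejiang/L=Hangzhou/O=skyvision/OU=Test/CN=Root"
    # -signkey signs the CSR with its own key: the one legitimately self-signed cert
    openssl x509 -req -in "$WORK/ca/ca-req.csr" -signkey "$WORK/ca/ca-key.pem" \
        -extfile "$WORK/openssl.cnf" -extensions ca_ext \
        -days "$DAYS" -out "$WORK/ca/ca-cert.pem" 2>/dev/null
}

# $1 = name (server|client), $2 = subject DN, $3 = extension section.
# -CA/-CAkey instead of -signkey: the leaf is issued by the root, which is what
# lets a browser that trusts ca.p12 accept the server and the server accept the client.
issue_leaf() {
    key_and_csr "$1" "$2"
    openssl x509 -req -in "$WORK/$1/$1-req.csr" \
        -CA "$WORK/ca/ca-cert.pem" -CAkey "$WORK/ca/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions "$3" \
        -days "$DAYS" -out "$WORK/$1/$1-cert.pem" 2>/dev/null
}

# $1 = cert, $2 = key, $3 = .p12 path. -passout replaces the interactive prompt.
export_p12() {
    openssl pkcs12 -export -clcerts -in "$1" -inkey "$2" -out "$3" -passout pass:changeit
}

# A self-signed certificate has identical subject and issuer hashes.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# $1 = cert, $2 = IP expected in subjectAltName.
has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Chain both leaves to the root with the purpose a TLS peer would apply.
verify_chain() {
    openssl verify -CAfile "$WORK/ca/ca-cert.pem" -purpose sslserver \
        "$WORK/server/server-cert.pem" >/dev/null &&
    openssl verify -CAfile "$WORK/ca/ca-cert.pem" -purpose sslclient \
        "$WORK/client/client-cert.pem" >/dev/null
}

build_all() {
    write_config
    make_ca
    issue_leaf server "/C=CN/ST=Zhejiang/L=Hangzhou/O=skyvision/OU=Test/CN=$SERVER_IP" server_ext
    issue_leaf client "/C=CN/ST=Zhejiang/L=Hangzhou/O=skyvision/OU=Test/CN=sky/emailAddress=sky" client_ext
    export_p12 "$WORK/ca/ca-cert.pem" "$WORK/ca/ca-key.pem" "$WORK/ca/ca.p12"
    export_p12 "$WORK/server/server-cert.pem" "$WORK/server/server-key.pem" "$WORK/server/server.p12"
    export_p12 "$WORK/client/client-cert.pem" "$WORK/client/client-key.pem" "$WORK/client/client.p12"
}

build_all
echo "certificates written to $WORK"
```

Run it as-is and the three .p12 files land in the ca, server and client subdirectories of a temporary directory (set WORK to choose another). With OpenSSL 3 the PKCS#12 export defaults to AES with PBKDF2, which very old Java or Windows releases cannot read; adding `-legacy` to the pkcs12 command switches back to the older algorithms if you still need to feed such a consumer.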
IV. Generate a JKS truststore from the CA certificate
C:/Java/jdk1.5.0_09/bin> keytool -keystore C:/OpenSSL/bin/jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:/OpenSSL/bin/ca/ca-cert.pem
V. Configure Tomcat SSL
Modify conf/server.xml. Tomcat 6 adds the SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths.
Tomcat 5.5 configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Tomcat 6.0 configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
VI. Import the certificates
Import ca.p12 and client.p12 into IE (Tools > Internet Options > Content > Certificates).
Import ca.p12 into Trusted Root Certification Authorities and client.p12 into Personal.
VII. Verify the SSL configuration by opening your application at https://ip:8443/. If the configuration is correct, a dialog box asking for your digital certificate appears.