I. Preparing the environment
Build platform: Linux + apache-tomcat-7.0.35.tar.gz
II. Generating the CA certificate
Create the directories:
# mkdir ca client server
No third-party (public) CA is used here; we act as our own CA and sign the certificates ourselves.
2.1 Create the private key
# openssl genrsa -out ca/ca-key.pem 1024
2.2 Create the certificate request
# openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TB
Organizational Unit Name (eg, section) []:TB
Common Name (eg, YOUR name) []:CA
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
2.3 Self-sign the certificate
# openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
2.4 Export the certificate to the browser-supported .p12 format
# openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Export password: 123456
III. Generating the server certificate
3.1 Create the private key
# openssl genrsa -out server/server-key.pem 1024
3.2 Create the certificate request
# openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TB
Organizational Unit Name (eg, section) []:TB
Common Name (eg, YOUR name) []:localhost    # this must be the IP address of the server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.3 Self-signed certificate
# openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
3.4 Export the certificate to the browser-supported .p12 format
# openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Export password: 123456
IV. Generating the client certificate
4.1 Create the private key
# openssl genrsa -out client/client-key.pem 1024
4.2 Create the certificate request
# openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TB
Organizational Unit Name (eg, section) []:TB
Common Name (eg, YOUR name) []:dong
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4.3 Self-signed certificate
# openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4.4 Export the certificate to the browser-supported .p12 format
# openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Export password: 123456
4.5 Generate a JKS truststore (Java keystore) from the CA certificate
# keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
# keytool -import -keystore truststore.jks -keypass 222222 -storepass 222222 -alias client -trustcacerts -file client/client-cert.pem
Imports the client certificate so that the server trusts it.
# keytool -list -v -keystore truststore.jks
Lists the keystore contents; password: 222222
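The script below is an added example, not part of the original post, and it goes one step beyond sections II to IV: in OpenSSL 1.0 and 1.1 the `x509` command treats `-signkey` as a request to self-sign the input, so when `-signkey` and `-CA`/`-CAkey` are both given (as in 3.3 and 4.3) the result is signed by the server's or client's own key and the CA options are ignored. That is why the truststore in 4.5 has to contain the client certificate itself. The example instead signs the server and client requests with the CA key only, exports the same PKCS#12 bundles, and then checks with `openssl verify` that each certificate chains to the CA. With CA-issued client certificates the truststore only needs the CA certificate, which also means Tomcat will accept every certificate that CA ever issues, so the CA key must be kept offline or tightly controlled. The scratch directory (`WORKDIR`), the `EXPORT_PASS` variable, the 2048-bit keys (the post uses 1024, which is too short today) and the non-interactive `-subj` strings are assumptions; the subject fields and the CNs `localhost` and `dong` are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): CA-signed server and client
# certificates, PKCS#12 export and chain verification with OpenSSL only.
# WORKDIR, EXPORT_PASS, 2048-bit keys and the -subj strings are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
EXPORT_PASS="${EXPORT_PASS:-123456}"   # the post's example password; change it
SUBJ_PREFIX="/C=CN/ST=BJ/L=BJ/O=TB/OU=TB"

# Section II: the self-signed CA certificate, created in one step with 'req -x509'.
make_ca() {
  mkdir -p "$WORKDIR/ca"
  openssl genrsa -out "$WORKDIR/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/ca/ca-key.pem" -out "$WORKDIR/ca/ca-cert.pem" \
    -days 3650 -subj "$SUBJ_PREFIX/CN=CA" 2>/dev/null
}

# Sections III/IV: private key, CSR, CA-signed certificate and PKCS#12 bundle.
# $1 = name ("server" or "client"), $2 = Common Name.
# There is deliberately no -signkey here: the CA key signs the request.
issue_cert() {
  mkdir -p "$WORKDIR/$1"
  openssl genrsa -out "$WORKDIR/$1/$1-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$1/$1-key.pem" -out "$WORKDIR/$1/$1-req.csr" \
    -subj "$SUBJ_PREFIX/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$1/$1-req.csr" \
    -CA "$WORKDIR/ca/ca-cert.pem" -CAkey "$WORKDIR/ca/ca-key.pem" -CAcreateserial \
    -days 3650 -out "$WORKDIR/$1/$1-cert.pem" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$WORKDIR/$1/$1-cert.pem" \
    -inkey "$WORKDIR/$1/$1-key.pem" -out "$WORKDIR/$1/$1.p12" \
    -passout "pass:$EXPORT_PASS"
}

# Prints the issuer CN of a certificate ("CA" when our CA issued it).
issuer_cn() {
  openssl x509 -in "$WORKDIR/$1/$1-cert.pem" -noout -issuer | sed 's/.*CN *= *//'
}

# Prints the subject CN stored in the PKCS#12 bundle, showing the export worked.
p12_subject_cn() {
  openssl pkcs12 -in "$WORKDIR/$1/$1.p12" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Exit status 0 when the certificate chains to the CA certificate, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca/ca-cert.pem" "$WORKDIR/$1/$1-cert.pem" >/dev/null 2>&1
}

main() {
  make_ca
  issue_cert server localhost   # CN must match the host name or IP clients connect to
  issue_cert client dong
  for n in server client; do
    if verify_chain "$n"; then ok=yes; else ok=no; fi
    printf '%s: issuer=%s p12_cn=%s chains_to_ca=%s\n' \
      "$n" "$(issuer_cn "$n")" "$(p12_subject_cn "$n")" "$ok"
  done
  echo "files written under $WORKDIR"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

Run it as `sh issue-certs.sh`; the printed `issuer=CA` and `chains_to_ca=yes` lines are what distinguish a CA-issued certificate from the self-signed result of the `-signkey` form. The `server/server.p12` and `client/client.p12` files it writes can be used exactly like the ones from 3.4 and 4.4, and for the truststore in 4.5 importing only `ca/ca-cert.pem` is then sufficient.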
V. Configuring Tomcat SSL
Edit conf/server.xml. Tomcat's default server.xml already contains a commented-out connector with SSLEnabled="true"; set keystoreFile and truststoreFile to the correct paths on your system.
Modify it as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/root/ca/server/server.p12" keystorePass="123456" keystoreType="PKCS12"
           truststoreFile="/root/ca/truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Attribute descriptions:
clientAuth: whether to require client authentication (mutual TLS); default false, set to true for two-way authentication
keystoreFile: path to the server certificate file
keystorePass: server certificate (keystore) password
truststoreFile: the root certificate used to verify client certificates, here the CA certificate
truststorePass: root certificate (truststore) password
VI. Client authentication
Start the Tomcat service, import client.p12 into the client browser, then access https://ip:8443
This article is from the "Linux" blog; please keep this source: http://520and519.blog.51cto.com/2254416/1683702
Tomcat bidirectional authentication Server Deployment