Tomcat Bidirectional Authentication: Server Deployment

Source: Internet
Author: User
Tags: openssl x509 pkcs12

I. Preparing the environment

Build platform: Linux + apache-tomcat-7.0.35.tar.gz

II. Generating the CA certificate

Create the working directories:

# mkdir ca client server

No third-party authoritative CA is used here; we act as our own CA and sign the server and client certificates ourselves.

2.1 Creating the private key

# openssl genrsa -out ca/ca-key.pem 1024

2.2 Creating the certificate request

# openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TB
Organizational Unit Name (eg, section) []:TB
Common Name (eg, YOUR name) []:CA
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

2.3 Self-signing the CA certificate

# openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

2.4 Exporting the certificate to the browser-supported .p12 format

# openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

Password: 123456

III. Generating the server certificate

3.1 Creating the private key

# openssl genrsa -out server/server-key.pem 1024

3.2 Creating the certificate request

# openssl req -new -out server/server-req.csr -key server/server-key.pem

-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TB
Organizational Unit Name (eg, section) []:TB
Common Name (eg, YOUR name) []:localhost   # this must be the IP address (or hostname) at which clients reach the server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.3 Signing the server certificate with the CA

# openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

3.4 Exporting the certificate to the browser-supported .p12 format

# openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

Password: 123456

IV. Generating the client certificate

4.1 Creating the private key

# openssl genrsa -out client/client-key.pem 1024

4.2 Creating the certificate request

# openssl req -new -out client/client-req.csr -key client/client-key.pem

-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TB
Organizational Unit Name (eg, section) []:TB
Common Name (eg, YOUR name) []:dong
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4.3 Signing the client certificate with the CA

# openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

4.4 Exporting the certificate to the browser-supported .p12 format

# openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12

Password: 123456
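The whole of sections II to IV as one non-interactive script, with a chain check that mirrors what the truststore of section V does to a presented certificate. This is an added example, not the post's commands; it assumes openssl on PATH, and the scratch directory WORK, the helper names (make_ca, issue_cert, verify_cert, cert_subject, build_all) and the 2048-bit key size are this example's own choices (the post's 1024 bits is no longer considered adequate).

```shell
#!/bin/sh
# Added example (not the original post's commands): sections II-IV run non-interactively,
# plus the chain check a truststore holding ca-cert.pem performs on a presented certificate.
# Assumes openssl on PATH; subject fields follow the post, key size 2048 is our choice.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory, constructed for this example

# Create the CA: private key and a self-signed root certificate.
make_ca() {
  mkdir -p "$WORK/ca"
  openssl genrsa -out "$WORK/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/ca/ca-key.pem" \
      -subj "/C=CN/ST=BJ/L=BJ/O=TB/OU=TB/CN=CA" -out "$WORK/ca/ca-cert.pem"
}

# Issue a CA-signed leaf certificate and export cert+key as PKCS#12.
# $1 = name (server|client), $2 = Common Name, $3 = PKCS#12 export password
issue_cert() {
  name="$1"; cn="$2"; pw="$3"
  mkdir -p "$WORK/$name"
  openssl genrsa -out "$WORK/$name/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name/$name-key.pem" \
      -subj "/C=CN/ST=BJ/L=BJ/O=TB/OU=TB/CN=$cn" -out "$WORK/$name/$name-req.csr"
  # Sign with the CA key only: adding -signkey here would self-sign the request instead.
  openssl x509 -req -days 3650 -in "$WORK/$name/$name-req.csr" \
      -CA "$WORK/ca/ca-cert.pem" -CAkey "$WORK/ca/ca-key.pem" -CAcreateserial \
      -out "$WORK/$name/$name-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$name/$name-cert.pem" \
      -inkey "$WORK/$name/$name-key.pem" -passout "pass:$pw" -out "$WORK/$name/$name.p12"
}

# Return 0 only if the named certificate chains to our CA; anything else is rejected,
# which is what clientAuth="true" with this CA in the truststore enforces.
verify_cert() {
  openssl verify -CAfile "$WORK/ca/ca-cert.pem" "$WORK/$1/$1-cert.pem" >/dev/null 2>&1
}

# Subject of the named certificate, e.g. to confirm the server CN before deploying.
cert_subject() {
  openssl x509 -in "$WORK/$1/$1-cert.pem" -noout -subject
}

# Build everything the post describes: CA, server (CN=localhost) and client (CN=dong).
build_all() {
  make_ca
  issue_cert server localhost 123456
  issue_cert client dong 123456
  verify_cert server && verify_cert client
}
```

The resulting server.p12 and client.p12 are the files sections V and VI load into Tomcat and the browser respectively.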

4.5 Generating the JKS truststore (Java keystore) from the CA certificate

# keytool -import -trustcacerts -keystore truststore.jks -storepass 222222 -keypass 222222 -alias ca -file ca/ca-cert.pem

# keytool -import -trustcacerts -keystore truststore.jks -storepass 222222 -keypass 222222 -alias client -file client/client-cert.pem    -- import the client certificate so that the server trusts it (with the CA already trusted, any certificate that CA has signed is accepted, so this second import is not strictly required)

# keytool -list -v -keystore truststore.jks    -- view the keystore; password: 222222

V. Configuring Tomcat SSL

Modify conf/server.xml. The Tomcat HTTPS connector is switched on with the SSLEnabled="true" attribute; set keystoreFile and truststoreFile to the actual paths on your system.

XML code

Modify the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/root/ca/server/server.p12" keystorePass="123456" keystoreType="PKCS12"
           truststoreFile="/root/ca/truststore.jks" truststorePass="222222" truststoreType="JKS"/>

Property descriptions:

clientAuth: whether to require client (bidirectional) authentication; the default is false, set it to true for bidirectional authentication

keystoreFile: path to the server certificate (keystore) file

keystorePass: password of the server keystore

truststoreFile: the root certificate used to verify client certificates, in this case the CA certificate

truststorePass: password of the truststore

VI. Client verification

Start the Tomcat service, import the client.p12 certificate into the client's browser, and then access https://ip:8443. The server only completes the handshake for a client that presents a certificate chaining to the CA in the truststore; a browser without one is refused.



This article is from the "Linux" blog; please keep this source: http://520and519.blog.51cto.com/2254416/1683702
