Step one: Generate a certificate for the server
# keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/ac/web/tomcat.keystore -validity 36500
(Parameter brief description: "-keystore /usr/local/ac/web/tomcat.keystore" saves the keystore under /usr/local/ac/web/ with the file name tomcat.keystore; "-validity 36500" sets the certificate validity in days, 36500 being 100 years, while the default is 90 days. keytool then prompts for the certificate fields; answer the "first and last name" prompt with the host name clients will type, localhost in this walkthrough, because browsers match it against the address bar, and add -ext SAN=dns:localhost for browsers that ignore the CN and check only the Subject Alternative Name.)
Step two: Generate a certificate for the client
Generate a certificate for your browser so that the server can verify it. To import the certificate into IE and Firefox successfully, it must be in PKCS12 format (certificate and private key together), so generate it with the following command:
keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore /home/mykey.p12
Double-click the mykey.p12 file to import the certificate and its private key into the browser (client).
Step three: Have the server trust the client certificate
Because this is bidirectional SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's trust store. A PKCS12 keystore cannot be imported directly, so first export the client certificate as a separate CER file with the following command (the -storepass value is the password chosen in step two):
keytool -export -alias mykey -keystore /home/mykey.p12 -storetype PKCS12 -storepass password -rfc -file /home/mykey.cer
Import that file into the server's keystore (the one created in step one) as a trusted certificate:
keytool -import -v -file /home/mykey.cer -keystore /home/tomcat.keystore
To view the server's keystore, use the list command; it should now show both the tomcat entry (PrivateKeyEntry) and the mykey entry (trustedCertEntry):
keytool -list -keystore tomcat.keystore
Step four: Let the client trust the server certificate
Because this is bidirectional SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the browser's Trusted Root Certification Authorities store. A keystore file cannot be imported directly, so first export the server certificate as a separate CER file with the following command:
keytool -keystore tomcat.keystore -export -alias tomcat -file tomcat.cer
Double-click the tomcat.cer file, follow the prompts to install the certificate, and place it in Trusted Root Certification Authorities.
Step five: Configure the Tomcat server
Open conf/server.xml in the Tomcat root directory, locate the following Connector section and modify it as follows (this is the attribute form accepted by the Tomcat versions of the time; Tomcat 8.5 and later also accept the same settings inside a nested SSLHostConfig/Certificate element):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https"
           secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="test.keystore" keystorePass="123456"
           truststoreFile="test.keystore" truststorePass="123456"/>
Property description:
· clientAuth: whether to require bidirectional authentication; default false, set to true so that Tomcat rejects any handshake in which the client presents no certificate or one that does not chain to an entry in the truststore (Tomcat also accepts "want", which requests a certificate but does not require one)
· keystoreFile: path of the keystore holding the server certificate and its private key
· keystorePass: password of that keystore
· truststoreFile: keystore holding the certificates used to authenticate client certificates; in this example it is the server keystore itself, because the client certificate was imported into it in step three
· truststorePass: password of the truststore
Step six: Test
In the browser, enter:
https://localhost:8443/. A dialog will pop up asking you to select the client certificate; click "OK" and the Tomcat homepage will open, with a "lock" icon in the address bar, indicating that the session has been authenticated through two-way HTTPS. Everything transmitted for the rest of the session is encrypted with SSL.
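The browser test above only shows the positive case. The following Go program is an added example, not code from the original post, and it is Go rather than keytool or Tomcat so that the whole exchange runs offline without a JDK or a running server: it recreates the four keytool steps with in-memory self-signed certificates (aliases tomcat and mykey, plus a constructed "stranger" certificate that is never imported into the server's truststore) and then performs three handshakes against a loopback listener configured like the connector above (ClientAuth: RequireAndVerifyClientCert is Go's equivalent of clientAuth="true"). The function names, the "stranger" alias and the port-0 loopback listener are the example's own assumptions. It shows what the truststore import in step three actually buys: only the client whose certificate the server imported is accepted, while a client with no certificate or with an unimported one is refused.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds an RSA key plus a self-signed certificate for alias (its CN), the
// in-memory counterpart of "keytool -genkey -keyalg RSA"; generation failures panic.
func selfSigned(alias string, server bool) tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: alias},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"localhost"} // the host name typed in step six
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// BuildStores expresses the result of the four keytool steps as TLS configs: the Tomcat
// connector, and browsers keyed "mykey" (holds mykey.p12), "none" and "stranger".
func BuildStores() (*tls.Config, map[string]*tls.Config) {
	serverKP := selfSigned("tomcat", true)      // step one
	clientKP := selfSigned("mykey", false)      // step two
	strangerKP := selfSigned("stranger", false) // constructed; never imported anywhere
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	serverTrust := pool(clientKP.Leaf) // step three: keytool -import mykey.cer into tomcat.keystore
	clientTrust := pool(serverKP.Leaf) // step four: tomcat.cer into the browser's trusted roots
	browser := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: certs, RootCAs: clientTrust, ServerName: "localhost"}
	}
	server := &tls.Config{
		Certificates: []tls.Certificate{serverKP},
		ClientCAs:    serverTrust,
		ClientAuth:   tls.RequireAndVerifyClientCert, // Tomcat's clientAuth="true"
	}
	return server, map[string]*tls.Config{
		"mykey": browser(clientKP), "none": browser(), "stranger": browser(strangerKP),
	}
}

// TryHandshake runs one loopback connection and returns nil only when both sides finished.
// The server's verdict is decisive: under TLS 1.3 a client that omits its certificate
// completes its own half of the handshake and sees the rejection only later.
func TryHandshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake() // where ClientAuth is enforced
		}
		verdict <- err
	}()
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if conn != nil {
		defer conn.Close()
	}
	if serverErr := <-verdict; serverErr != nil {
		return fmt.Errorf("server: %w", serverErr)
	}
	if dialErr != nil {
		return fmt.Errorf("client: %w", dialErr)
	}
	return nil
}

func main() {
	server, browsers := BuildStores()
	for _, name := range []string{"mykey", "none", "stranger"} {
		fmt.Printf("%-9s -> %v\n", name, TryHandshake(server, browsers[name]))
	}
}
```

Running it prints nil for mykey and a server-side error for the other two (for example "tls: client didn't provide a certificate"). The same three cases are worth trying against the real connector once it is up: the browser with mykey.p12 installed, the browser without it, and a browser holding a certificate you never imported, which is what a misconfigured truststorePass or a stale truststoreFile would silently let through if clientAuth were left at false.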
Operation commands:
# keytool -genkey -alias tomcat -keyalg RSA -keystore /root/zhengshu/tomcat.keystore -validity 36500
# keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore /root/zhengshu/mykey.p12 -validity 36500
# keytool -export -alias mykey -keystore /root/zhengshu/mykey.p12 -storetype PKCS12 -storepass password -rfc -file /root/zhengshu/mykey.cer
# keytool -import -v -file /root/zhengshu/mykey.cer -keystore /root/zhengshu/tomcat.keystore
# keytool -list -keystore /root/zhengshu/tomcat.keystore
# keytool -keystore /root/zhengshu/tomcat.keystore -export -alias tomcat -file /root/zhengshu/tomcat.cer
Tomcat builds HTTPS bidirectional authentication