Original from: http://liujy1111.blog.163.com/blog/static/49739712008842372293/
However, when I followed the steps there, the HTTPS service would not start and always reported that the certificate file does not exist or that its format is illegal. It took a long time to sort out; here, finally, is a summary.
Environment:
Software   Version                 Installation path
Tomcat     apache-tomcat-7.0.11    d:/tomcat/apache-tomcat-7.0.11
OpenSSL    OpenSSL 0.9.8k 2009     D:/openssl
JDK        jdk1.6.0_12             D:/program Files/java/jdk1.6.0_12
Description
My OpenSSL is a toolkit build: the directory contains only a few .exe files and .manifest files. The later steps also require the following preparation.
1. Copy an openssl.cnf configuration file from the openssl-x.x.x/apps directory of the full OpenSSL source package into D:/openssl.
2. Create four folders under D:/openssl: ca, jks, server, client.
3. The notes in the steps below mark the places where I ran into problems, or where my steps differ from the original text.
Begin:
One: Generate CA Certificate
No third-party certificate authority is used here; we act as our own CA.
Download OpenSSL from the web.
1. Create private key:
D:/openssl>openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
Note: when I performed this step I got an error about the missing OpenSSL configuration file, which is why we copied an openssl.cnf file here.
Of course, you can also pass a different full path with the -config parameter, or write a simple configuration file yourself. I am not going to write one ^_^.
D:/openssl>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:root
Email Address []:sky
3. Self-Signed certificate:
D:/openssl>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the browser-supported .p12 format:
D:/openssl>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: Changeit
Two. Generate the server certificate.
1. Create private key:
D:/openssl>openssl genrsa -out server/server-key.pem 1024
2. Create a certificate request:
D:/openssl>openssl req -new -out server/server-req.csr -key server/server-key.pem -config openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:localhost
Note: be sure to enter the address the server is reached by (its IP address or host name); this is a local test, so I wrote localhost.
Email Address []:sky
3. Sign the certificate request with the CA:
D:/openssl>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Note: the original command also passed -signkey server/server-key.pem together with the -CA options. In openssl x509 -req, -signkey takes precedence over -CA, so the resulting certificate would be self-signed rather than issued by the CA, and the browser could not chain it to the CA certificate imported in step Six. Leave -signkey out so the CA key actually signs it.
4. Export the certificate to the browser-supported .p12 format:
D:/openssl>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: Changeit
Three. Generate client certificates.
1. Create private key:
D:/openssl>openssl genrsa -out client/client-key.pem 1024
2. Create a certificate request:
D:/openssl>openssl req -new -out client/client-req.csr -key client/client-key.pem -config openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:sky
Email Address []:sky
Note: this is the user who logs in to the center (originally the user name should be the Common Name, but for some reason the Zhongshan police system uses the Email Address; the other variant was not tested).
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tsing
3. Sign the certificate request with the CA:
D:/openssl>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Note: as with the server certificate, do not add -signkey here; it would override the -CA options and produce a self-signed client certificate that the server's truststore cannot validate.
4. Export the certificate to the browser-supported .p12 format:
D:/openssl>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Password: Changeit
Four. Generate the JKS truststore from the CA certificate
d:/openssl>keytool -keystore c:/openssl/bin/jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:/openssl/bin/ca/ca-cert.pem
Note: the paths in this command come from the original text; adjust them to your own layout (for the environment above, jks/truststore.jks and ca/ca-cert.pem under D:/openssl).
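The four OpenSSL steps above, collected into one script as an added example (this is not the original post's command set). It runs the same CA, server and client procedure on a current openssl CLI and then checks the result the way a practitioner would before touching Tomcat: both end-entity certificates must chain to the CA, the server certificate must not be self-signed, and it must carry a subjectAltName for the host, since browsers match the host against the SAN rather than the Common Name. The directory layout, the subject fields, the CA name demo-root-ca, the 2048-bit key size (1024-bit RSA is no longer accepted by browsers) and the PKCS#12 password "changeit" are constructed for this demo; the keytool step is left to the command above.

```shell
#!/bin/sh
# Added example: private CA + CA-signed server and client certificates,
# with a verification pass. Requires only the openssl CLI.
# Layout, subjects, host names and the password are constructed for the demo.
set -eu

# Subject fields from the walkthrough, minus the Common Name.
BASE_SUBJ="/C=CN/ST=zhejiang/L=hangzhou/O=skyvision/OU=test"

# make_ca DIR: CA private key and self-signed root certificate.
# -signkey is correct here and only here: a root certificate signs itself.
make_ca() {
    mkdir -p "$1/ca"
    openssl genrsa -out "$1/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -key "$1/ca/ca-key.pem" -out "$1/ca/ca-req.csr" \
        -subj "$BASE_SUBJ/CN=demo-root-ca"
    # Mark the certificate as a CA; verifiers refuse to chain to a v3
    # certificate that lacks basicConstraints CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca/ca-ext.cnf"
    openssl x509 -req -in "$1/ca/ca-req.csr" -signkey "$1/ca/ca-key.pem" \
        -extfile "$1/ca/ca-ext.cnf" -days 3650 -out "$1/ca/ca-cert.pem" 2>/dev/null
}

# make_leaf DIR NAME CN EXTS: key, CSR, CA-signed certificate, PKCS#12 bundle.
# No -signkey: in "openssl x509 -req" it takes precedence over -CA/-CAkey and
# would silently yield a self-signed certificate (the trap in the post).
make_leaf() {
    dir=$1; name=$2; cn=$3; exts=$4
    mkdir -p "$dir/$name"
    openssl genrsa -out "$dir/$name/$name-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/$name/$name-key.pem" \
        -out "$dir/$name/$name-req.csr" -subj "$BASE_SUBJ/CN=$cn"
    printf '%s\n' "$exts" > "$dir/$name/$name-ext.cnf"
    openssl x509 -req -in "$dir/$name/$name-req.csr" \
        -CA "$dir/ca/ca-cert.pem" -CAkey "$dir/ca/ca-key.pem" -CAcreateserial \
        -extfile "$dir/$name/$name-ext.cnf" -days 3650 \
        -out "$dir/$name/$name-cert.pem" 2>/dev/null
    # Browser / Tomcat bundle; -clcerts keeps only this entity's certificate.
    openssl pkcs12 -export -clcerts -in "$dir/$name/$name-cert.pem" \
        -inkey "$dir/$name/$name-key.pem" -out "$dir/$name/$name.p12" \
        -passout pass:changeit
}

# build_pki DIR: the whole procedure. The server certificate gets a
# subjectAltName because browsers match the host against SAN, not CN.
build_pki() {
    make_ca "$1"
    make_leaf "$1" server localhost \
        'subjectAltName=DNS:localhost,IP:127.0.0.1
extendedKeyUsage=serverAuth'
    make_leaf "$1" client sky 'extendedKeyUsage=clientAuth'
}

# verify_pki DIR: prints "ok" only if both leaves chain to the CA, the server
# certificate is not self-signed, and its SAN carries localhost.
verify_pki() {
    ca="$1/ca/ca-cert.pem"; srv="$1/server/server-cert.pem"
    openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 \
        || { echo "server certificate does not chain to the CA" >&2; return 1; }
    openssl verify -CAfile "$ca" "$1/client/client-cert.pem" >/dev/null 2>&1 \
        || { echo "client certificate does not chain to the CA" >&2; return 1; }
    [ "$(openssl x509 -in "$srv" -noout -issuer)" != "$(openssl x509 -in "$srv" -noout -subject)" ] \
        || { echo "server certificate is self-signed" >&2; return 1; }
    openssl x509 -in "$srv" -noout -text | grep -q 'DNS:localhost' \
        || { echo "server certificate has no SAN for localhost" >&2; return 1; }
    echo ok
}

# Usage: build_pki ./pki-demo && verify_pki ./pki-demo
```

Running the original step 3 with both -signkey and -CA through verify_pki fails the "self-signed" check, which is the quickest way to tell whether the certificate Tomcat serves will chain to the CA the browser trusts.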
Five. Configure Tomcat SSL
Modify conf/server.xml. The original text gives the configuration for versions 5.5 and 6.0; I use 7.0, configured as follows.
XML code
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="Changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"
           SSLCertificateFile="../server-cert.pem"
           SSLCertificateKeyFile="../server-key.pem" />
The original configuration does not mention the last two attributes (SSLCertificateFile and SSLCertificateKeyFile); without them Tomcat always reported at startup that the certificate does not exist or is in an illegal format, for a long time =.=!
I only found out why later, when I saw these two attributes in the help document.
Four files are used here, each generated in a previous step. All four are placed in Tomcat's root directory.
server.p12 and truststore.jks must be placed under Tomcat's root directory.
server-cert.pem and server-key.pem are by default looked up in Tomcat's bin folder; I put them in the root directory, hence the relative path ../ here.
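An added example of the same settings split into the two connector types Tomcat 7 actually implements; this is not the post's configuration. The reason the keystore-only form failed is that with protocol="HTTP/1.1" Tomcat 7 auto-selects the APR/native connector whenever the Tomcat Native library is on the PATH, and that connector does not read keystoreFile/truststoreFile at all: it wants PEM files through SSLCertificateFile/SSLCertificateKeyFile, and it takes its client-certificate policy from SSLVerifyClient and SSLCACertificateFile rather than from clientAuth and the truststore. That is also the likely reason the client certificate was never checked at the end of the post. Naming the protocol class explicitly removes the guesswork. The paths below assume the files were copied to conf/ssl under the Tomcat installation; ${catalina.base} is expanded by Tomcat when server.xml is read. Only one of the two connectors should be active on a port.

```xml
<!-- Variant A: pure-Java (JSSE) connector, no Tomcat Native library.
     Uses the keystore-style attributes; the truststore decides which
     client certificates are accepted. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="true"
           keystoreFile="${catalina.base}/conf/ssl/server.p12"
           keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="${catalina.base}/conf/ssl/truststore.jks"
           truststorePass="222222" truststoreType="JKS" />

<!-- Variant B: APR/native connector. PEM files only; keystore*/truststore*
     attributes are ignored here. Client certificates are required and
     verified against the CA given in SSLCACertificateFile. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLProtocol="TLSv1"
           SSLCertificateFile="${catalina.base}/conf/ssl/server-cert.pem"
           SSLCertificateKeyFile="${catalina.base}/conf/ssl/server-key.pem"
           SSLCACertificateFile="${catalina.base}/conf/ssl/ca-cert.pem"
           SSLVerifyClient="require" SSLVerifyDepth="1" />
```

To confirm which behaviour you actually got, check the startup log for the line naming the protocol handler (Http11Protocol versus Http11AprProtocol), then connect with `openssl s_client -connect localhost:8443 -cert client/client-cert.pem -key client/client-key.pem -CAfile ca/ca-cert.pem`: a server that enforces client authentication lists the CA under "Acceptable client certificate CA names", and a correctly chained server certificate ends the output with "Verify return code: 0 (ok)". Note that the port speaks TLS, so the browser URL is https://localhost:8443/, not http://.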
Six. Import Certificate
Import ca.p12 and client.p12 into IE (open IE -> Internet Options -> Content -> Certificates).
Import ca.p12 under Trusted Root Certification Authorities and client.p12 under Personal.
Seven. Verify the SSL configuration by accessing your application at http://localhost:8443/; if it is configured correctly, a dialog box appears asking for your digital certificate.
Verification:
When I verified, I could still access http://localhost:8443 without importing ca.p12 and client.p12; it only warned that the certificate is not secure. Nothing has changed since the installation. The client is not being validated.