1. HTTPS One-way authentication principle
In "one-way authentication" the browser verifies that the server's certificate is legitimate and from that decides whether the website being accessed is trustworthy; the server does not verify the client. This is by far the most common form of authentication on the web today, used by sites such as GitHub, Google, Twitter and Facebook.
The two communicating parties in one-way authentication are shown below.
The communication process between them is shown below.
In words, the exchange is:
- The client connects to the server
- The server responds and sends its server certificate to the client
- The client checks the server certificate against its "Trusted Root Certification Authorities" store
- Once the server certificate passes verification, the client generates a key pair and a session key and negotiates the session key with the server
- When session-key negotiation is complete, encrypted communication begins
2. Prepare the Certificate
Two certificates are needed:
- The server certificate (for Tomcat, in JKS format)
- The CA root certificate
The server certificate is what the browser uses to authenticate the server; the CA root certificate is needed only so that the browser will trust the server certificate. There are many ways to generate a server certificate (keytool, OpenSSL and EJBCA all work); see my other posts for the specific steps, which are not repeated here. The server certificate I generated is named "Tomcat-win.jks" and the CA root certificate is named "RUXUECA.CRT".
3. Configure Tomcat
Edit "server.xml" in the tomcat/conf directory and find the following Connector; if it is commented out, remove the comment markers:
<!-- the maxThreads value could not be read from the original page; 150 is Tomcat's stock default -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\Download\tomcat-win.jks" keystorePass="123456" />
Set keystoreFile to the path of your certificate and keystorePass to its password, then start Tomcat. clientAuth="false" is what makes this one-way: the server presents its certificate but does not ask the browser for one.
4. Browser access
Enter https://localhost:8443 in the browser. The following error appears; click "Continue to this website (not recommended)".
Tomcat is now reachable, but a certificate error is still shown.
Click "Certificate Error" and the following information appears.
This is because the CA issued the certificate to the host "Win.ruxue.online", while the name we typed was "localhost", so the browser's hostname check fails. Edit the hosts file in the C:\Windows\System32\drivers\etc directory and add the following line:
127.0.0.1 Win.ruxue.online
Enter https://win.ruxue.online:8443 in the browser. The "There is a problem with this website's security certificate" error still appears, but clicking "Certificate Error" as before shows that the reason is now different.
This is because the CA that issued the "Tomcat-win.jks" certificate is not in the browser's "Trusted Root Certification Authorities" store, so the browser cannot build a chain to a trusted root and treats the certificate as untrusted. We need to import the CA root certificate "RUXUECA.CRT" into the browser's "Trusted Root Certification Authorities" store.
After the import succeeds, access https://win.ruxue.online:8443 again.
There is no longer any warning; click the green padlock to view the site's security certificate information.
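The two browser complaints in the walk-through above (the name typed does not match the certificate, and the issuing CA is not in the trusted root store) can be reproduced programmatically. The following is an added example written for this page, not code from the original post or from Tomcat: it implements the hostname check in the way browsers apply it (case-insensitive, SAN before CN, wildcard only as the whole left-most label) and builds a Python ssl client context that enforces both checks, with the CA file path as the equivalent of importing RUXUECA.CRT. The certificate dictionaries are constructed by hand in the shape `ssl.SSLSocket.getpeercert()` returns; the issuer name "RUXUECA" and any `ca_file` path are assumptions.

```python
"""Added example (not from the original post): the two checks a browser
performs in the walk-through above, done in Python with its ssl module.

1. Hostname check: does the name typed into the address bar match a name in
   the certificate?  This is why https://localhost:8443 is refused even
   though the certificate is valid for win.ruxue.online.
2. Trust check: a client context that only accepts chains ending in a
   trusted root, the programmatic equivalent of importing RUXUECA.CRT into
   the "Trusted Root Certification Authorities" store.

The certificate dictionaries below are constructed by hand in the shape that
ssl.SSLSocket.getpeercert() returns; they are not real certificates.
"""
import ssl


def dns_names(cert):
    """Names a certificate is valid for: the DNS entries of subjectAltName,
    or, only when the certificate has no SAN at all, the subject's commonName
    (legacy behaviour; current browsers ignore the CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard is accepted
    only as the entire left-most label (*.ruxue.online matches win.ruxue.online
    but not ruxue.online or a.b.ruxue.online)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when the typed host name matches at least one name in the cert."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def explain_mismatch(cert, hostname):
    """None when the name matches, otherwise the gist of the browser's complaint."""
    if hostname_matches(cert, hostname):
        return None
    return "certificate is for %s, but the address typed was %s" % (
        ", ".join(dns_names(cert)), hostname)


def make_client_context(ca_file=None):
    """Client-side context with both checks switched on: the chain must end in
    a trusted root and the name must match.  Passing ca_file (a hypothetical
    path to a root such as the page's RUXUECA.CRT) restricts trust to that
    root; with None the platform's default store is used."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True if the context verifies the chain and checks the host name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed stand-in for the certificate inside Tomcat-win.jks;
# the issuer name is an assumption.
SERVER_CERT = {
    "subject": ((("commonName", "win.ruxue.online"),),),
    "issuer": ((("commonName", "RUXUECA"),),),
    "subjectAltName": (("DNS", "win.ruxue.online"),),
}

if __name__ == "__main__":
    for typed in ("localhost", "win.ruxue.online"):
        print(typed, "->", explain_mismatch(SERVER_CERT, typed) or "name OK")
    print("strict client context:", context_is_strict(make_client_context()))
```

The hosts-file edit in the walk-through changes only what "win.ruxue.online" resolves to; it is `hostname_matches` that decides whether the browser stops complaining about the name, and the trusted-root import is what lets a context like `make_client_context` build a chain for the Tomcat certificate.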
Tomcat configuration HTTPS one-way authentication