From: http://liujy1111.blog.163.com/blog/static/49739712008842372293/
However, when I followed the steps above, the HTTPS service would not start, and it kept complaining that the certificate file did not exist or its format was invalid. After a long time I finally got it working, so here is a summary.
Environment Information:
Software   Version                      Installation path
Tomcat     apache-tomcat-7.0.11         D:/tomcat/apache-tomcat-7.0.11
OpenSSL    0.9.8k 25 Mar 2009           D:/OpenSSL
JDK        jdk1.6.0_12                  D:/Program Files/Java/jdk1.6.0_12
Note:
My OpenSSL is the toolkit build, that is, the directory contains only some .exe files and .manifest files, so a few extra preparations are needed for the steps that follow:
1. Copy an openssl.cnf configuration file from the openssl-x.x.x/apps directory of the full OpenSSL source package into D:/OpenSSL.
2. Create four folders, ca, jks, server and client, under D:/OpenSSL.
3. In the steps below, red marks the problems I ran into or the places where I differ from the original text.
Start:
I. Generate a CA certificate
No third-party certification authority is used for authentication here; we act as our own CA.
Download OpenSSL.
1. Create a private key:
D:/OpenSSL> openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
Note: this step complained that the openssl.cnf file was missing, which is why we copied one here.
You can also use the -config parameter to point at a full path, or write a simple configuration file yourself. I won't write one. ^_^
D:/OpenSSL> openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:Root
Email Address []:sky
3. Self-signed certificate:
D:/OpenSSL> openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the .p12 format supported by the browser:
D:/OpenSSL> openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: changeit
II. Generate the server certificate
1. Create a private key:
D:/OpenSSL> openssl genrsa -out server/server-key.pem 1024
2. Create a certificate request:
D:/OpenSSL> openssl req -new -out server/server-req.csr -key server/server-key.pem -config openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:localhost
Note: you must enter the server's IP address here. (In red: this is a local test, so I enter localhost.)
Email Address []:sky
3. Sign the certificate with the CA:
D:/OpenSSL> openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format supported by the browser:
D:/OpenSSL> openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: changeit
III. Generate the client certificate
1. Create a private key:
D:/OpenSSL> openssl genrsa -out client/client-key.pem 1024
2. Create a certificate request:
D:/OpenSSL> openssl req -new -out client/client-req.csr -key client/client-key.pem -config openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:sky
Email Address []:sky
Note: this is the user in the login center (the user name should be the Common Name). For some reason, however, the Zhongshan Public Security system uses the Email Address instead (other versions not tested).

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Tsing
3. Sign the certificate with the CA:
D:/OpenSSL> openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format supported by the browser:
D:/OpenSSL> openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Password: changeit
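Sections I to III as one script. This is an added example written for this edit, not the post's own commands, and it deliberately differs from them in the ways a reviewer would flag: 2048-bit keys instead of 1024; a CA certificate that carries basicConstraints CA:TRUE; server and client certificates issued with -CA/-CAkey alone, because -signkey tells openssl x509 to self-sign the request, so a certificate produced with both options does not chain to the CA and will not pass a truststore check; a subjectAltName on the server certificate, which is what browsers match the host name against; and an explicit openssl verify at the end, the check the post never runs. The subject fields and the changeit password are taken from the post; the directory argument, the extension files and the function names (make_pki, issue_cert, verify_chain, issuer_of, has_san) are this example's own. It assumes a standard OpenSSL install with a default configuration file, so no -config is needed.

```shell
#!/bin/sh
# Added example (not from the original post): the CA / server / client
# procedure of sections I-III, with the fixes a reviewer would ask for.
# Subject values and the PKCS#12 password are constructed to match the post.
set -eu

SUBJ_BASE="/C=CN/ST=Zhejiang/L=Hangzhou/O=skyvision/OU=Test"
P12_PASS="changeit"

# issue_cert DIR NAME SUBJ EXTENSIONS: key + CSR + CA-issued certificate + PKCS#12.
# Note: -CA/-CAkey only. Adding -signkey would make openssl x509 self-sign the
# request and silently ignore the CA options.
issue_cert() {
  pki=$1; name=$2; subj=$3; exts=$4
  d="$pki/$name"
  openssl genrsa -out "$d/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$d/$name-key.pem" -subj "$subj" -out "$d/$name-req.csr"
  printf 'basicConstraints=CA:FALSE\n%s\n' "$exts" > "$d/$name-ext.cnf"
  openssl x509 -req -in "$d/$name-req.csr" \
      -CA "$pki/ca/ca-cert.pem" -CAkey "$pki/ca/ca-key.pem" -CAcreateserial \
      -extfile "$d/$name-ext.cnf" -days 3650 -out "$d/$name-cert.pem" 2>/dev/null
  # PKCS#12 that also carries the CA certificate (-certfile), for the Tomcat
  # keystore (server) or the browser's personal store (client).
  openssl pkcs12 -export -in "$d/$name-cert.pem" -inkey "$d/$name-key.pem" \
      -certfile "$pki/ca/ca-cert.pem" -passout "pass:$P12_PASS" -out "$d/$name.p12"
}

# make_pki DIR: create DIR/ca, DIR/server, DIR/client using the post's file names.
make_pki() {
  pki=$1
  mkdir -p "$pki/ca" "$pki/server" "$pki/client"

  # I. CA: key, request, self-signed CA certificate with CA:TRUE.
  openssl genrsa -out "$pki/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -key "$pki/ca/ca-key.pem" -subj "$SUBJ_BASE/CN=Root" \
      -out "$pki/ca/ca-req.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$pki/ca/ca-ext.cnf"
  openssl x509 -req -in "$pki/ca/ca-req.csr" -signkey "$pki/ca/ca-key.pem" \
      -extfile "$pki/ca/ca-ext.cnf" -days 3650 -out "$pki/ca/ca-cert.pem" 2>/dev/null
  # Only the CA *certificate* has to reach the browser's trusted-root store;
  # the CA private key stays on the CA machine, so no ca.p12 is exported here.

  # II. Server certificate. The SAN, not the CN, is what clients match the
  # host name against.
  issue_cert "$pki" server "$SUBJ_BASE/CN=localhost" \
      'extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1'

  # III. Client certificate; CN is the user name the post maps to the login user.
  issue_cert "$pki" client "$SUBJ_BASE/CN=sky" 'extendedKeyUsage=clientAuth'
}

# verify_chain DIR: succeed only if both issued certificates chain to ca-cert.pem.
# A certificate produced with -signkey (self-signed) fails this check.
verify_chain() {
  openssl verify -CAfile "$1/ca/ca-cert.pem" \
      "$1/server/server-cert.pem" "$1/client/client-cert.pem"
}

# issuer_of CERT: print the issuer DN; for CA-issued certificates it names CN=Root.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# has_san CERT NAME: succeed if the certificate lists DNS:NAME in its subjectAltName.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Run directly as:  sh make_pki.sh ./pki
if [ $# -gt 0 ]; then
  make_pki "$1"
  verify_chain "$1"
  issuer_of "$1/client/client-cert.pem"
fi
```

Run it as `sh make_pki.sh ./pki`. The same `openssl verify -CAfile ca/ca-cert.pem ...` is the first thing to run when Tomcat or the browser reports a certificate as untrusted: if a server or client certificate does not verify against the CA, no amount of server.xml editing will make the truststore accept it.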
IV. Generate a JKS file from the CA certificate
D:/OpenSSL> keytool -keystore C:/OpenSSL/bin/jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:/OpenSSL/bin/ca/ca-cert.pem
V. Configure Tomcat SSL
Modify conf/server.xml. The original text gives the configuration for versions 5.5 and 6.0; I use version 7.0, and my configuration is as follows.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"
           SSLCertificateFile="../server-cert.pem"
           SSLCertificateKeyFile="../server-key.pem"
           />
The part in red is not mentioned in the original text. When I started Tomcat, it kept reporting that the certificate does not exist or its format is invalid, for a long time =. =!
Later I found these two configuration items in the help documentation and located the cause.
Four files are used here, each generated in a previous step, and all four are stored in the Tomcat root directory.
The server.p12 and truststore.jks files marked in blue must be placed in the Tomcat root directory.
The server-cert.pem and server-key.pem marked in red are looked up under Tomcat's bin folder by default; I put them in the root directory, hence the relative path ../ here.
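Why two sets of attributes ended up in one connector. Tomcat 7 has two SSL implementations: the Java (JSSE) connector reads keystoreFile, truststoreFile and clientAuth, while the APR/native connector, which protocol="HTTP/1.1" selects automatically whenever the tcnative library is found, ignores those and reads SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile and SSLVerifyClient instead. A connector carrying both sets works with whichever implementation is picked, but only its JSSE half actually demands a client certificate: clientAuth="true" has no effect on the APR connector, and SSLVerifyClient is not set. If Tomcat was running the APR connector, that would explain why the browser was never asked for a certificate. The two connectors below are an added example, not the post's configuration: each pins its implementation explicitly so the choice no longer depends on which DLLs are present, and the APR variant adds the client-verification attributes. File names and passwords are the post's; placing the files under conf/ is this example's choice (for the JSSE connector, relative paths are resolved against CATALINA_BASE).

```xml
<!-- Added example, not from the original post: the same 8443 connector written
     once per Tomcat 7 SSL implementation. File names and passwords follow the
     post; the conf/ location is this example's assumption. -->

<!-- A. JSSE (Java) connector, pinned so Tomcat cannot switch to APR behind
     your back. Reads the PKCS#12 keystore and the JKS truststore; clientAuth
     is honoured here. Relative paths resolve against CATALINA_BASE. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="true"
           keystoreFile="conf/server.p12" keystorePass="changeit" keystoreType="PKCS12"
           truststoreFile="conf/truststore.jks" truststorePass="222222" truststoreType="JKS" />

<!-- B. APR/native connector, pinned. Reads the PEM files directly. clientAuth
     and the keystore attributes do nothing here: the client certificate is
     required by SSLVerifyClient and checked against SSLCACertificateFile. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLProtocol="TLSv1"
           SSLCertificateFile="conf/server-cert.pem"
           SSLCertificateKeyFile="conf/server-key.pem"
           SSLCACertificateFile="conf/ca-cert.pem"
           SSLVerifyClient="require" SSLVerifyDepth="1" />
```

Use one connector or the other, not both on the same port. With either form, a client that presents no certificate, or one not issued by ca-cert.pem, is refused at the TLS handshake, which is the behaviour the post expects from its section VII check.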
VI. Import certificates
Import ca.p12 and client.p12 into IE (IE > Internet Options > Content > Certificates).
Import ca.p12 into Trusted Root Certification Authorities and client.p12 into Personal.
VII. Verify the SSL configuration
Access your application at https://localhost:8443/.
If the configuration is correct, a dialog box asking for your digital certificate appears.
Verification:
During my verification, I accessed https://localhost:8443 without importing ca.p12 and client.p12, and it only warned that the certificate is not secure; after installing them it was still the same. Didn't I verify the client?