Reference: http://www.cnblogs.com/tyjsjl/p/3359255.html
Generate a CA-signed certificate KeyStore
keytool -genkey -alias ca_server -keyalg RSA -keystore ca_server.jks -validity 3600 -storepass 123456

keytool then asks for the distinguished name interactively:

What is your first and last name?
  [Unknown]:
What is your organizational unit name?
  [Unknown]:  itian
What is your organization name?
  [Unknown]:  itian
What is the name of your city or region?
  [Unknown]:  Beijing
What is the name of your state/province?
  [Unknown]:  Haidian
What is the two-letter country code for this unit?
  [Unknown]:  cn
Is CN=zhang, OU=zhang, O=zhang, L=xian, ST=shanxi, C=cn correct?
  [no]:  y
Enter key password for <zhy_server>
  (RETURN if same as keystore password):
Then export the certificate to a CER file:

keytool -export -alias ca_server -file zhy_server.cer -keystore ca_server.jks -storepass 123456
Then deploy it in the Connector of Tomcat's server.xml:

<Connector SSLEnabled="true" acceptCount="..." clientAuth="false" disableUploadTimeout="true" enableLookups="true"
    keystoreFile="D:/tomcat/conf/ca/twt_server.jks" keystorePass="123456"
    maxSpareThreads="..." maxThreads="..." minSpareThreads="5" port="8848"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />

After this, the site can be accessed over HTTPS at the corresponding URL.
For two-way authentication we also need to generate the client's CER and keystore. They are generated the same way as above, although the information entered need not be the same. Assuming we have generated ca_client.jks and ca_client.cer, the CER needs special handling: it has to be imported into a truststore that the server will use to check client certificates. The command is as follows:

keytool -import -alias ca_client -file ca_client.cer -keystore ca_client_for_sever.jks

The Connector configuration then changes as follows (clientAuth becomes "true" and truststoreFile points at the truststore just created):

<Connector SSLEnabled="true" acceptCount="..." clientAuth="true" disableUploadTimeout="true" enableLookups="true"
    keystoreFile="D:/tomcat/conf/ca/twt_server.jks" keystorePass="123456"
    maxSpareThreads="..." maxThreads="..." minSpareThreads="5" port="8848"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"
    truststoreFile="D:/tomcat/conf/ca/ca_client_for_sever.jks" />
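As an added example (not code from the original post), the whole keytool procedure above, one-way and two-way, as a non-interactive shell script. It assumes a JDK keytool on PATH; the aliases, passwords and distinguished names are constructed sample values, and truststorePass is a Tomcat Connector attribute the post itself does not show. The part a practitioner would want beyond the post is the fingerprint check: since -noprompt skips keytool's "Trust this certificate?" question, the script compares the SHA-256 fingerprint of the exported .cer with the entry that actually landed in the server truststore.

```shell
#!/bin/sh
# Added example, not code from the original post: the keytool workflow above,
# made non-interactive and self-checking. Assumes a JDK keytool on PATH.
# All aliases, passwords and distinguished names are constructed sample values.
set -eu

# Generate a keystore holding a fresh RSA key pair and a self-signed certificate.
# -dname replaces the interactive "What is your first and last name?" prompts.
# Usage: gen_keystore ALIAS KEYSTORE "CN=..., O=..., C=.." STOREPASS
gen_keystore() {
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 3600 \
        -keystore "$2" -storetype JKS -storepass "$4" -keypass "$4" -dname "$3"
}

# Export only the certificate (public half) to a .cer file.
# Usage: export_cert ALIAS KEYSTORE STOREPASS OUT.cer
export_cert() {
    keytool -exportcert -alias "$1" -keystore "$2" -storepass "$3" -file "$4"
}

# Import a .cer into a truststore as a trusted entry. -noprompt answers the
# "Trust this certificate?" question, so the caller must verify the fingerprint.
# Usage: import_trusted ALIAS IN.cer TRUSTSTORE STOREPASS
import_trusted() {
    keytool -importcert -noprompt -alias "$1" -file "$2" \
        -keystore "$3" -storetype JKS -storepass "$4"
}

# SHA-256 fingerprint of a .cer file (the "SHA256:" line of keytool -printcert).
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# SHA-256 fingerprint of the entry stored under ALIAS in KEYSTORE.
# Usage: entry_fingerprint ALIAS KEYSTORE STOREPASS
entry_fingerprint() {
    keytool -list -v -alias "$1" -keystore "$2" -storepass "$3" \
        | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Tomcat <Connector> fragment for two-way TLS using the files built in DIR.
# truststorePass is a real Connector attribute that the post does not show.
connector_fragment() {
    cat <<EOF
<Connector SSLEnabled="true" clientAuth="true" port="8848" scheme="https" secure="true"
    protocol="org.apache.coyote.http11.Http11NioProtocol" sslProtocol="TLS"
    keystoreFile="$1/ca_server.jks" keystorePass="123456"
    truststoreFile="$1/ca_client_for_sever.jks" truststorePass="123456" />
EOF
}

# Whole procedure in directory DIR: server keystore + cert, client keystore +
# cert, server truststore containing the client cert. Returns 0 only when the
# certificate held by the truststore is the one the client exported.
build_mutual_tls() {
    dir=$1
    gen_keystore ca_server "$dir/ca_server.jks" \
        "CN=localhost, OU=itian, O=itian, L=Beijing, ST=Beijing, C=CN" 123456
    export_cert ca_server "$dir/ca_server.jks" 123456 "$dir/ca_server.cer"
    gen_keystore ca_client "$dir/ca_client.jks" \
        "CN=client, OU=itian, O=itian, L=Beijing, ST=Beijing, C=CN" 123456
    export_cert ca_client "$dir/ca_client.jks" 123456 "$dir/ca_client.cer"
    import_trusted ca_client "$dir/ca_client.cer" "$dir/ca_client_for_sever.jks" 123456
    fp=$(cert_fingerprint "$dir/ca_client.cer")
    [ -n "$fp" ] && \
      [ "$fp" = "$(entry_fingerprint ca_client "$dir/ca_client_for_sever.jks" 123456)" ]
}
```

Run build_mutual_tls on an empty directory, then paste the output of connector_fragment into server.xml. Every step is driven by flags, so the distinguished name you confirm is the one keytool actually stores, which avoids the mismatch between the answers typed and the DN echoed back that the interactive session above shows.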
For two-way authentication on an Android client: Android only recognizes the BKS keystore format, so the client keystore must be converted to BKS with the appropriate tools. The client then trusts the server certificate(s) passed in and presents its own key from ca_client.bks:

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

// mContext is the Android Context of the enclosing class (for example an Activity field).
public void setCertificates(InputStream... certificates) {
    try {
        // Build an in-memory trust store containing the server certificate(s) passed in
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null);
        int index = 0;
        for (InputStream certificate : certificates) {
            String certificateAlias = Integer.toString(index++);
            keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
            try {
                if (certificate != null) certificate.close();
            } catch (IOException e) {
            }
        }
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);

        // Initialise the client keystore (BKS) holding the client's own key and certificate
        KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        clientKeyStore.load(mContext.getAssets().open("ca_client.bks"), "123456".toCharArray());
        KeyManagerFactory keyManagerFactory =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(clientKeyStore, "123456".toCharArray());

        sslContext.init(keyManagerFactory.getKeyManagers(),
                        trustManagerFactory.getTrustManagers(), new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        // Only accept "localhost" as the host name (the test setup used in this post)
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession sslSession) {
                if ("localhost".equals(hostname)) {
                    return true;
                } else {
                    return false;
                }
            }
        });
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Read a CER certificate

import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class ReadCer {
    public static void main(String[] args) throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        FileInputStream bais = new FileInputStream("srca.cer");
        X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(bais);
        bais.close();
        System.out.println("Version number " + cert.getVersion());
        System.out.println("Serial number " + cert.getSerialNumber().toString(16));
        System.out.println("Full name " + cert.getSubjectDN());
        System.out.println("Issuer full name " + cert.getIssuerDN());
        System.out.println("Valid starting date " + cert.getNotBefore());
        System.out.println("Expiry date " + cert.getNotAfter());
        System.out.println("Signature algorithm " + cert.getSigAlgName());
        byte[] sig = cert.getSignature();
        // signum 1: print the signature bytes as an unsigned hex number
        System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
        PublicKey pk = cert.getPublicKey();
        System.out.println("PublicKey: " + Base64.getEncoder().encodeToString(pk.getEncoded()));
    }
}
If you read it from the keystore instead:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class ReadFromKeyStore {
    public static void main(String[] args) throws Exception {
        String pass = "080302";
        String alias = "mykey";
        String name = ".keystore";
        FileInputStream in = new FileInputStream(name);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, pass.toCharArray());
        Certificate c = ks.getCertificate(alias);
        in.close();
        System.out.println(c.toString());
    }
}
Tomcat OpenSSL custom Signing certificate generation and deployment