Tomcat OpenSSL custom Signing certificate generation and deployment

Source: Internet
Author: User

Reference

http://www.cnblogs.com/tyjsjl/p/3359255.html


Generate a CA-signed certificate KeyStore

keytool -genkey -alias ca_server -keyalg RSA -keystore ca_server.jks -validity 3600 -storepass 123456
What is your first and last name?
  [Unknown]:
What is your organizational unit name?
  [Unknown]:  itian
What is your organization name?
  [Unknown]:  itian
What is the name of your city or region?
  [Unknown]:  Beijing
What is the name of your state/province?
  [Unknown]:  Haidian
What is the two-letter country code for this unit?
  [Unknown]:  cn
Is CN=zhang, OU=zhang, O=zhang, L=xian, ST=shanxi, C=cn correct?
  [no]:  y
Enter key password for <zhy_server>
        (RETURN if same as keystore password):

Then export the server certificate from the keystore to a CER file

keytool -export -alias ca_server -file zhy_server.cer -keystore ca_server.jks -storepass 123456

Then deploy it by adding an HTTPS connector to Tomcat's server.xml

<!-- keystoreFile must point at the keystore generated above (ca_server.jks in this example).
     acceptCount, maxThreads and maxSpareThreads are also set in the original, but their values are not legible. -->
<Connector SSLEnabled="true"
           clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="true"
           keystoreFile="D:/tomcat/conf/ca/twt_server.jks"
           keystorePass="123456"
           minSpareThreads="5"
           port="8848"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS" />

After this the server can be reached over HTTPS on port 8848 at the corresponding URL.


For two-way (mutual) authentication the client also needs its own CER file and keystore. They are generated the same way as above, although the subject details need not be the same. Assume this produced

ca_client.jks and ca_client.cer. The client's CER needs one extra step: it must be imported into a separate keystore that the server will use as its trust store. The command is as follows

keytool -import -alias ca_client -file ca_client.cer -keystore ca_client_for_sever.jks

The configuration changes are as follows

<!-- clientAuth="true" makes Tomcat require a client certificate; truststoreFile is the keystore the client CER was imported into.
     acceptCount, maxThreads and maxSpareThreads are also set in the original, but their values are not legible. -->
<Connector SSLEnabled="true"
           clientAuth="true"
           disableUploadTimeout="true"
           enableLookups="true"
           keystoreFile="D:/tomcat/conf/ca/twt_server.jks"
           keystorePass="123456"
           minSpareThreads="5"
           port="8848"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           truststoreFile="D:/tomcat/conf/ca/ca_client_for_sever.jks" />

On the client side, taking Android as an example: Android only recognizes the BKS keystore type, so ca_client.jks must first be converted to BKS with an appropriate tool. The client code then looks like this.


import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

// certificates: the server CER file(s) exported above, opened as streams.
// mContext: the Android Context of the enclosing class (used to open assets).
public void setCertificates(InputStream... certificates) {
    try {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        // Trust store: an empty keystore filled with the server certificate(s).
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null);
        int index = 0;
        for (InputStream certificate : certificates) {
            String certificateAlias = Integer.toString(index++);
            keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
            try {
                if (certificate != null)
                    certificate.close();
            } catch (IOException e) {
            }
        }
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        // Client keystore (BKS on Android) holding the client's private key and certificate.
        KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        clientKeyStore.load(mContext.getAssets().open("ca_client.bks"), "123456".toCharArray());
        KeyManagerFactory keyManagerFactory =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(clientKeyStore, "123456".toCharArray());
        // Key managers present the client certificate; trust managers verify the server's.
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(),
                new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        // Only accept the host name used in this example; the server certificate has no host name in it.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession sslSession) {
                return "localhost".equals(hostname);
            }
        });
    } catch (Exception e) {
        e.printStackTrace();
    }
}

Reading a CER certificate

import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
FileInputStream bais = new FileInputStream("Srca.cer");
X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(bais);
bais.close();
System.out.println("Version number: " + cert.getVersion());
System.out.println("Serial number: " + cert.getSerialNumber().toString(16));
System.out.println("Subject: " + cert.getSubjectDN());
System.out.println("Issuer: " + cert.getIssuerDN());
System.out.println("Valid from: " + cert.getNotBefore());
System.out.println("Expiry date: " + cert.getNotAfter());
System.out.println("Signature algorithm: " + cert.getSigAlgName());
byte[] sig = cert.getSignature();
System.out.println("Signature: " + new BigInteger(sig).toString(16));
PublicKey pk = cert.getPublicKey();
System.out.println("PublicKey: " + Base64.getEncoder().encodeToString(pk.getEncoded()));

If you read the certificate from the KeyStore instead

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

String pass = "080302";
String alias = "MyKey";
String name = ".keystore";
FileInputStream in = new FileInputStream(name);
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(in, pass.toCharArray());
Certificate c = ks.getCertificate(alias);
in.close();
System.out.println(c.toString());
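The following is an added example, not code from the original post: a small Java check that ties the stores above together by loading ca_server.jks, ca_client.jks and ca_client_for_sever.jks, printing each certificate's validity window, signature algorithm and SHA-256 fingerprint, and confirming that the certificate the client will present is actually an entry in the server's trust store. It assumes all three stores use the password 123456 and that the client key was generated under the alias ca_client; adjust these if your values differ.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Date;

public class MutualTlsStoreCheck {
    // Hex SHA-256 fingerprint of the DER encoding, the value "keytool -list -v" prints.
    static String fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }
    // Prints validity, signature algorithm and fingerprint; warns on short RSA keys.
    static void inspect(String label, X509Certificate cert) throws Exception {
        if (cert == null) { System.out.println(label + ": alias not found in keystore"); return; }
        Date now = new Date();
        boolean validNow = !now.before(cert.getNotBefore()) && !now.after(cert.getNotAfter());
        System.out.println(label + ": subject=" + cert.getSubjectX500Principal()
                + " sigalg=" + cert.getSigAlgName() + " validNow=" + validNow
                + " notAfter=" + cert.getNotAfter() + " sha256=" + fingerprint(cert));
        if (cert.getPublicKey() instanceof RSAPublicKey
                && ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() < 2048)
            System.out.println("  WARNING: RSA key shorter than 2048 bits");
    }
    public static void main(String[] args) throws Exception {
        char[] pass = "123456".toCharArray();  // assumed: same -storepass for all three stores
        KeyStore server = load("ca_server.jks", pass);       // what Tomcat serves (keystoreFile)
        inspect("server", (X509Certificate) server.getCertificate("ca_server"));
        KeyStore client = load("ca_client.jks", pass);       // what the client presents
        X509Certificate clientCert = (X509Certificate) client.getCertificate("ca_client"); // alias assumed
        inspect("client", clientCert);
        KeyStore trust = load("ca_client_for_sever.jks", pass);  // Tomcat's truststoreFile
        boolean trusted = false;
        for (String alias : Collections.list(trust.aliases())) {
            Certificate t = trust.getCertificate(alias);
            // Certificate.equals compares DER encodings, so this is an exact-certificate match.
            if (t != null && clientCert != null && t.equals(clientCert)) trusted = true;
        }
        System.out.println("client cert present in server trust store: " + trusted);
    }
}
```

If the last line prints false, the server will reject the client's handshake even though clientAuth="true" is set, because the trust store does not contain the certificate the client actually presents.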

