Tomcat OpenSSL custom Signing certificate generation and deployment

Reference

Http://www.cnblogs.com/tyjsjl/p/3359255.html

Generate a CA-signed certificate KeyStore

keytool-genkey-alias ca_server-keyalg rsa-keystore ca_server.jks-validity 3600-storepass 123456 What is your first and last name?  [unknown]:   What is your organizational unit name?  [unknown]:  itian What is your organization name?  [unknown]:  itian What is the name of your city or region?  [unknown]:   Beijing What is the name of your state/province?  [unknown]:   Haidian What is the two-letter country code for this unit?  [unknown]:  cn Cn=zhang, Ou=zhang, O=zhang, L=xian, St=shanxi, c=cn correct?  [No]:  y input <zhy_server>Key password (if same as KeyStore password, press ENTER):

Then generate a CER certificate

keytool-export-alias ca_server-file zhy_server.cer-keystore ca_server.jks-storepass 123456

Then deploy

<connector sslenabled= "true"   Acceptcount= " clientauth=" false "    disableuploadtimeout=" true "      enablelookups= "true"      keystorefile= "D:/tomcat/conf/ca/twt_server.jks"      keystorepass= "123456"      maxsparethreads= " "     maxthreads= "     minsparethreads=" 5 "      port= "8848"      protocol= "Org.apache.coyote.http11.Http11NioProtocol"      scheme= "https"      secure= "true"       sslprotocol= "TLS" &NBSP;&NBSP;&NBSP;&NBSP;/> 

Such access, through the corresponding URL, such as ? ? ? ? HTTPS will be able to access it.

for two-way authentication , we also need to generate the client's CER and KeyStore, which are generated the same way as above, but the information is not necessarily the same, assuming we have generated

Ca_client.jks and Ca_client.cer, but CER needs special handling, the command is as follows

Keytool-import-alias ca_client-file Ca_client.cer-keystore Ca_client_for_sever.jks

The configuration changes are as follows

<connector sslenabled= "true"   Acceptcount= " clientauth=" false "    disableuploadtimeout=" true "      enablelookups= "true"      keystorefile= "D:/tomcat/conf/ca/twt_server.jks"      keystorepass= "123456"      maxsparethreads= " "     maxthreads= "     minsparethreads=" 5 "      port= "8848"      protocol= "Org.apache.coyote.http11.Http11NioProtocol"      scheme= "https"      secure= "true"       sslprotocol= "TLS"     clientauth= "true"              truststorefile= "D:/tomcat/conf/ca/ca_client_for_sever.jks"       /> 

Two-way authentication, with Android as an example, Android only recognizes BKS, so it needs to be converted to BKS with the appropriate tools.

Public void setcertificates (inputstream... certificates) {    try     {        certificatefactory certificatefactory  = certificatefactory.getinstance ("        keystore");  keystore = keystore.getinstance (Keystore.getdefaulttype ());         keystore.load (null);         int index =  0;        for  (inputstream certificate :  Certificates)         {             string certificatealias = integer.tostring (index++);             keystore.setcertificateentry (certificateAlias,  Certificatefactory.generatecertifIcate (certificate));            try             {                 if  (certificate != null)                       Certificate.close ();            } catch  (ioexception e)             {             }        }         sslcontext sslcontext = sslcontext.getinstance ( "TLS");         trustmanagerfactory trustmanagerfactory =  trustmanagerfactory. &nbsP;              getinstance ( Trustmanagerfactory.getdefaultalgorithm ());         Trustmanagerfactory.init (keyStore);         //initialization keystore         keystore clientkeystore = keystore.getinstance ( Keystore.getdefaulttype ());         clientkeystore.load ( Mcontext.getassets (). Open ("Ca_client.bks"),  "123456". ToCharArray ());         keymanagerfactory keymanagerfactory = keymanagerfactory.getinstance ( Keymanagerfactory.getdefaultalgorithm ());         Keymanagerfactory.init (clientkeystore,  "123456". ToCharArray ());         sslcontext.init (Keymanagerfactory.getkeymanagers (),  trustmanagerfactory.gettrustmanagers (),   New securerandom ());                httpsurlconnection.setdefaultsslsocketfactory (Sslcontext.getsocketfactory ());                               httpsurlconnection.setdefaulthostnameverifier (new  Hostnameverifier ()  {                  @Override         public boolean verify (String  hostname, sslsession sslsession)  {                if ("localhost". Equals (hostname)) {               return true;           } else {              return false;           }        }   });    } catch  (exception e)     {         e.printstacktrace ();     } }

Read CER certificate

Certificatefactory certificatefactory = certificatefactory.getinstance ("the"); Fileinputstream bais = new fileinputstream ("Srca.cer"); x509certificate cert =  (X509Certificate)  certificatefactory.generatecertificate (Bais); Bais.close (); SYSTEM.OUT.PRINTLN ("version number  "  + cert.getversion ()); SYSTEM.OUT.PRINTLN ("Serial number  "  + cert.getserialnumber (). toString (16)); System.out.println ("Full name  "  + cert.getsubjectdn ()); System.out.println ("Issuer full name n"  + cert.getissuerdn ()); SYSTEM.OUT.PRINTLN ("Valid Starting Date  "  + cert.getnotbefore ()); System.out.println ("Expiry date  "  + cert.getnotafter ()); SYSTEM.OUT.PRINTLN ("Signature Algorithm  "  + cert.getsigalgname ());byte[] sig =  Cert.getsignature (); System.out.println ("Signature:"  + new biginteger (SIG). ToString (16)); Publickey pk = cert.getpublickey (); System.out.println ("PublicKey:" + base64.getencoder (). Encodetostring (Pk.getencoded ())); 

If you read from the KeyStore

String pass= "080302";           String alias= "MyKey";           String name= ". KeyStore";           FileInputStream in=new FileInputStream (name);                      KeyStore ks=keystore.getinstance ("JKS");           Ks.load (In,pass.tochararray ());           Certificate C=ks.getcertificate (alias);          In.close (); System.out.println (C.tostring ());

Tomcat OpenSSL custom Signing certificate generation and deployment