Tomcat to configure HTTPS to generate security certificates

Source: Internet
Author: User
Tags dname pkcs12 rfc

Configuring SSL bidirectional authentication in Tomcat 6 is fairly easy, and this article describes how to use the Keytool of the JDK to configure two-way SSL authentication for Tomcat. and realize the requirement of batch generating certificate system: JDK 5.0
Tomcat 6.0.16
To start the command line:
First step: Generate a certificate for the serveruse Keytool to generate a certificate for Tomcat, assuming that the domain name of the target machine is localhost or "192.168.1.1", keystore file is stored in "D:/downloads/tomcat.keystore" and the password is " LOGISCN, use the following command to generate: keytool-genkey-v-alias tomcat-keyalg rsa-keystore d:/downloads/tomcat.keystore-dname "CN=192.168.1.1,OU= LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass logiscn-keypass logiscn
if the domain name of the server where Tomcat is not "localhost", it should be changed to the corresponding domain name, such as [Url]www.baidu.com[/url] or IP address, otherwise the browser will pop up a warning window, prompting the user certificate does not match the domain.
Step two: Generate a certificate for the client The next step is to generate a certificate for the browser so that the server can verify it. Assuming the file is stored in D:/DOWNLOADS/P12/TIANLI.P12, in order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate:keytool-genkey-v-alias tianli-keyalg rsa-storetype pkcs12-keystore d:/downloads/p12/tianli.p12-dname "CN=tianli , OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass tianli-keypass Tianli"-validity is the expiration date, the current setting is 10, Keypass is used to import the browser password, if the password is incorrect, it will not be imported into the browser correctly.
The corresponding certificate inventory is placed in "D:/DOWNLOADS/P12/TIANLI.P12", and the client's CN can be any value. Step Three: Have the server trust the client certificate

because it is a two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added as the server's trust authentication. Since the PKCS12 format certificate library cannot be imported directly, we must first export the client certificate as a separate CER file, using the following command:keytool-export-alias tianli-keystore d:/downloads/p12/tianli.p12-storetype pkcs12-storepass tianli-rfc-file D: /downloads/cert/tianli.cer 
with the above command, the client certificate is exported to the "D:/downloads/cert/tianli.cer r" file. The next step is to import the file into the certificate Library of the server and add it as a Trust certificate: keytool-import-alias tianli-v-file d:/downloads/cert/tianli.cer-keystore D:/downloads/tomcat.keystore- Storepass LOGISCN <myint.infbecause in the import process need to enter Y or N here directly using a file Myint.inf instead of input, Myint.inf is a text file, inside the content only Y and a carriage return
using the List command to view the server's certificate library, we can see two inputs, one server certificate and one trusted client certificate:
Fourth Step: Configure the Tomcat server

Open the/conf/server.xml under the Tomcat root directory and locate the following configuration section, as follows:
Open Comments
<connector port= "443" protocol= "http/1.1" sslenabled= "true"
maxthreads= "scheme=" "https" secure= "true"
clientauth= "true" sslprotocol= "TLS "
keystorefile= "D:/downloads/tomcat.keystore" keystorepass= "Logiscn "
truststorefile= "D:/downloads/tomcat.keystore" truststorepass= "Logiscn "
/>

where ClientAuth Specifies whether the client certificate needs to be validated and if it is set to "false", then one-way SSL authentication, which ends with SSL configuration. If ClientAuth is set to "true" to indicate mandatory two-way SSL authentication, the client certificate must be validated. If ClientAuth is set to "want", it means that the client certificate can be validated, but if the client does not have a valid certificate, it does not force validation. Fifth Step: Import the client certificate

if Clientauth= "true" is set, the client certificate needs to be forced to be validated. Double-click "D:/DOWNLOADS/P12/TIANLI.P12" to import the certificate into IE: After importing the certificate, you can start Tomcat and access it with IE. Enter [Url]https://ipadress/[/url], the default access port for the HTTPS protocol is 443. Most of the above are written for reference on-line information. in order to achieve a certificate for each person, if you can repeat the above operation also achieve the purpose, considering the need for a lot of testing, and deployed on different machines, think of the method of using the program to automatically generate commands. The program that generates the command is written in Java, and the build command needs to be set up in advance with the following:1. Basedir the location of the generated command file, the generated command runs after the generated CER and p12 format files, in order to differentiate the storage, need to establish two folders, so need with a basic directory,2. The generated KeyStore file requires a password, and for security reasons, the KeyStore of the different domain names requires a different password. 3. Domain address, a warning is issued on integers if the domain address is incorrect. Therefore, for different domains, the addresses are different. Once you have completed the above three settings, you can generate commands. The resulting file consists of 3, all stored under Basedir. 1. Myint.inf file, just for the input content is simple including Y and a carriage return2. conf file, which contains the generated configuration file fragments and a simple instructions for use, the content is as follows<connector port= "443" protocol= "http/1.1" sslenabled= "true"maxthreads= "scheme=" "https" secure= "true"clientauth= "true" sslprotocol= "TLS "keystorefile= "D:/downloads/tomcat.keystore"keystorepass= "LOGISCN"truststorefile= "D:/downloads/tomcat.keystore"truststorepass= "Logiscn"/>copy directly to the appropriate server.xml when used3. Executable command file Command.bat, before executing the above command, you need to create two folders, in order to store the generated files in the appropriate location, part of the code is as follows mkdir certmkdir P12keytool-genkey-v-alias tomcat-keyalg rsa-keystore d:/downloads/tomcat.keystore-dname "CN=LOCALHOST,OU=LOGISCN, O=LOGIS,L=BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass logiscn-keypass logiscnREM generates certificates for Tianlirem Step two: Generate certificates for clientskeytool-genkey-v-alias tianli-keyalg rsa-storetype pkcs12-keystore d:/downloads/p12/tianli.p12-dname "CN=tianl I,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass tianli-keypass Tianli"REM Step three: Let the server trust the client certificatekeytool-export-alias tianli-keystore d:/downloads/p12/tianli.p12-storetype pkcs12-storepass tianli-rfc-file D :/downloads/cert/tianli.cer "keytool-import-alias tianli-v-file d:/downloads/cert/tianli.cer-keystore D:/downloads/tomcat.keystore- Storepass LOGISCN <myint.infthe implementation of the Java program is shown in the attachment, so double-clicking the execution program can generate a batch certificate. Very convenient.     
This article is based on the attribution 2.5 China mainland license Agreement published, welcome reprint, deduction or for commercial purposes, but must and in the article page obvious location give the original link Dana, Li (including link), the specific operation method can refer here. If you have any questions or authorization to negotiate, please leave a message or add Q Group!

Tomcat to configure HTTPS to generate security certificates

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.