Tomcat-OpenSSL bidirectional authentication configuration (IOS)

Source: Internet
Author: User
Tags: pkcs12, password protection

Generating certificates with OpenSSL

Before generating certificates, create the following directories and files under the working directory:
./demoCA/
./demoCA/newcerts/
./demoCA/private/
./demoCA/index.txt (empty file; a record is appended to it each time a certificate is issued)
./demoCA/serial (write the first serial number "01" into this file; it is incremented each time a certificate is issued)

File suffixes used with OpenSSL

.key: private key
.csr: Certificate Signing Request (certificate request file), containing the public key information
.crt: certificate file (short for Certificate)
.crl: Certificate Revocation List
.pem: the format used when exporting and importing certificates; a text encoding with a BEGIN line at the start and an END line at the end

X.509v3: the IETF certificate standard
X.500: the directory standard
SCEP: Simple Certificate Enrollment Protocol; the request is made over HTTP, the data is encapsulated in PKCS#7, and the request itself is in PKCS#10 format
PKCS#7: the standard for encapsulating data; certificates and some request information can be placed in it
PKCS#10: the data format for certificate requests, used for offline certificate requests; note that the packets are encapsulated as PKCS#7 data
PKCS#12: used to exchange public and private objects in a single file, i.e. the public key, private key and certificate are packaged together and stored encrypted. Cisco keeps it in NVRAM, and the user can export it so that it can be restored if the certificate server goes down. The Cisco extension is .p12, the Microsoft one is .pfx


Steps:
Generate the CA private key -> generate the CA certificate request -> self-sign it to obtain the root certificate (the CA issues a certificate to itself)
Generate a private key -> generate a certificate request -> have the CA sign it to obtain a certificate

1. Generate a self-signed CA certificate in X.509 format
openssl req -new -x509 -keyout ca.key -out ca.crt

openssl rsa -in ca.key -out ca.key.unsecure    // writes a copy of the private key without password protection (the passphrase is stripped); not recommended

* Non-interactive command to self-sign a certificate from an already generated CSR:

2. Generate the private key (key file) and the CSR on the server
openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr

3. Generate the client's private key (key file) and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

4. Sign the server.csr and client.csr you just generated with the CA certificate
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

Notes

* When having the CA sign a request, the country, state/province and organization in the request must be the same as in the CA certificate, otherwise signing fails with an error.

* If the subject information is exactly the same as that of a certificate already issued, signing also fails, i.e. the same certificate cannot be issued twice. The error message is:

failed to update database
TXT_DB error number 2

In other words, the country, province and organization must match the CA, while the remaining subject fields must differ between the server and the client.

* If the error "unable to access the ./demoCA/newcerts directory" appears:
Find the configuration file (typically openssl.cnf) and change its directory entry to the path where you generate certificates (if you hit a permission problem editing the file, use sudo chmod 777 openssl.cnf to get write access):

[ CA_default ]

dir = <your path>

5. Generate a P12 format certificate (Cisco uses .p12, Microsoft uses .pfx)
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
Description: -in is the certificate file to convert into the P12 file, -inkey is the private key belonging to that certificate, -passin is the password of the private key file, -out is the P12 file, and -passout sets the password that opens the P12 file.

JKS is the certificate and private key store format supported by the Java keytool utility.
PFX is the private key format supported by Microsoft.

Generating a JKS file from the CA certificate

openssl genrsa -out ca.pem 1024

openssl req -new -out ca.csr -key ca.pem
openssl x509 -req -in ca.csr -out ca.cer -signkey ca.key -CAcreateserial -days 3650

Then, back in the normal shell, import the certificate into a JKS trust store with keytool:
keytool -import -v -trustcacerts -storepass 123456 -alias root -file ca.cer -keystore ca.jks

6. Generate a PEM format certificate
Sometimes a certificate in PEM format is needed; it can be produced by concatenating the certificate file (crt) and the private key file (key):
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem

7. Convert a PFX file into an X.509 certificate file and an RSA key file
openssl pkcs12 -in server.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server2.key
openssl x509 -in server.pem -out server2.crt
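Steps 6 and 7 both work on a PEM bundle: a file that is just PEM blocks concatenated, from which openssl x509 and openssl rsa pull out the first certificate and the first key. The following added example (not from the original page) is a small Python parser that performs the same split, checks that every BEGIN/END pair matches and that each body is valid base64, and reports whether the extracted key still carries the Proc-Type: 4,ENCRYPTED header that -nodes removes. The sample bundle is constructed; its base64 payloads are placeholders, not real key material.

```python
import base64
import re

# Constructed sample for "cat server.crt server.key > server.pem"; payloads are placeholders, not real key material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBzzCCAXkCFQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQ==
-----END RSA PRIVATE KEY-----
"""

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END ([A-Z0-9 ]+)-----", re.DOTALL)

def parse_pem_blocks(text):
    """Return [(label, headers, der_bytes, pem_text)] per block; reject label mismatches and bad base64."""
    blocks = []
    for m in _BLOCK.finditer(text.replace("\r\n", "\n")):
        begin, body, end = m.groups()
        if begin != end:
            raise ValueError(f"label mismatch: BEGIN {begin} / END {end}")
        headers, b64 = {}, body
        if "\n\n" in body:  # legacy encrypted keys carry Proc-Type/DEK-Info headers before a blank line
            head, b64 = body.split("\n\n", 1)
            headers = dict(line.split(": ", 1) for line in head.splitlines())
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"invalid base64 in {begin} block") from exc
        blocks.append((begin, headers, der, m.group(0) + "\n"))
    return blocks

def split_bundle(text):
    """Same split as step 7's 'openssl x509 -in' / 'openssl rsa -in': (cert_pem, key_pem, key_is_encrypted)."""
    cert, key, encrypted = None, None, False
    for label, headers, _der, pem in parse_pem_blocks(text):
        if label == "CERTIFICATE" and cert is None:
            cert = pem
        elif label.endswith("PRIVATE KEY") and key is None:
            key = pem
            # A key that still has Proc-Type: 4,ENCRYPTED needs its passphrase; -nodes strips this header.
            encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    return cert, key, encrypted
```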

8. Other related commands
openssl rsa -noout -text -in ca.key    // view the private key

Tomcat configuration

Open the Tomcat conf/server.xml file, locate the following connector and modify it as follows:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           keystoreType="PKCS12" keystoreFile="certificate store path/server.pfx" keystorePass="Password"
           truststoreType="JKS" truststoreFile="certificate store path/ca.jks" truststorePass="Password"
           clientAuth="true" sslProtocol="TLS" />

clientAuth controls whether client certificate authentication is required, i.e. whether two-way (mutual) authentication is enabled.

