Use the Tomcat server to configure HTTPS two-way authentication

Source: Internet
Author: User
Tags: pkcs12

Make sure that the JDK is installed and that its environment variables are configured, so that the keytool command is available on the PATH.


Step 1: generate a certificate for the server:

Use keytool to generate a certificate for Tomcat. If the domain name of the target machine is localhost, run the following command to generate the server keystore (an RSA key pair and self-signed certificate stored under the alias localhost_server):

keytool -genkey -v -alias localhost_server -keyalg RSA -keystore localhost_server.store -validity 36500


Step 2: generate a certificate for the client:

Generate a certificate for the browser so that the server can verify it. To ensure the certificate can be imported smoothly into IE and Firefox, the certificate format should be PKCS12. Therefore, use the following command to generate the certificate:

keytool -genkey -v -alias localhost_client -keyalg RSA -storetype PKCS12 -keystore localhost_client.p12

The localhost_client.p12 file is generated. Double-click the localhost_client.p12 file to import the certificate (together with its private key) into the browser (the client).


Step 3: Let the server trust the client certificate:

Because this is two-way SSL authentication, the server must trust the client certificate, so you must add the client certificate to the server's trust store. Because a PKCS12 keystore cannot be imported directly, first export the client certificate as a separate CER file with the following command (only the public certificate is exported; the private key stays in the .p12 file):

keytool -export -alias localhost_client -keystore localhost_client.p12 -storetype PKCS12 -storepass 123456 -rfc -file localhost_trust.cer

Next, import the file into the server's keystore as a trusted certificate entry:

keytool -import -v -file localhost_trust.cer -keystore localhost_server.store

Run keytool -list -keystore localhost_server.store to view the server keystore. You should see two entries: the server's own key entry and the trusted client certificate.


Step 4: Let the client trust the server certificate:

Because this is two-way SSL authentication, the client also needs to verify the server certificate, so you must add the server certificate to the browser's "Trusted Root Certification Authorities" store. Because a keystore-format file cannot be imported directly, first export the server certificate as a separate CER file with the following command:

keytool -keystore localhost_server.store -export -alias localhost_server -file localhost_server.cer

The localhost_server.cer file is generated. Double-click the localhost_server.cer file, install the certificate as prompted, and place it under "Trusted Root Certification Authorities".


Step 5: configure the Tomcat server

Open conf/server.xml in the Tomcat root directory, find the Connector with port="8443", and modify it as follows:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="conf/localhost_server.store" keystorePass="123456"
           truststoreFile="conf/localhost_server.store" truststorePass="123456" />

Or, using the blocking HTTP/1.1 connector (note that this variant as given has clientAuth="false", so the server will not request a client certificate; set clientAuth="true" for two-way authentication):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/localhost_server.store" keystorePass="123456"
           truststoreFile="conf/localhost_server.store" truststorePass="123456" />

(The keystoreFile and truststoreFile names in server.xml must match the server keystore file generated in Step 1, copied into the conf directory.)

Attribute description:

clientAuth: sets whether bidirectional verification is performed. The default value is false; setting it to true requires a client certificate (Tomcat also accepts "want", which merely requests one and admits clients that present none).

keystoreFile: path of the server keystore containing the server's key and certificate.

keystorePass: password of the server keystore.

truststoreFile: keystore used to verify client certificates (it must contain the client certificate or the CA that issued it). In this example it is the server keystore, into which the client certificate was imported in Step 3.

truststorePass: password of the trust store.
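Because the two connector variants above differ in a single attribute, it is worth checking server.xml mechanically. The following is an added example (not code from the article) that parses a constructed server.xml fragment containing both variants and flags any TLS connector that does not actually require a client certificate; the second variant is placed on port 8444 so that both fit in one file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two connector variants from the article, wrapped in a
# <Service> element so the fragment is well-formed XML. The second variant is
# moved to port 8444 so both can live in one file.
SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="conf/localhost_server.store" keystorePass="123456"
             truststoreFile="conf/localhost_server.store" truststorePass="123456"/>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/localhost_server.store" keystorePass="123456"
             truststoreFile="conf/localhost_server.store" truststorePass="123456"/>
</Service>"""


def audit_connectors(xml_text):
    """Return {port: [finding, ...]} for every SSLEnabled connector.

    An empty list means the connector enforces two-way TLS as the article
    intends. clientAuth="want" (Tomcat's optional mode) is flagged too, because
    a client presenting no certificate would still be admitted.
    """
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to verify
        issues = []
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth == "want":
            issues.append("clientAuth=want: client certificate is optional")
        elif client_auth != "true":
            issues.append("clientAuth is not true: no client certificate requested")
        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            issues.append("scheme/secure not set: request.isSecure() would be wrong")
        if not conn.get("truststoreFile"):
            issues.append("no truststoreFile: the client certificate from Step 3 is not consulted")
        if conn.get("sslProtocol", "TLS").upper().startswith("SSL"):
            issues.append("sslProtocol selects SSL instead of TLS")
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_connectors(SERVER_XML).items():
        print(f"port {port}: {'OK (two-way TLS)' if not issues else '; '.join(issues)}")
```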

Step 6: test:

Enter https://localhost:8443/ in the browser. The client certificate selection dialog is displayed; select the imported certificate and click "OK" to reach the Tomcat home page. The lock icon in the address bar indicates that the session has passed HTTPS two-way authentication and that the information transmitted for the rest of the session is encrypted by SSL/TLS.


Finally, let's look at how to avoid the following problems:


