2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Summary: building HTTPS with OpenSSL and Tomcat
Part one: the OpenSSL side
To create a certificate:
(1) generate a private key
(2) generate a certificate signing request
(3) generate the X.509 certificate and sign it with the CA private key
(4) export the certificate in the .p12 format supported by browsers
One: generate the CA certificate
1. Create a private key (encrypted with 3DES; you are prompted for a passphrase; genrsa has no -sha256 option, the digest is chosen when signing):
openssl genrsa -des3 -out ca-key.pem 2048
2. Create a certificate request:
openssl req -new -out ca-req.csr -key ca-key.pem -sha256
3. Self-signed certificate:
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 1000 -sha256
(2 and 3 can be combined into one command:
openssl req -x509 -new -out ca-cert.pem -key ca-key.pem -days 1000 -sha256)
4. Export the certificate to the .p12 format supported by browsers:
openssl pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca.p12
Two: generate the server certificate
1. Create a private key:
openssl genrsa -des -out server-key.pem 2048
2. Create a certificate request:
openssl req -new -out server-req.csr -key server-key.pem -sha256
3. Certificate signed by the CA (-CA/-CAkey sign with the CA key; -signkey would self-sign and is not needed here):
openssl x509 -req -in server-req.csr -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 -sha256
4. Export the certificate to the .p12 format supported by browsers:
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12
Three: generate the client certificate
1. Create a private key (1024-bit RSA is below current recommendations; 2048 bits as for the server is preferable):
openssl genrsa -out client-key.pem 1024
2. Create a certificate request:
openssl req -new -out client-req.csr -key client-key.pem -sha256
3. Certificate signed by the CA:
openssl x509 -req -in client-req.csr -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 -sha256
4. Export the certificate to the .p12 format supported by browsers:
openssl pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
Four: generate a JKS file (Java keystore) holding the CA certificate as a trusted entry
keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
Part two: configure Tomcat SSL
1. conf/server.xml
Tomcat 6 adds the SSLEnabled="true" attribute to the HTTPS Connector; set keystoreFile and truststoreFile to the correct paths of your keystore and truststore.
Configuration for Tomcat 5.5:
Configuration for Tomcat 6.0:
7. Testing (under Linux; -tls1 forces TLS 1.0, omit it to negotiate the newest version both sides support)
openssl s_client -connect localhost:8443 -cert /home/ssl/client-cert.pem -key /home/ssl/client-key.pem -tls1 -CAfile /home/ssl/ca-cert.pem -state -showcerts
Once the handshake completes, type a request into the open session, followed by an empty line:
GET /index.jsp HTTP/1.0
8. Import certificates
The server imports the server.p12 and ca.p12 certificates.
The client imports the ca.p12 and client.p12 certificates:
In IE (open IE -> Internet Options -> Content -> Certificates):
import ca.p12 into Trusted Root Certification Authorities and client.p12 into Personal.
In Firefox (Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates):
import both ca.p12 and client.p12 here.
Note: the common names of the CA, server and client certificates (here ca=ca, server=localhost, client=dong) must all be different, otherwise the SSL handshake will not succeed.
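Added example, not code from the original article: a POSIX shell script that rebuilds the article's CA / server / client chain non-interactively and then checks what the article only asserts, namely that each leaf verifies against ca-cert.pem and that the three common names (ca, localhost, dong) are distinct. It assumes the openssl CLI is on PATH, uses the article's file names, and leaves the keys unencrypted for brevity.

```shell
#!/bin/sh
# Added example (not the article's code): rebuild the CA / server / client
# chain non-interactively and check the properties the article relies on.
# Assumes: openssl CLI on PATH; file names follow the article, subjects are made up.
set -e

# make_chain DIR: CA, server and client certificates in DIR. Keys are left
# unencrypted for brevity; the article protects them with -des3, which is better.
make_chain() {
  d=$1; mkdir -p "$d"
  openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 1000 -subj "/CN=ca" \
      -key "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null
  for n in server client; do
    cn=localhost; [ "$n" = client ] && cn=dong   # CNs as in the article
    openssl genrsa -out "$d/$n-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$cn" \
        -key "$d/$n-key.pem" -out "$d/$n-req.csr" 2>/dev/null
    # issued by the CA key: no -signkey here, that option self-signs
    openssl x509 -req -sha256 -days 3650 -in "$d/$n-req.csr" \
        -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
        -out "$d/$n-cert.pem" 2>/dev/null
  done
}

# cert_cn FILE: print the CN of the certificate subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_chain DIR: 0 if both leaves verify against the CA and no two of the
# three certificates share a CN (the article's note), 1 otherwise.
check_chain() {
  d=$1
  for n in server client; do
    openssl verify -CAfile "$d/ca-cert.pem" "$d/$n-cert.pem" >/dev/null 2>&1 || return 1
  done
  dupes=$(for f in ca server client; do cert_cn "$d/$f-cert.pem"; done | sort | uniq -d)
  [ -z "$dupes" ]
}

# Stand-alone usage: build into $1 (default: a demo directory under TMPDIR) and report
dir=${1:-${TMPDIR:-/tmp}/demo-ssl}
make_chain "$dir" && check_chain "$dir" && echo "chain OK in $dir"
```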
9. Certificate authentication for Tomcat applications from the browser
In server/webapps/manager/WEB-INF/web.xml, change the BASIC authentication to certificate authentication:
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
Fill in the following in conf/tomcat-users.xml:
You can verify that SSL works by visiting https://localhost:8443
Visit https://localhost:8443/manager/html to verify that the application authenticates you with the client certificate.
Attachment:
Script format for creating certificates in bulk:
#!/bin/bash
# usage sample
# sh genClient.sh 20160728_Client001 "CHANGSHA SHINING POWER ELECTRONICS CO.,LTD" DS2015-F0105-00104 james.taoA1@murata.com
/usr/bin/expect
© 2024 shulou.com SLNews company. All rights reserved.