TOMCAT配置SSL雙向驗證

dengdaiyemanren

步驟:
一、建立自己的CA
1.創(chuàng)建私鑰:
C:\OpenSSL\apps>openssl genrsa -out root/root-key.pem 1024

2.創(chuàng)建證書請求：
C:\OpenSSL\apps>openssl req -new -out root/root-req.csr -key root/root-key.pem -config openssl.cnf
（注意需要有openssl.cnf文件,apache的cnf/目錄下有此文件)

3.生成x509證書,可以自已簽名,用來做根證書;也可用其它證書來簽名,生成根證書可以信任的證書.

openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 365

4.根據(jù)root證書生成jks文件
keytool -import -v -trustcacerts -storepass password -alias root -file root/root-cert.pem -keystore root/root.jks

二.建立服務(wù)器端證書
1.創(chuàng)建私鑰:
C:\OpenSSL\apps>openssl genrsa -out server/server-key.pem 1024

2.創(chuàng)建證書請求:
C:\OpenSSL\apps>openssl req -new -out server/server-req.csr -key server/server-key.pem -config openssl.cnf

3.自簽署證書:
C:\OpenSSL\apps>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650

4.將證書導出成瀏覽器支持的.p12格式:
C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

三.建立客戶端證書
1.創(chuàng)建私鑰:
C:\OpenSSL\apps>openssl genrsa -out client/client-key.pem 1024

2.創(chuàng)建證書請求：
C:\OpenSSL\apps>openssl req -new -out client/client-req.csr -key client/client-key.pem -config openssl.cnf

3.自簽署證書:
C:\OpenSSL\apps>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650

4.將證書導出成瀏覽器支持的.p12格式
C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12  

四.tomcat配置情況:

server.xml

1. <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   
2.                maxThreads="150" scheme="https" secure="true"
   
3.                clientAuth="true"
   
4.                keystoreFile="c:/data/server/server.p12"
   
5.                sslProtocol="TLS"
   
6.                keystoreType="PKCS12"
   
7.                keystorePass="123456"
   
8.                truststoreFile="c:/data/root/root.jks"
   
9.                truststoreType="JKS"
   
10.                truststorePass="password"
    
11.     />

五.獲取客戶端的證書編號
index.jsp

1. <%
   
2.  java.security.cert.X509Certificate[] ca=(java.security.cert.X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
   
3.  if(ca==null)
   
4.  {
   
5.         System.out.println("No cert info!");
   
6.   } else
   
7.  {
   
8.           String serial=ca[0].getSerialNumber().toString();
   
9.           System.out.println(serial);
   
10.           String DN=ca[0].getSubjectDN().toString();
    
11.           System.out.println(DN);
    
12.       }
    
13.  %>

六.效果:
https://127.0.0.1:8443/
則彈出可用的證書供選擇。