• SSL installation: tomcat, jks, APR


    Versions used: JDK 1.7, Tomcat 7.0.39, OpenSSL 0.9.8 (Windows installer build)

    Operating system: Windows 7

    Command line:

    1. Generate the CA private key and the self-signed root certificate

    ① Generate the CA private key (1024 bits is shown here; use at least 2048 bits for anything beyond a throwaway local test)

    openssl genrsa -out F:\CA\ca-key.pem 1024

    ② Generate a certificate signing request (CSR) for the root certificate

    openssl req -new -key F:\CA\ca-key.pem -out F:\CA\ca-req.csr -config openssl.cnf

    Do not add -x509 here, and reuse the key from ① with -key rather than -keyout: -x509 makes openssl req write a finished self-signed certificate instead of a CSR, and -keyout without -key generates a fresh key that overwrites ca-key.pem, so step ③ would then be fed a certificate where it expects a request and fail.

    ③ Self-sign the root certificate with the CA private key

    openssl x509 -req -in F:\CA\ca-req.csr -out F:\CA\ca-cert.pem -signkey F:\CA\ca-key.pem -days 365

    2. Generate the server certificate

    ① Generate the key pair. It is convenient to make keyPass the same as storePass: Tomcat's keystorePass attribute is used for both unless keyPass is set separately. (Same key-size caveat as above: use at least 2048 bits outside of a local test.)

    keytool -genkey -alias ying -validity 365 -keyalg RSA -keysize 1024 -keypass yingevil -storepass yingevil -dname "cn=localhost,ou=department,o=company,l=Beijing,st=Beijing,c=CN" -keystore F:\CA\ying.jks

    ② Generate the certificate signing request. MD5withRSA is shown; MD5 is broken as a signature hash, so prefer -sigalg SHA256withRSA. The CSR's own signature only proves possession of the key; the hash that matters is the one the CA uses in ③, where -sha256 should likewise be passed to openssl x509.

    keytool -certreq -alias ying -sigalg MD5withRSA -file F:\CA\ying.csr -keypass yingevil -keystore F:\CA\ying.jks -storepass yingevil

    ③ Sign the request with the CA private key

    openssl x509 -req -in F:\CA\ying.csr -out F:\CA\ying-cert.pem -CA F:\CA\ca-cert.pem -CAkey F:\CA\ca-key.pem -days 365 -set_serial 1

    -set_serial 1 hard-codes the serial number. A serial must be unique among all certificates a CA issues, because clients identify certificates by issuer plus serial; for any further certificate from this CA use -CAcreateserial (which keeps a counter in ca-cert.srl next to the CA certificate) or a different -set_serial value.

    3. Import the trusted CA root certificate into Java's default truststore %JAVA_HOME%\jre\lib\security\cacerts (its default password is changeit)

    keytool -import -v -trustcacerts -storepass changeit -alias root_ying -file F:\CA\ca-cert.pem -keystore %JAVA_HOME%\jre\lib\security\cacerts

    This makes every Java program running on this JRE trust certificates issued by this CA. It is needed here so that keytool can build the chain in step 4 and so that Java clients on this machine accept the server; browsers keep their own trust store and need ca-cert.pem imported separately. Keep this to test machines, since a private CA in cacerts is a trust anchor for everything the JRE runs; for a single application, a dedicated truststore passed with -Djavax.net.ssl.trustStore is the safer choice.

    4. Import the CA-signed server certificate into the keystore

    keytool -import -v -trustcacerts -storepass yingevil -alias ying -file F:\CA\ying-cert.pem -keystore F:\CA\ying.jks

    Importing under the existing alias ying is what makes keytool treat the file as a certificate reply: it replaces the self-signed certificate from step 2① with the CA-issued one and its chain, keeping the private key. keytool must be able to chain the reply to a trusted root, which -trustcacerts does through the certificate imported in step 3; if the root is not in cacerts, import ca-cert.pem into ying.jks under its own alias first, otherwise the import stops with "Failed to establish chain from reply".

    5. List the JDK truststore to confirm the root was imported (the same command with -keystore F:\CA\ying.jks -storepass yingevil lists the server keystore, where alias ying should now appear as a PrivateKeyEntry)

    keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

    6. On the Tomcat server, add the following Connector to conf/server.xml

    <Connector port="443"
    protocol="HTTP/1.1" SSLEnabled="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="F:\server\apache-tomcat-7.0.39\conf\ying.jks"
    keystorePass="yingevil"/>

    Then copy ying.jks into the server's conf directory; it is the only file the Java (JSSE) connector needs. Do not add SSLCertificateFile / SSLCertificateKeyFile attributes pointing at ca-cert.cer and ca-key.pem, and do not copy ca-key.pem to the server. Those two attributes belong to the APR/native connector, which Tomcat 7 selects automatically for protocol="HTTP/1.1" whenever the tcnative library is installed; in that case keystoreFile is ignored and the server presents whatever SSLCertificateFile names. Pointed at the CA files, that would make the server present the CA's certificate instead of its own and would place the CA's private key on the web server. If APR is in use, SSLCertificateFile must be the server certificate (ying-cert.pem) and SSLCertificateKeyFile the server's private key, which can be extracted from the PKCS12 file below; the CA key stays on the CA machine. The CA certificate itself (ca-cert.pem, or ca-cert.cer, the same file renamed, since PEM is plain ASCII) is what clients need to trust, not something the server serves.

    To convert the Java keystore to PKCS12 format (the form from which openssl pkcs12 can read the server key and certificate, for example for an APR connector; Tomcat's JSSE connector can also load it directly with keystoreType="PKCS12"):
    keytool -importkeystore -srckeystore ying.jks -destkeystore ying.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass yingevil -deststorepass yingevil -srcalias ying -destalias ying -srckeypass yingevil -destkeypass yingevil -noprompt
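    The whole procedure from step 1 to the keystore, as an added example that is not part of the original post: a bash script that uses only openssl (no keytool) and applies the corrections noted above, a real CSR for the CA, 2048-bit keys, SHA-256 signatures, a unique serial via -CAcreateserial, a subjectAltName on the server certificate, and an openssl verify check of the chain before anything is deployed. It ends with a PKCS12 file that Tomcat 7's JSSE connector can load with keystoreType="PKCS12" (or that keytool -importkeystore can turn into a JKS). The file names follow the page; the working directory, the subject names, the host name localhost and the password yingevil are assumptions. The negative check (the same certificate tested against an unrelated CA) shows what the verification step catches.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the page's CA -> server-certificate
# procedure redone with openssl only. Directory, subjects, host and password are assumed.
set -euo pipefail

# make_ca <dir> <cn>: CA private key, CSR, self-signed root certificate
make_ca() {
    local dir="$1" cn="$2"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    # a plain CSR (no -x509); -key reuses the key written by genrsa
    openssl req -new -key "$dir/ca-key.pem" -subj "/CN=$cn/O=company/C=CN" \
        -out "$dir/ca-req.csr"
    # mark the root as a CA so strict verifiers accept it as an issuer
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca-ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$dir/ca-req.csr" -signkey "$dir/ca-key.pem" \
        -extfile "$dir/ca-ext.cnf" -out "$dir/ca-cert.pem" 2>/dev/null
}

# issue_server_cert <dir> <ca-dir> <host>: server key, CSR, CA-signed certificate
issue_server_cert() {
    local dir="$1" cadir="$2" host="$3"
    openssl genrsa -out "$dir/ying-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/ying-key.pem" \
        -subj "/CN=$host/OU=department/O=company/L=Beijing/ST=Beijing/C=CN" \
        -out "$dir/ying.csr"
    # modern clients match the host against subjectAltName, not the CN
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/ying-ext.cnf"
    # -CAcreateserial keeps a counter in ca-cert.srl so every issued cert gets a unique serial
    openssl x509 -req -sha256 -days 365 -in "$dir/ying.csr" \
        -CA "$cadir/ca-cert.pem" -CAkey "$cadir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/ying-ext.cnf" -out "$dir/ying-cert.pem" 2>/dev/null
}

# verify_chain <ca-cert> <leaf-cert>: exit 0 if the leaf chains to that CA, non-zero otherwise
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_pkcs12 <dir> <ca-cert> <password>: server key + certificate + CA into ying.p12
bundle_pkcs12() {
    local dir="$1" cacert="$2" pass="$3"
    openssl pkcs12 -export -name ying -inkey "$dir/ying-key.pem" -in "$dir/ying-cert.pem" \
        -certfile "$cacert" -passout "pass:$pass" -out "$dir/ying.p12"
}

# demo: run everything in a temporary directory; prints "ok" and returns 0 on success
demo() {
    local work
    work="$(mktemp -d)"
    mkdir -p "$work/ca" "$work/other-ca"
    make_ca "$work/ca" "Demo Root CA"
    make_ca "$work/other-ca" "Unrelated CA"      # only used for the negative check
    issue_server_cert "$work" "$work/ca" localhost
    # the server certificate must verify against the CA that issued it ...
    verify_chain "$work/ca/ca-cert.pem" "$work/ying-cert.pem" || return 1
    # ... and must NOT verify against a CA that did not sign it
    if verify_chain "$work/other-ca/ca-cert.pem" "$work/ying-cert.pem"; then
        return 1
    fi
    bundle_pkcs12 "$work" "$work/ca/ca-cert.pem" yingevil
    [ -s "$work/ying.p12" ] || return 1
    rm -rf "$work"
    echo ok
}

demo
```

    For an APR connector, ying-cert.pem and ying-key.pem produced here are exactly the files SSLCertificateFile and SSLCertificateKeyFile should name; for the JSSE connector, point keystoreFile at ying.p12 with keystoreType="PKCS12" and keystorePass="yingevil".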

    7. Also add the following to the web application's web.xml so that plain-http requests are redirected to https

    <login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>

    <security-constraint>
    <!-- Require SSL for every URL -->
    <web-resource-collection >
    <web-resource-name >SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>

    Only the security-constraint does the redirecting: transport-guarantee CONFIDENTIAL makes Tomcat answer any http request for a matching URL with a redirect to the port named by the redirectPort attribute of the connector the request arrived on, so the plain HTTP connector (port 8080 in the default server.xml) must carry redirectPort="443" to match the Connector above; the stock value is 8443. The login-config block with CLIENT-CERT plays no part in the redirect: because the security-constraint has no auth-constraint, it is never triggered, and if one were added it would admit only users presenting a client certificate the server can verify, which the Connector above (clientAuth="false") does not request.

    See the official documentation: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

    For writing a new openssl.cnf, see: http://www.openssl.org/docs/apps/req.html#EXAMPLES

    Reference articles

    http://zhumeng8337797.blog.163.com/blog/static/100768914201241645258903/

    http://yushan.iteye.com/blog/434955

    http://www.albertsong.com/read-99.html

  • Original address: https://www.cnblogs.com/diyingyun/p/3036681.html