• linux下Tomcat+OpenSSL配置单向&双向认证(自制证书)


    背景

    由于ios将在2017年1月1日起强制实施ATS安全策略,所有通讯必须使用https传输,本文只针对自制证书,但目前尚不确定自制证书是否能通过appstore审核。

    1、必须支持传输层安全(TLS)协议1.2以上版本
    2、证书必须使用SHA256或更高的哈希算法签名
    3、必须使用2048位以上RSA密钥或256位以上ECC算法等等
    4、证书必须是V3版本
    以上是几个注意点。主要针对ios的ATS策略


    环境

    linux: CentOS6.8
    tomcat: Apache Tomcat/7.0.63
    OpenSSL: OpenSSL 1.1.0c

    OpenSSL升级(如果需要)

    我使用的是阿里云服务器,linux自带OpenSSL,只需要做一次升级,关于全新安装请自行搜索。

    1.查看版本
    openssl version -a
    2.更新zlib
    yum install -y zlib
    3.下载(注意cd到自己需要的路径下)
    wget https://www.openssl.org/source/openssl-1.1.0c.tar.gz
    4.解压安装
    tar zxf openssl-1.1.0c.tar.gz
    cd openssl-1.1.0c
    ./config --prefix=/usr/local/openssl
    make
    make install
    //重命名原来的openssl
    mv /usr/bin/openssl /usr/bin/openssl.ori
    mv /usr/include/openssl /usr/include/openssl.ori

    执行上面一个命令的时候可能会报错,如下,我暂时没管他好像也没影响。后来又发现把下面的步骤执行完后,再执行
    mv /usr/include/openssl /usr/include/openssl.ori

    是可以成功的,但是是不是必须把下面执行完后再执行一次上面语句没有验证过(再执行一次对后面生成证书没影响)

    [root@localhost openssl-1.1.0c]# mv /usr/include/openssl /usr/include/openssl.ori
    mv: 无法获取"/usr/include/openssl" 的文件状态(stat): 没有那个文件或目录



    //将安装好的openssl命令软连到对应位置 ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl ln -s /usr/local/openssl/include/openssl /usr/include/openssl //在/etc/ld.so.conf文件中写入openssl库文件的搜索路径 echo /usr/local/openssl/lib >> /etc/ld.so.conf ldconfig -v openssl version -a






    由于chrome必须要添加subjectAltName才能导入证书生效,不然会报错ERR_CERT_COMMON_NAME_INVALID
    所以必须进入/usr/local/openssl/ssl/openssl.cnf

    把req_extensions这个注释放开
    req_extensions = v3_req # The extensions to add to a certificate request

    然后添加如下内容

    [ v3_req ]

    # Extensions to add to a certificate request

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = kb.example.com
    DNS.2 = helpdesk.example.org
    DNS.3 = systems.example.net
    IP.1 = 192.168.0.100
    IP.2 = 192.168.0.168
    IP.3 = 192.168.0.169
    IP.4 = 192.168.0.106





    创建证书目录

    //进入tmp目录
    cd /tmp
    //创建ca目录,存放证书相关文件
    mkdir ca
    //进入ca
    cd ca
    

    制作根证书

    1. 创建根证书密钥文件(自己做CA) root.key
    openssl genrsa -des3 -out root.key 2048
    
    输出内容为:
    Generating RSA private key, 2048 bit long modulus
    .....................................................................................................................+++
    ..........................+++
    e is 65537 (0x010001)
    Enter pass phrase for root.key: ← 输入一个新密码 
    Verifying – Enter pass phrase for root.key: ← 重新输入一遍密码
    
    2. 创建根证书的申请文件 root.csr
    openssl req -new -key root.key -out root.csr
    
    输出内容为:
    Enter pass phrase for root.key: ← 输入前面创建的密码 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter ‘.’, the field will be left blank. 
    —– 
    Country Name (2 letter code) [AU]:US ← 国家代号,美国输入US 
    State or Province Name (full name) [Some-State]:Houston ← 省的全名,拼音 
    Locality Name (eg, city) []:Houston ← 市的全名,拼音 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: hp ← 公司英文名 
    Organizational Unit Name (eg, section) []: hp← 可以不输入 我输入的公司名称
    Common Name (eg, YOUR name) []: ← 此时不输入,和后面的需要输入ip或者域名不一样,这里不能输入,输入了好像证书有问题 
    Email Address []:admin@hp.com ← 电子邮箱,可随意填
    
    Please enter the following ‘extra’ attributes 
    to be sent with your certificate request 
    A challenge password []: ← 可以不输入 
    An optional company name []: ← 可以不输入
    
    3. 创建一个自当前日期起为期十年的根证书 root.crt
    openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_ca -signkey root.key -in root.csr -out root.crt
    
    输出内容为:
    Signature ok 
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./emailAddress=admin@mycompany.com
    Getting Private key 
    Enter pass phrase for root.key: ← 输入前面创建的密码
    
    4.根据CA证书生成truststore JKS文件 root.truststore
    //这一步只针对双向认证,单向不需要
    keytool -keystore root.truststore -keypass 123456 -storepass 123456 -alias ca -import -trustcacerts -file /tmp/ca/root.crt
    键入回事后,提示是否信息此证书,输入yes, 则生成truststore成功
    

    制作service服务器端证书

    1.创建服务器证书密钥 server.key
    openssl genrsa -des3 -out server.key 2048
    
    输出内容为:
    Generating RSA private key, 2048 bit long modulus
    ...........................+++
    ...............+++
    e is 65537 (0x010001)
    Enter pass phrase for server.key: ← 输入前面创建的密码
    Verifying - Enter pass phrase for server.key: ← 重新输入一遍密码
    运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施! 
    去除key文件口令的命令: 
    openssl rsa -in server.key -out server.key
    
    2.创建服务器证书的申请文件 server.csr
    openssl req -new -key server.key -out server.csr
    
    输出内容为:
    Enter pass phrase for server.key: ← 输入前面创建的密码
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter ‘.’, the field will be left blank. 
    —– 
    Country Name (2 letter code) [AU]:US ← 国家名称,美国输入US 
    State or Province Name (full name) [Some-State]:Houston ← 省名,拼音 
    Locality Name (eg, city) []:Houston ← 市名,拼音 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:hp ← 公司英文名 
    Organizational Unit Name (eg, section) []:hp ← 可以不输入 我输入的公司名称
    Common Name (eg, YOUR name) []:nova.scs.hpicorp.net(15.99.72.165) ← 域名(或者IP),若填写不正确,浏览器会报告证书无效,但并不影响使用
    Email Address []:admin@hp.com ← 电子邮箱,可随便填
    
    Please enter the following ‘extra’ attributes 
    to be sent with your certificate request 
    A challenge password []: ← 可以不输入 
    An optional company name []: ← 可以不输入


    创建完后可以用命令openssl req -text -noout -in server.csr 验证一下是否有如下信息

    [root@localhost ca]# openssl req -text -noout -in server.csr
    Certificate Request:
    Data:
    Version: 1 (0x0)
    Subject: C = US, ST = Houston, L = Houston, O = hp, OU = hp, CN = 192.168.0.168, emailAddress = aaa
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:be:f8:d1:da:8f:fb:0c:24:a2:61:f6:f6:b2:85:
    d9:e8:be:f9:07:73:5a:4d:96:c2:99:e7:ec:6f:3e:
    a2:d0:58:f5:0a:4a:91:f9:6a:5a:51:28:10:b4:86:
    cb:e6:6c:61:75:90:90:5c:93:81:dc:38:11:eb:0d:
    1b:87:ea:f0:8f:73:6a:8e:37:92:03:19:b3:e2:5f:
    77:3a:98:bf:00:99:e0:e2:dd:ca:44:4f:b3:59:ec:
    8d:f6:bc:54:f5:b2:15:d0:e6:51:66:8b:9b:1d:06:
    15:db:5b:25:b9:d5:99:5b:78:64:20:72:7e:2c:be:
    54:9b:31:d7:b0:51:95:71:87:38:7d:bc:db:30:8a:
    9f:b6:8e:09:4c:40:df:3a:fd:15:4d:c1:81:f8:7b:
    28:e2:0d:2e:d0:92:db:19:1d:b4:fe:ca:e9:75:05:
    e2:f8:72:49:a3:8d:80:4b:19:c3:05:9d:48:d4:fc:
    51:c7:c4:82:d3:b1:b2:8b:00:50:74:b8:8f:af:16:
    7d:6e:52:92:36:9a:53:18:e9:f7:62:04:cc:fa:17:
    78:5a:bd:0f:c9:f3:d2:83:10:26:21:af:26:df:09:
    38:92:34:f0:5b:7c:9e:8b:a1:c8:af:b6:4d:08:7f:
    f6:fd:a3:77:b8:51:35:df:c6:e3:53:b7:fa:4d:1d:
    53:d9
    Exponent: 65537 (0x10001)
    Attributes:
    Requested Extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Key Usage:
    Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Subject Alternative Name:
    DNS:kb.example.com, DNS:helpdesk.example.org, DNS:systems.example.net, IP Address:192.168.0.100, IP Address:192.168.0.168, IP Address:192.168.0.169, IP Address:192.168.0.106
    Signature Algorithm: sha256WithRSAEncryption
    39:1e:18:ec:c3:06:10:6d:49:75:03:ec:29:68:ae:cd:ad:e7:
    c0:45:51:2a:ff:1d:06:fc:08:22:a3:61:d9:3e:92:b1:d4:5e:
    d9:ff:42:58:94:0c:35:cc:b4:89:f1:6c:2d:d2:ca:76:30:f0:
    95:e0:eb:1b:37:a8:d4:a4:a4:80:c8:19:76:6f:ad:e8:12:e1:
    a1:9b:6b:28:ae:45:6d:3a:57:35:ff:36:9f:81:41:ca:4e:da:
    9f:59:f2:61:12:bd:ef:8d:c9:ed:7f:48:78:03:39:fa:46:de:
    e0:d7:ae:c1:fc:df:5f:21:b8:17:05:84:69:51:af:a0:0c:cb:
    7d:fd:3b:b5:a8:ab:83:33:d7:fd:aa:c4:93:e3:dc:72:df:0d:
    c3:2f:b2:61:af:a9:c0:cc:e2:b8:8d:09:5a:57:2f:26:4a:ec:
    b4:b0:79:05:07:2c:a0:48:cc:a0:fb:70:93:d8:33:22:e2:58:
    27:5d:48:dd:2b:ca:1d:c1:82:93:80:f8:87:f2:99:b7:6e:be:
    a4:0b:34:a5:45:7b:f7:df:59:95:ce:0d:c5:0b:1c:b0:63:5f:
    f5:61:d4:db:cc:a7:57:fe:28:b5:1a:f5:13:c3:0c:04:82:d2:
    d1:b8:e0:23:c8:c5:c9:60:5c:b9:df:8f:85:1b:1a:fe:ed:c4:
    1f:4d:3d:fd












    3.创建自当前日期起有效期为期十年的服务器证书 server.crt
    openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
    
    输出内容为:
    Signature ok 
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com 
    Getting CA Private Key 
    Enter pass phrase for root.key: ← 输入前面创建的密码
    
    4.导出.p12文件 server.p12
    openssl pkcs12 -export -in /tmp/ca/server.crt -inkey /tmp/ca/server.key -out  /tmp/ca/server.p12 -name "server"
    根据命令提示,输入server.key密码,创建p12密码。
    
    5.将.p12 文件导入到keystore JKS文件 server.keystore
    keytool -importkeystore -v -srckeystore  /tmp/ca/server.p12 -srcstoretype pkcs12 -srcstorepass nova123456 -destkeystore /tmp/ca/server.keystore -deststoretype jks -deststorepass nova123456
    这里srcstorepass后面的nova123456为server.p12的密码deststorepass后的nova123456为keyStore的密码
    

    制作client客户端证书

    1.创建客户端证书密钥文件 client.key
    openssl genrsa -des3 -out client.key 2048
    
    输出内容为:
    Generating RSA private key, 2048 bit long modulus
    ...............................+++
    .........................+++
    e is 65537 (0x010001)
    Enter pass phrase for client.key: ← 输入一个新密码 
    Verifying – Enter pass phrase for client.key: ← 重新输入一遍密码
    
    2.创建客户端证书的申请文件 client.csr
    openssl req -new -key client.key -out client.csr
    
    输出内容为:
    Enter pass phrase for client.key: ← 输入上一步中创建的密码 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter ‘.’, the field will be left blank. 
    —– 
    Country Name (2 letter code) [AU]:CN ← 国家名称,中国输入CN 
    State or Province Name (full name) [Some-State]:BeiJing ← 省名称,拼音 
    Locality Name (eg, city) []:BeiJing ← 市名称,拼音 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名 
    Organizational Unit Name (eg, section) []: ← 可以不填 
    Common Name (eg, YOUR name) []:Lenin ← 自己的英文名,可以随便填 
    Email Address []:admin@mycompany.com ← 电子邮箱,可以随便填
    
    Please enter the following ‘extra’ attributes 
    to be sent with your certificate request 
    A challenge password []: ← 可以不填 
    An optional company name []: ← 可以不填
    
    3.创建一个自当前日期起有效期为十年的客户端证书 client.crt
    openssl x509 -req -days 3650 -sha256 -extfile /usr/local/openssl/ssl/openssl.cnf -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt
    
    输出内容为:
    Signature ok 
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com 
    Getting CA Private Key 
    Enter pass phrase for root.key: ← 输入上面创建的密码
    
    4.导出.p12文件 client.p12
    openssl pkcs12 -export -in /tmp/ca/client.crt -inkey /tmp/ca/client.key -out  /tmp/ca/client.p12 -name "client"
    根据命令提示,输入client.key密码,创建p12密码。
    

    • 解释
    名称 
    crt证书 只含有公钥
    p12证书 是包含证书(含公钥)和私钥
    JKS(Java key store) 存放密钥的容器。.jks .keystore .truststore等
    KeyStore 服务器的密钥存储库,存服务器的公钥私钥证书
    TrustStore 服务器的信任密钥存储库,存CA公钥

    • 单向认证需要文件
    名称 
    root.crt 客户端使用的CA根证书
    server.keystore 服务端证书存放的容器
    • 双向认证需要文件
    名称 
    root.crt 客户端使用的CA根证书
    client.p12 客户端证书包含私钥
    root.truststore CA公钥存放到受信赖的容器
    server.keystore 服务端证书存放的容器

    单向认证

    客户端只需要安装root.crt这个CA根证书
    服务器端配置server.keystore

    配置Tomcat

    1.关闭tomcat
    tomcat的bin目录下执行
    shutdown.sh
    
    2.将keystore文件(server.keystore) 放在web服务器上
    cp /tmp/ca/server.keystore /你的tomcat根目录/conf
    
    3.修改server.xml配置文件
    cd /你的tomcat根目录/conf
    vi server.xml
    
    找到下面被注释的代码,删除注释符并修改内容(vi命令操作)
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   keystoreFile="/你的tomcat根目录/conf/server.keystore"
                   keystorePass="123456"
                   clientAuth="false" sslEnabledProtocols="TLSv1.2"
                   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                                   TLS_RSA_WITH_AES_128_CBC_SHA256,
                                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                   TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                                   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" />
    
    4.启动tomcat
    tomcat的bin目录下执行
    startup.sh
    
    5.访问https服务
    https://localhost:8443/
    https://192.168.1.1:8443/  你的IP
    

    双向认证

    客户端需要安装root.crt这个CA根证书,client.p12这个客户端证书
    服务器端配置server.keystore,root.truststore

    配置Tomcat

    1.关闭tomcat
    tomcat的bin目录下执行
    shutdown.sh
    
    2.将keystore文件(server.keystore) 放在web服务器上
    cp /tmp/ca/server.keystore /你的tomcat根目录/conf
      将truststore文件(root.truststore) 放在web服务器上
    cp /tmp/ca/root.truststore /你的tomcat根目录/conf
    
    3.修改server.xml配置文件
    cd /你的tomcat根目录/conf
    vi server.xml
    
    找到下面被注释的代码,删除注释符并修改内容(vi命令操作)
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   keystoreFile="/你的tomcat根目录/conf/server.keystore"
                   keystorePass="123456"
                   truststoreFile="/你的tomcat根目录/conf/root.truststore"
                   truststorePass="123456"
                   clientAuth="true" sslEnabledProtocols="TLSv1.2"
                   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                                   TLS_RSA_WITH_AES_128_CBC_SHA256,
                                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                   TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                                   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" />
    注意!clientAuth为true。这里和单向的不同。
    
    4.启动tomcat
    tomcat的bin目录下执行
    startup.sh
    
    5.访问https服务
    https://localhost:8443/
    https://192.168.1.1:8443/  你的IP
    

    完成。可以让你的前端通过https协议访问你的接口了,注意此时的接口是8443.


    ios开发

    请参考下面文章
    https请求之iOS客户端---AFNetworking


    参考文章

    1.SSL证书生成方法
    2.Tomcat6配置使用SSL双向认证(使用openssl生成证书)
    3.Linux下生成https自签名证书,解决苹果发布问题重新整理
    4.用tomcat配置https自签名证书,解决 ios7.1以上系统, 苹果inHouse发布



    作者:易明INM
    链接:https://www.jianshu.com/p/045f95c008a0
    來源:简书
    简书著作权归作者所有,任何形式的转载都请联系作者获得授权并注明出处。

  • 相关阅读:
    上班不再能上msn了
    小龟不用冬眠了
    Sonne学摄影(3)上海汽车展汽车
    新年提醒银行卡的用户注意了
    转贴:49届世乒赛海外名将介绍究竟谁会对中国队构成威胁??
    用两个词形容现在的生活:忙碌,充实
    终于加入胖友一族
    上海人
    相互残杀
    王励勤,好样的!看49届世乒赛男单决赛
  • 原文地址:https://www.cnblogs.com/xiaohanlin/p/10213966.html
Copyright © 2020-2023  润新知