使用版本JDK1.7,tomcat 7.0.39,openssl安装版0.9.8
使用操作系统 win7
命令行:
1.生成CA私钥以及自签名根证书
①生成CA私钥
openssl genrsa -out F:\CA\ca-key.pem 1024
②生成待签名根证书
openssl req -new -x509 -keyout F:\CA\ca-key.pem -out F:\CA\ca-req.csr -config openssl.cnf
③用CA私钥对根证书进行自签名
openssl x509 -req -in F:\CA\ca-req.csr -out F:\CA\ca-cert.pem -signkey F:\CA\ca-key.pem -days 365
2.生成server端证书
①生成KeyPair,最好keyPass与storePass一样,方便
keytool -genkey -alias ying -validity 365 -keyalg RSA -keysize 1024 -keypass yingevil -storepass yingevil -dname "cn=localhost,ou=department,o=company,l=Beijing,st=Beijing,c=CN" -keystore F:\CA\ying.jks
②生成待签名证书
keytool -certreq -alias ying -sigalg MD5withRSA -file F:\CA\ying.csr -keypass yingevil -keystore F:\CA\ying.jks -storepass yingevil
③用CA私钥进行签名
openssl x509 -req -in F:\CA\ying.csr -out F:\CA\ying-cert.pem -CA F:\CA\ca-cert.pem -CAkey F:\CA\ca-key.pem -days 365 -set_serial 1
3.导入信任的CA根证书到JAVA的默认位置%JAVA_HOME%\jre\lib\security\cacerts
keytool -import -v -trustcacerts -storepass changeit -alias root_ying -file F:\CA\ca-cert.pem -keystore %JAVA_HOME%\jre\lib\security\cacerts
4.把CA签名后的server端证书导入keystore
keytool -import -v -trustcacerts -storepass yingevil -alias ying -file F:\CA\ying-cert.pem -keystore F:\CA\ying.jks
5.查看server端的keystore,查看JDK
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"
6.Tomcat服务器端,在conf/server.xml中加入下面一段配置
<Connector port="443"
protocol="HTTP/1.1" SSLEnabled="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLCertificateFile="F:\server\apache-tomcat-7.0.39\conf\ca-cert.cer"
SSLCertificateKeyFile="F:\server\apache-tomcat-7.0.39\conf\ca-key.pem"
keystoreFile="F:\server\apache-tomcat-7.0.39\conf\ying.jks"
keystorePass="yingevil"/>
最后将ying.jks,ca-cert.cer(原身是ca-cert.pem,.pem文件是ASCII编码的,直接改文件格式为.cer就可以),ca-key.pem三个文件拷贝到服务器conf下即可。
将java keystore file转化为p12格式:
keytool -importkeystore -srckeystore ying.jks -destkeystore ying.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass yingevil -deststorepass yingevil -srcalias ying -destalias ying -srckeypass yingevil -destkeypass yingevil -noprompt
7.服务端网络程序中的web.xml也要配置一下(加入下面一段即可),这样可以自动将http协议强制转换成https协议访问
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
可查阅官方文档 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
新建openssl.conf可参考:http://www.openssl.org/docs/apps/req.html#EXAMPLES
参考文章
http://zhumeng8337797.blog.163.com/blog/static/100768914201241645258903/
http://yushan.iteye.com/blog/434955
