本文详细介绍了如何使用Java工具生成证书密钥对,制作证书签名请求,并将其导入到keystore中。进一步指导如何在Tomcat服务器上进行SSL配置,实现HTTPS服务。包括了使用OpenSSL进行证书签名、证书转换等步骤。
Step 1)
First of all, we are going to make a keystore. This is the place we are going to store the keys in on the serverside. We will use the Java-tool keytool for this. The algorithm used here is RSA.
At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore
Fill in all the information that is asked.
A keystore with the name name.keystore is generated.
Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate
keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR file name>.csr
Enter the keystore password.
A < CSR file name>.csr file is generated.
If you are getting the CSR signed by a certifying authority, then skip the next step.
Step 3)
If you are using going to sign using your own CSR by using, for example, OpenSSL, then the steps are:
(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:
cd usr/local/
mkdir newCA
Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/
Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (“.” Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)
Create the certificates for Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
CA.sh –newca
ls -l
Send the < CSR file name>.csr file to Certification authority and Creating Server Certificate
cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the m/c acting as CA.
cd /usr/local/newCA
Create the certificate
openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM
Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:
openssl x509 -inform pem -outform der < cacert.pem > cacert.cer
We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):
Step 4)
keytool -import -alias <alias name> -file cacert.der -keystore ./name.keystore
Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore
Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
And we have to add jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME /jre/lib/ext folder and set the class path to the same.
Tomcat over SSL (HTTPS)
If we have Tomcat running as a jBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
name="jboss.security:service=JaasSecurityManager">
<attribute name="SecurityManagerClassName">
org.jboss.security.plugins.JaasSecurityDomain
</attribute>
</mbean>
2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
<depends>jboss.security:service=JaasSecurityManager</depends>
<constructor>
<arg type="java.lang.String" value="TomcatSSL" />
</constructor>
<attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
<attribute name="KeyStorePass">put your name.keystore password here</attribute>
</mbean>
3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: We remove the Connector that listens on port 8080 and replace it by one that listens on port 8443
Add the following lines:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
keystoreFile="d:\.keystore" keystorePass="123456" clientAuth="false" protocol="TLS"/>
</Connector>
After:
<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>
When you connect to your server now, don't use port http://localhost:8080, use https://localhost:8443 instead. If you used a selfsigned certificate or if your CA is not known in your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.
First of all, we are going to make a keystore. This is the place we are going to store the keys in on the serverside. We will use the Java-tool keytool for this. The algorithm used here is RSA.
At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore
Fill in all the information that is asked.
A keystore with the name name.keystore is generated.
Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate
keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR file name>.csr
Enter the keystore password.
A < CSR file name>.csr file is generated.
If you are getting the CSR signed by a certifying authority, then skip the next step.
Step 3)
If you are using going to sign using your own CSR by using, for example, OpenSSL, then the steps are:
(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:
cd usr/local/
mkdir newCA
Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/
Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (“.” Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)
Create the certificates for Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
CA.sh –newca
ls -l
Send the < CSR file name>.csr file to Certification authority and Creating Server Certificate
cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the m/c acting as CA.
cd /usr/local/newCA
Create the certificate
openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM
Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:
openssl x509 -inform pem -outform der < cacert.pem > cacert.cer
We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):
Step 4)
keytool -import -alias <alias name> -file cacert.der -keystore ./name.keystore
Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore
Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
And we have to add jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME /jre/lib/ext folder and set the class path to the same.
Tomcat over SSL (HTTPS)
If we have Tomcat running as a jBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
name="jboss.security:service=JaasSecurityManager">
<attribute name="SecurityManagerClassName">
org.jboss.security.plugins.JaasSecurityDomain
</attribute>
</mbean>
2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
<depends>jboss.security:service=JaasSecurityManager</depends>
<constructor>
<arg type="java.lang.String" value="TomcatSSL" />
</constructor>
<attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
<attribute name="KeyStorePass">put your name.keystore password here</attribute>
</mbean>
3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: We remove the Connector that listens on port 8080 and replace it by one that listens on port 8443
Add the following lines:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
keystoreFile="d:\.keystore" keystorePass="123456" clientAuth="false" protocol="TLS"/>
</Connector>
After:
<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>
When you connect to your server now, don't use port http://localhost:8080, use https://localhost:8443 instead. If you used a selfsigned certificate or if your CA is not known in your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.
扫一扫
1458
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
