OpenSSL

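This document describes in detail how to create certificates with OpenSSL and import them into a Java KeyStore, and then configure the Apache Tomcat server to support SSL-encrypted connections and client authentication. The steps include generating OpenSSL keys and a certificate request, creating a server certificate and keystore, and configuring the application server.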


Thanks to: http://emo.sourceforge.net/cert-login-howto.html

Some command parameters have changed, so I reorganized the procedure myself.

1. Create OpenSSL keys and request -- run OpenSSL as administrator
1). openssl> req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
2). openssl> x509 -trustout -signkey ca.key -days 1825 -req -in ca.csr -out ca.pem
3). Create a text file named "ca.srl", give it the contents "02", and save it.

2. Create a server certificate and keystore
1). Go to the %JAVA_HOME%/jre/bin folder and run the keytool command as administrator:
>keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -validity 365 -keystore tomcat.keystore
2). Next, import the certificate created in OpenSSL:
>keytool -import -keystore tomcat.keystore -file ca.pem


3. Configure the application server
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="C:/Program Files/Java/jdk1.7.0_21/jre/bin/tomcat.keystore"
truststoreFile="C:/Program Files/Java/jdk1.7.0_21/jre/bin/tomcat.keystore"
keystorePass="changeit"
truststorePass="changeit"/>

4. Set up client authentication
1). openssl> req -new -newkey rsa:1024 -nodes -out client1.req -keyout client1.key
2). openssl> x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem
3). openssl> pkcs12 -export -in client1.pem -inkey client1.key -out client1.p12 -name "Sample Client Cert"


If you are using the Firefox browser, you can reach the certificate import screen via Tools -> Options.
Click on the Advanced tab, click "Encryption", and then click the "View Certificates" button.
The screen displayed will have the option to import a new certificate.
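
The CA and client-certificate steps above (steps 1 and 4) as a non-interactive script that also checks the result; this is an added example, not part of the original post. It assumes 2048-bit keys instead of the post's 1024, a constructed config file ca.cnf that marks the CA certificate with basicConstraints CA:TRUE, constructed subject names, and hypothetical helper function names.

```shell
# Added example, not from the original post. Subjects and ca.cnf are constructed.

# cert_bits FILE: print the public-key size (in bits) of a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# strong_enough BITS: succeed only for RSA keys of at least 2048 bits.
strong_enough() { [ "$1" -ge 2048 ]; }

# build_chain DIR: create a CA and one client certificate in DIR, following
# steps 1 and 4 but with 2048-bit keys and an explicit CA extension.
build_chain() {
    ( cd "$1" || exit 1
      cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
      openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
          -config ca.cnf -keyout ca.key -out ca.pem 2>/dev/null || exit 1
      printf '02\n' > ca.srl    # serial file, as in step 1, item 3
      openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
          -subj "/CN=client1" -out client1.req -keyout client1.key \
          2>/dev/null || exit 1
      openssl x509 -req -sha256 -days 365 -in client1.req -CA ca.pem \
          -CAkey ca.key -CAserial ca.srl -out client1.pem 2>/dev/null || exit 1
    )
}

# check_client DIR: the client certificate must chain to DIR/ca.pem and carry
# a key of at least 2048 bits; any failure gives a non-zero status.
check_client() {
    openssl verify -CAfile "$1/ca.pem" "$1/client1.pem" >/dev/null 2>&1 &&
        strong_enough "$(cert_bits "$1/client1.pem")"
}
```

Call build_chain on an empty directory, then check_client on the same directory; a non-zero status means client1.pem does not chain to ca.pem or its key is under 2048 bits.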