Reposted from http://11lingxian.iteye.com/blog/1491607

Two-way authentication:

  1. The client sends a message to the server: it first encrypts the message with the client certificate, then sends the encrypted message together with the client certificate to the server.
  2. When the server receives the message, it first decrypts it with the client certificate, then encrypts it with the server private key and sends the server certificate together with the message to the client.
  3. The client decrypts the message with the server certificate it received, encrypts the message with the server certificate, then encrypts it once more with the client certificate, and sends the encrypted message together with the client certificate to the server.
  4. The server first decrypts the message with the certificate the client sent, which confirms the message came from that client, then decrypts it with the server private key to obtain the plaintext.

One-way authentication:

  1. The client sends a message to the server.
  2. When the server receives the message, it encrypts the data with the private key from the server keystore, then sends the encrypted data together with the server public key to the client.
  3. The client decrypts the data with the public key the server sent, then encrypts the data with that same server public key and sends it to the server.
  4. The server decrypts the data with its private key.

This takes care of securing the communication between client and server, but one-way authentication does not verify that the client is legitimate.

==========================

Installing OpenSSL on Windows

Download OpenSSL for Windows from

http://gnuwin32.sourceforge.net/packages/openssl.htm

Unpack it and set the PATH environment variable to include its bin folder.

Download the OpenSSL configuration file http://www.securityfocus.com/data/tools/openssl.conf

and copy it into a folder so that it can be named on the command line; here that is c:/ssl/.

Otherwise openssl fails at run time with: Unable to load config info from /usr/local/ssl/openssl.cnf

=============================

The installation and configuration below is for Linux with tomcat-5.5.30.

I. Create the directories

    cd /home
    mkdir ssl
    cd ssl
    mkdir ca
    mkdir client
    mkdir server

Steps to create a certificate:

(1) Generate the private key

(2) Generate the certificate signing request

(3) Generate the X.509 certificate, signed with the CA private key

(4) Export it to the .p12 format that browsers accept

II. Generate the CA certificate

No third-party CA is used here; we act as our own CA.

1. Create the private key:

openssl genrsa -out ca/ca-key.pem 1024

(The original uses 1024-bit RSA keys throughout; current practice is at least 2048 bits.)

2. Create the certificate request:

openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:ca@ca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Self-sign the certificate:

openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

4. Export the certificate to the .p12 format that browsers accept:

openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

Password: 123456

III. Generate the server certificate

1. Create the private key:

openssl genrsa -out server/server-key.pem 1024

2. Create the certificate request:

openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost   # this must be the IP address (or host name) at which the server is reached
Email Address []:server@server.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Have the CA sign the certificate:

openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

Do not add -signkey server/server-key.pem to this command: when -signkey is present, openssl x509 self-signs the certificate with that key instead of issuing it from the CA, and a self-signed server certificate will not validate against a truststore that holds only ca-cert.pem.

4. Export the certificate to the .p12 format that browsers accept:

openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

Password: 123456

IV. Generate the client certificate

1. Create the private key:

openssl genrsa -out client/client-key.pem 1024

2. Create the certificate request:

openssl req -new -out client/client-req.csr -key client/client-key.pem

-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong
Email Address []:dong@dong.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Have the CA sign the certificate:

openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

Do not add -signkey client/client-key.pem here either: with -signkey present, openssl x509 self-signs the certificate instead of issuing it from the CA, and the server will then reject the client certificate because it does not chain to ca-cert.pem.

4. Export the certificate to the .p12 format that browsers accept:

openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12

Password: 123456

V. Build the JKS (Java keystore) trust store from the CA certificate

keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
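The CA, server and client steps above, scripted as an added example (not the original post's commands) so the build can be re-run and checked: it generates the same subjects that were typed at the prompts, issues the server and client certificates from the CA, and then verifies each one against ca-cert.pem, which is all that truststore.jks will trust. It assumes openssl on PATH and an empty work directory, and uses 2048-bit keys instead of 1024.

```shell
#!/bin/sh
# Added example, not the original post's commands: a non-interactive run of
# the CA, server and client steps plus the chain check to do before loading
# anything into Tomcat. Assumes openssl 1.1 or 3.x on PATH, empty work dir.
# Changes from the page: 2048-bit keys, -subj instead of prompts, and the
# server and client certificates are signed with the CA key only (adding
# -signkey as well would make openssl x509 self-sign them instead).
set -eu

CA_SUBJ="/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=ca/emailAddress=ca@ca.com"
SERVER_SUBJ="/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=localhost/emailAddress=server@server.com"
CLIENT_SUBJ="/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=dong/emailAddress=dong@dong.com"
P12_PASS=123456   # the .p12 export password the page uses

# build_pki DIR: create DIR/{ca,server,client} with keys, certificates and .p12 files.
build_pki() {
    dir=$1
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"
    # CA: key, request, and a genuinely self-signed certificate.
    openssl genrsa -out "$dir/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/ca/ca-key.pem" -subj "$CA_SUBJ" -out "$dir/ca/ca-req.csr"
    openssl x509 -req -in "$dir/ca/ca-req.csr" -signkey "$dir/ca/ca-key.pem" \
        -days 3650 -out "$dir/ca/ca-cert.pem" 2>/dev/null
    # Server and client: key, request, certificate issued by the CA, .p12 bundle.
    for name in server client; do
        if [ "$name" = server ]; then subj=$SERVER_SUBJ; else subj=$CLIENT_SUBJ; fi
        openssl genrsa -out "$dir/$name/$name-key.pem" 2048 2>/dev/null
        openssl req -new -key "$dir/$name/$name-key.pem" -subj "$subj" \
            -out "$dir/$name/$name-req.csr"
        openssl x509 -req -in "$dir/$name/$name-req.csr" -CA "$dir/ca/ca-cert.pem" \
            -CAkey "$dir/ca/ca-key.pem" -CAcreateserial -days 3650 \
            -out "$dir/$name/$name-cert.pem" 2>/dev/null
        openssl pkcs12 -export -clcerts -in "$dir/$name/$name-cert.pem" \
            -inkey "$dir/$name/$name-key.pem" -passout "pass:$P12_PASS" \
            -out "$dir/$name/$name.p12"
    done
}

# chain_ok DIR NAME: true only if NAME's certificate validates against the CA
# certificate, i.e. what a truststore holding only ca-cert.pem will accept.
chain_ok() {
    openssl verify -CAfile "$1/ca/ca-cert.pem" "$1/$2/$2-cert.pem" >/dev/null 2>&1
}

# cn_of DIR NAME: print the certificate's CN; ca, server and client must differ.
cn_of() {
    openssl x509 -noout -subject -in "$1/$2/$2-cert.pem" | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}
```

Run build_pki on a fresh directory, then chain_ok on server and client; a chain_ok failure here means Tomcat with truststore.jks will reject that certificate too.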

VI. Configure Tomcat SSL

Edit conf/server.xml. Tomcat 6 adds the SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths for your system; keystorePass must be the password given when server.p12 was exported (123456 above) and truststorePass the -storepass used when truststore.jks was created.

Tomcat 5.5 configuration:

    <Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="true" sslProtocol="TLS"
        keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
        truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" />

Tomcat 6.0 configuration:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="true" sslProtocol="TLS"
        keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
        truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>

Tomcat 7.0 configuration:

JSSE mode

    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false"  sslProtocol="TLS"
        keystoreFile="G:\360data\重要数据\.keystore" keystorePass="changeit"
        truststoreFile="E:\Program Files\Java\jdk1.6.0_14\jre\lib\security\cacerts" truststorePass="222222" truststoreType="JKS"
        SSLEnabled="true"   protocol="org.apache.coyote.http11.Http11NioProtocol"
        />

Note that this connector has clientAuth="false", so it only performs one-way (server) authentication; for the two-way setup this post describes it must be "true".

APR mode

    <Connector port="8443"
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        maxThreads="150"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="true"
        SSLEnabled="true"
        SSLProtocol="all"
        SSLCipherSuite="ALL"
        SSLCertificateFile="../conf/ssl/server-cert.pem"
        SSLCertificateKeyFile="../conf/ssl/server-key.pem"
        SSLCACertificateFile="../conf/ssl/ca-cert.pem"
        SSLCACertificatePath="../conf/ssl"
        SSLVerifyDepth="15"
        SSLVerifyClient="require"
        />

SSLProtocol="all" and SSLCipherSuite="ALL" accept every protocol version and cipher the native library offers, including obsolete ones; restrict both before exposing this connector beyond a test setup.

VII. Test (on Linux)

openssl s_client -connect localhost:8443 -cert /home/ssl/client/client-cert.pem -key /home/ssl/client/client-key.pem -tls1 -CAfile /home/ssl/ca/ca-cert.pem -state -showcerts

Once the handshake completes, type a request into the session, followed by an empty line:

GET /index.jsp HTTP/1.0

VIII. Import the certificates

On the server, import the server.p12 and ca.p12 certificates.

On the client, import the ca.p12 and client.p12 certificates.

In IE (open IE -> Internet Options -> Content -> Certificates):

import ca.p12 into Trusted Root Certification Authorities and client.p12 into Personal.

In Firefox (Tools - Options - Advanced - Encryption - View Certificates - Your Certificates):

import both ca.p12 and client.p12 here.

Note: the common names of the ca, server and client certificates (ca=ca, server=localhost, client=dong) must not repeat, otherwise the SSL handshake fails.

IX. Using browser certificate authentication in a Tomcat application

In server/webapps/manager/WEB-INF/web.xml, change BASIC authentication to certificate authentication:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Tomcat Manager Application</realm-name>
    </login-config>

Put the following into conf/tomcat-users.xml:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
        <role rolename="manager"/>
        <role rolename="admin"/>
        <role rolename="user"/>
        <user username="EMAILADDRESS=dong@dong.com, CN=dong, OU=tb, O=tb, L=bj, ST=bj, C=cn" password="null" roles="admin,user,manager"/>
    </tomcat-users>

Open https://localhost:8443 to verify that SSL works.

Open https://localhost:8443/manager/html to verify that the application authenticates with the client certificate.
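Why the username in that <user> entry looks the way it does, as an added example that is not part of the original post: the CLIENT-CERT realm compares the certificate subject exactly as Java prints it, in RFC 2253 order (e-mail and CN first, country last), joined by ", " and with the e-mail attribute spelled EMAILADDRESS, which is the reverse of the /C=.../CN=.../emailAddress=... form OpenSSL shows. The functions below do that conversion and look the result up in a constructed copy of the tomcat-users.xml above; they assume POSIX sh, sed and paste.

```shell
#!/bin/sh
# Added example, not from the original post. tomcat_username turns the subject
# as OpenSSL prints it (/C=.../CN=.../emailAddress=...) into the string Java
# uses for the certificate subject, which is what Tomcat's CLIENT-CERT realm
# compares against username="..." in tomcat-users.xml.
set -eu

# tomcat_username SUBJECT: reverse the RDN order, spell the e-mail attribute as
# Java does, and join the attributes with ", ".
tomcat_username() {
    printf '%s\n' "$1" | tr '/' '\n' \
        | sed '/^$/d; s/^emailAddress=/EMAILADDRESS=/' \
        | sed -n '1!G;h;$p' | paste -s -d ',' - | sed 's/,/, /g'
}

# write_users_xml FILE: a constructed copy of the realm file shown above.
write_users_xml() {
    cat >"$1" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="user"/>
  <user username="EMAILADDRESS=dong@dong.com, CN=dong, OU=tb, O=tb, L=bj, ST=bj, C=cn" password="null" roles="admin,user,manager"/>
</tomcat-users>
EOF
}

# roles_for_subject SUBJECT FILE: print the roles of the <user> whose username
# is exactly the converted subject; prints nothing (no access) when there is no
# exact match, e.g. for the server certificate or a differently ordered DN.
roles_for_subject() {
    user=$(tomcat_username "$1")
    grep -F "username=\"$user\"" "$2" | sed -n 's/.*roles="\([^"]*\)".*/\1/p'
}
```

Because the match is an exact string comparison, any change in attribute order, spacing or spelling of the DN silently maps to "no user" rather than to a partial match.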

Used keytool to self-author a server certificate for DEMO

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ukari>cd \program*
The filename, directory name, or volume label syntax is incorrect.

C:\Program Files>cd java

C:\Program Files\Java>cd jdk*

C:\Program Files\Java\jdk1.5.0_11>cd bin

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
[Unknown]: compA
What is the name of your organizational unit?
[Unknown]: Information Systems
What is the name of your organization?
[Unknown]: Pacific Disaster Center
What is the name of your City or Locality?
[Unknown]: Kihei
What is the name of your State or Province?
[Unknown]: HI
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US correct?
[no]: yes

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST 2007
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore

C:\Program Files\Java\jdk1.5.0_11\bin>

If the following line gives an error:

keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

then check whether the file "..\jre\lib\security\cacerts" already exists; if it does, back it up, delete it and retry, and it will work. Keep in mind that cacerts is the JDK's default trust store, so deleting it also discards the public root CAs that ship with it.
