
Generating certificates and deploying SSL authentication on Tomcat: step-by-step notes

2011-08-22 17:53

System environment:

Windows XP / JDK 6 / Tomcat 7 / OpenSSL

The OpenSSL used is the official 1.0.0d build; download: http://www.openssl.org/related/binaries.html

 

Preparing the software environment:

Install OpenSSL with the defaults, so it lands in c:\OpenSSL-Win32. Create a directory named cawork on drive E.

- In c:\openssl-win32\bin find openssl.cfg, copy it into cawork, open it, and in the [ CA_default ] section set the dir entry to . (the current directory), like this:

dir=. #Where everything is kept

- Create an empty file index.txt in cawork (it is openssl's database of issued certificates; we never touch it, but it must exist).

- Create a file named serial in cawork containing the two characters 01 (no quotes); it supplies the serial number when a certificate is signed.

- Create an empty directory newcerts in cawork; copies of issued certificates are stored there (not useful to us, but openssl errors out if it is missing).

 

Steps:

 

1. Generate the root certificate and its private key, and set a pass phrase

E:\cawork>openssl req -utf8 -x509 -newkey rsa:2048 -out root.cer -keyout rootKey.pem -days 3650

Loading 'screen' into random state - done

Generating a 2048 bit RSA private key

......+++

...................................................+++

writing new private key to 'rootKey.pem'

Enter PEM pass phrase: (enter a pass phrase for the private key; it is needed later. I used rootkey here)

Verifying - Enter PEM pass phrase: (enter it again)

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:(fill in the certificate's details in the fields below)

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:

Email Address []:

When this finishes we have the following files: the root certificate root.cer and its private key rootKey.pem.

 

2. Generate the server certificate request and its private key, and set a pass phrase

E:\cawork>openssl req -newkey rsa:1024 -keyout serverKey.pem -out serverRequest.pem -days 365

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

...................................................++++++

.++++++

writing new private key to 'serverKey.pem'

Enter PEM pass phrase: (enter a pass phrase for the private key; it is needed later. I used serverkey here)

Verifying - Enter PEM pass phrase: (enter it again)

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:www.cas-server.com (must match the domain name, otherwise you get a certificate warning once it is deployed)

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

When this finishes we have the server's certificate request serverRequest.pem and its private key serverKey.pem.

 

3. Issue the certificate

E:\cawork>c:\openssl-win32\bin\openssl.exe ca -config "./openssl.cfg" -cert root.cer -keyfile rootKey.pem -in serverRequest.pem -out server.cer

Using configuration from ./openssl.cfg

Loading 'screen' into random state - done

Enter pass phrase for rootKey.pem: (rootkey)

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug 22 08:23:15 2011 GMT

            Not After : Aug 21 08:23:15 2012 GMT

        Subject:

            countryName               = AU

            stateOrProvinceName       = Some-State

            organizationName          = Internet Widgits Pty Ltd

            commonName                = www.cas-server.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                48:8E:0E:46:D4:CC:26:6C:B9:4A:61:19:FC:AB:8D:DA:4E:9E:FA:5C

            X509v3 Authority Key Identifier:

                keyid:BE:83:33:87:FD:A0:ED:0C:6A:F7:2A:8A:B0:C4:0C:B8:AC:C1:67:07

 

Certificate is to be certified until Aug 21 08:23:15 2012 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

This gives us the server certificate server.cer.

 

4. Repeating steps 2 and 3 produces a certificate for client authentication.

 

5. Export the server certificate together with the root certificate as a pkcs12 file

E:\cawork>openssl pkcs12 -export -in server.cer -inkey serverKey.pem -out server.p12 -chain -CAfile root.cer

Loading 'screen' into random state - done

Enter pass phrase for serverKey.pem:(serverkey)

Enter Export Password:(server)

Verifying - Enter Export Password:(server)

 

6. Configure Tomcat: edit /conf/server.xml

 

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="E:/cawork/server.p12" keystorePass="server" keystoreType="pkcs12"
           clientAuth="false" sslProtocol="TLS" />
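The preparation and steps 1 to 5 above, as one non-interactive script with a verification step at the end. This is an added example, not part of the original post: it writes the same files (index.txt, serial, newcerts, root.cer, rootKey.pem, serverRequest.pem, serverKey.pem, server.cer, server.p12) but replaces the copied openssl.cfg with a small config of its own, uses 2048-bit keys and SHA-256 instead of the 1024-bit server key and OpenSSL 1.0.0's SHA-1 default, and adds a subjectAltName because browsers no longer accept a CN match alone. It assumes an openssl binary on PATH; the pass phrases rootkey/serverkey/server are the post's illustrative values and are passed on the command line only to keep the script non-interactive. The "Example Root CA" name and the directory layout are the example's own choices.

```sh
#!/bin/sh
# Added example (not from the original post): steps 1-5 as one script.
# Assumes `openssl` on PATH. Pass phrases are passed with pass: only so the
# script can run unattended; they are the post's illustrative values.
set -eu

# Create root.cer/rootKey.pem, serverRequest.pem/serverKey.pem, server.cer and
# server.p12 inside directory $1 for host name $2. Non-zero status on failure.
make_cert_chain() {
    workdir=$1
    host=$2
    mkdir -p "$workdir/newcerts"    # copies of issued certs; openssl ca needs it
    (
        cd "$workdir"
        : > index.txt               # openssl ca's database of issued certificates
        echo 01 > serial            # serial number for the next certificate

        # Minimal config in place of the copied openssl.cfg: [CA_default] with
        # dir=. as in the post, a CA profile for the root, a server profile
        # that carries a subjectAltName for host name matching.
        cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/root.cer
private_key     = \$dir/rootKey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
        # Step 1: root key and self-signed root certificate, valid 10 years.
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -sha256 -days 3650 \
            -keyout rootKey.pem -out root.cer -passout pass:rootkey \
            -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Example Root CA" 2>/dev/null
        # Step 2: server key and certificate request; the CN is the host name.
        openssl req -config ca.cnf -newkey rsa:2048 -sha256 \
            -keyout serverKey.pem -out serverRequest.pem -passout pass:serverkey \
            -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=$host" 2>/dev/null
        # Step 3: sign the request with the root CA. -batch answers the y/n
        # prompts; -notext keeps the text dump out of server.cer.
        openssl ca -config ca.cnf -batch -notext -passin pass:rootkey \
            -in serverRequest.pem -out server.cer 2>/dev/null
        # Step 5: bundle server cert, its key and the root into a PKCS#12 keystore.
        openssl pkcs12 -export -in server.cer -inkey serverKey.pem -passin pass:serverkey \
            -certfile root.cer -out server.p12 -passout pass:server 2>/dev/null
    )
}

# Check that $1/server.cer chains to $1/root.cer, is usable as a TLS server
# certificate, and is valid for host name $2.
check_server_cert() {
    openssl verify -CAfile "$1/root.cer" -purpose sslserver \
        -verify_hostname "$2" "$1/server.cer" >/dev/null 2>&1
}

# Print the commonName of the PEM certificate in $1.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage: make_cert_chain /path/to/cawork www.cas-server.com
#        check_server_cert /path/to/cawork www.cas-server.com && echo ok
```

The resulting server.p12 is what the keystoreFile, keystorePass and keystoreType="pkcs12" attributes in step 6 point at. Once the connector is up, the same root.cer that issued the certificate is what a client needs to trust it; openssl s_client -connect www.cas-server.com:8443 -CAfile root.cer shows whether the chain verifies from the outside. Two version notes: the -chain -CAfile form used in step 5 and the -certfile form used here both put the root into the keystore; and OpenSSL 3 writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, which the JDK 6 of this post cannot open (OpenSSL 3's pkcs12 -legacy option produces the older format).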

 