tomcat双向认证服务器部署

原始出处http://520and519.blog.51cto.com/2254416/1432514一、准备环境搭建平台：linux+apache-tomcat-7.0.35.tar.gz二、生成CA证书创建目录：#mkdir ca client server目前不使用第三方权威机构的CA来认证，自己充当CA的角色。 2.1 创建私钥#openssl genrsa -out ca/ca-key.pem 1024 2.2 创建证书请求#openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem-----Country Name (2 letter code) [AU]:cnState or Province Name (full name) [Some-State]:bjLocality Name (eg, city) []:bjOrganization Name (eg, company) [Internet Widgits Pty Ltd]:tbOrganizational Unit Name (eg, section) []:tbCommon Name (eg, YOUR name) []:caEmail Address []:ca@ca.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:2.3 自签署证书#openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650 2.4 将证书导出成浏览器支持的.p12格式#openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12 密码：123456三、生成server证书3.1 创建私钥 #openssl genrsa -out server/server-key.pem 1024 3.2 创建证书请求#openssl req -new -out server/server-req.csr -key server/server-key.pem-----Country Name (2 letter code) [AU]:cnState or Province Name (full name) [Some-State]:bjLocality Name (eg, city) []:bjOrganization Name (eg, company) [Internet Widgits Pty Ltd]:tbOrganizational Unit Name (eg, section) []:tbCommon Name (eg, YOUR name) []:localhost #此处一定要写服务器所在ipEmail Address []:server@server.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:3.3 自签署证书#openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 3.4 将证书导出成浏览器支持的.p12格式#openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12 密码：123456四、生成client证书4.1 创建私钥#openssl genrsa -out client/client-key.pem 1024 4.2 创建证书请求#openssl req -new -out client/client-req.csr -key client/client-key.pem-----Country Name (2 letter code) [AU]:cnState or Province Name (full name) [Some-State]:bjLocality Name (eg, city) []:bjOrganization Name (eg, company) [Internet Widgits Pty Ltd]:tbOrganizational Unit Name (eg, section) []:tbCommon Name (eg, YOUR name) []:dongEmail Address []:dong@dong.com Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []: 4.3 自签署证书#openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 4.4将证书导出成浏览器支持的.p12格式#openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 密码：1234564.5 根据ca证书生成jks文件 (java keystore)#keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem#keytool -import -keystore truststore.jks -keypass 222222 -storepass 222222 -alias client -import -trustcacerts -file client/client-cert.pem ------导入client证书，让服务器信任client证书#keytool -list -v -keystore truststore.jks --查看keystore，密码：222222五、配置tomcat ssl修改conf/server.xml。tomcat中多了SSLEnabled="true"属性。keystorefile, truststorefile设置为你正确的相关路径 xml 代码修改如下： <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="/root/ca/server/server.p12" keystorePass="123456" keystoreType="PKCS12" truststoreFile="/root/ca/truststore.jks" truststorePass="222222" truststoreType="JKS"/> 属性说明：clientAuth:设置是否双向验证，默认为false，设置为true代表双向验证keystoreFile:服务器证书文件路径keystorePass:服务器证书密码truststoreFile:用来验证客户端证书的根证书，此例中就是ca证书truststorePass:根证书密码六、客户端验证
启动tomcat服务，客户端导入client.p12证书，然后访问https://ip:8443