跪求大虾帮忙...请大虾门耐心往下看呀!以下是从网上拿下来的制件的服务器与客户端的证书的步骤:2.生成CA密钥
openssl genrsa -out ca/ca-key.pem 1024
genrsa [产生密钥命令] ?out[密钥文件输出路径] 1024 [密钥位数]
3.生成待签名的证书
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
req[产生证书命令]-new[新生成]-out[证书文件输出路径]-key[私钥文件路径]
4.用CA私钥自签名
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365
x509[签发x509证书命令]-req[输入待签发证书]-in[输入待签发证书文件路径]-out[产生x509证书文件输出路径]-signkey[自签发密钥文件路径]-days[证书有效期]?CA[签发跟证书]-Cakey[根证书密钥文件] ?-CAcreateserial[创建序列号]
2.2 配置Tomcat 4.X
2.2.1建立服务器证书
[注] 在本文中用符号"%JDK_HOME%"来表示JDK的安装位置,用符号"%TCAT_HOME%" 表示Tomcat的安装位置。
1.建立工作目录
在目录下建立自己的server目录,例如:server
2.生成server密钥对
C:\j2sdk1.4.1_01\bin\keytool -genkey -alias tomcat -validity 365 -keyalg RSA -keysize 1024 -keystore server/server_keystore
-genkey[产生密钥对]-alias[密钥对别名]-validity[密钥有效期]-keyalg[密钥算法参数]-keysize[密钥位数]-keypass[密钥保护密码]-storepass[存储密码]-dname[别名相关附加信息]-keystore[密钥存储文件路径]
[注] -alias后的tomcat是密钥对的名字可替换为自己需要的名字;
-keypass与-storepass后的密码为保护密码必须6位;
其中cn是服务器的名字一定要与WEB服务器中设置的一样。
3.生成待签名证书
C:\j2sdk1.4.1_01\bin\keytool -certreq -alias tomcat -sigalg MD5withRSA -file server/server.csr -keypass allcom -keystore server/server_keystore -storepass allcom
-certreq[产生待签名证书]-alias[证书别名]-sigalg[证书算法参数]-file [产生文件输出路径]-keypass[密钥保护密码]-keystore[存储文件路径]-storepass[存储密码]
4.拷贝C:\openssl\apps\ca-cert.srl文件到ca目录
5.用CA私钥签名
openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 365
2.2.2将CA根证书和服务器证书导入Tomcat
1. 导入CA根证书
C:\j2sdk1.4.1_01\bin\keytool -import -v -trustcacerts -storepass allcom -alias allcom_ca_root -file ca/ca-cert.pem -keystore server/cacerts
-import[导入命令] -v?trustcacerts[导入信任证书] ?storepass[存储密码]-alias[证书别名]-file[证书文件路径]-keystore[导入文件路径]-alias为CA根证书的别名。
2.拷贝cacerts文件到C:\j2sdk1.4.1_01\jre\lib\security目录
3.导入服务器证书
C:\j2sdk1.4.1_01\bin\keytool -import -v -trustcacerts -storepass allcom -alias tomcat -file server/server-cert.pem -keystore server/server_keystore
[注] 此时的-storepass为生成证书时输入密码。-alias为服务器证书的别名。
4.查看证书
查看CA证书
C:\j2sdk1.4.1_01\bin\keytool -list -keystore server/cacerts
查看服务器证书
C:\j2sdk1.4.1_01\bin\keytool -list -keystore server/server_keystore
2.2.3修改Tomcat的配置文件
1.把文件server/ server_keystore复制到目录%TCAT_HOME%/conf下
2.修改conf目录下server.xml文件找到以下内容去掉其注释并修改。
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="false"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="c:/tomcat 4.0.6/conf/server_keystore" keystorePass="allcom"/>
</Connector>
2.3 配置IE客户端
2.3.1建立Client证书
1.建立自己的Client目录,例如:client
2.生成Client密钥对
openssl genrsa -out client/client-key.pem 1024
3.生成待签名的证书
openssl req -new -out client/client-req.csr -key client/client-key.pem
4.用CA私钥签名
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365
5.生成Client端可以导入的个人证书
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
pkcs12[生成PKS12格式证书命令]-export[导出文件]-clerts[仅导出client证书]-in[输入的client证书文件路径]-inkey[client证书密钥文件路径]-out[导出PKS12格式文件路径]
2.3.2将CA证书与client证书导入IE
1. 导入CA根证书
将目录ca中的ca-cert.pem改名为ca-cert.cer;
在client端的IE中使用<工具>,< Internet选项>,<内容>,<证书>,<导入>,把我们生成的CA根证书导入,使其成为用户信任的CA。
2. 导入client证书
将client证书(client.p12)导入到client端的IE中作为client证书,导入过程同上
在Tomcat中我的设置如下: <Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="E:\apache-tomcat-5.5.33\conf\server.keystore"
keystorePass="wmj911"/>
这样只能是单向的,我想设置成双向的,将clientAuth="false"改成clientAuth="true",还是不得,浏览器都没有向
想像的那样要求要证书,也没有反应
openssl genrsa -out ca/ca-key.pem 1024
genrsa [产生密钥命令] ?out[密钥文件输出路径] 1024 [密钥位数]
3.生成待签名的证书
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
req[产生证书命令]-new[新生成]-out[证书文件输出路径]-key[私钥文件路径]
4.用CA私钥自签名
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365
x509[签发x509证书命令]-req[输入待签发证书]-in[输入待签发证书文件路径]-out[产生x509证书文件输出路径]-signkey[自签发密钥文件路径]-days[证书有效期]?CA[签发跟证书]-Cakey[根证书密钥文件] ?-CAcreateserial[创建序列号]
2.2 配置Tomcat 4.X
2.2.1建立服务器证书
[注] 在本文中用符号"%JDK_HOME%"来表示JDK的安装位置,用符号"%TCAT_HOME%" 表示Tomcat的安装位置。
1.建立工作目录
在目录下建立自己的server目录,例如:server
2.生成server密钥对
C:\j2sdk1.4.1_01\bin\keytool -genkey -alias tomcat -validity 365 -keyalg RSA -keysize 1024 -keystore server/server_keystore
-genkey[产生密钥对]-alias[密钥对别名]-validity[密钥有效期]-keyalg[密钥算法参数]-keysize[密钥位数]-keypass[密钥保护密码]-storepass[存储密码]-dname[别名相关附加信息]-keystore[密钥存储文件路径]
[注] -alias后的tomcat是密钥对的名字可替换为自己需要的名字;
-keypass与-storepass后的密码为保护密码必须6位;
其中cn是服务器的名字一定要与WEB服务器中设置的一样。
3.生成待签名证书
C:\j2sdk1.4.1_01\bin\keytool -certreq -alias tomcat -sigalg MD5withRSA -file server/server.csr -keypass allcom -keystore server/server_keystore -storepass allcom
-certreq[产生待签名证书]-alias[证书别名]-sigalg[证书算法参数]-file [产生文件输出路径]-keypass[密钥保护密码]-keystore[存储文件路径]-storepass[存储密码]
4.拷贝C:\openssl\apps\ca-cert.srl文件到ca目录
5.用CA私钥签名
openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 365
2.2.2将CA根证书和服务器证书导入Tomcat
1. 导入CA根证书
C:\j2sdk1.4.1_01\bin\keytool -import -v -trustcacerts -storepass allcom -alias allcom_ca_root -file ca/ca-cert.pem -keystore server/cacerts
-import[导入命令] -v?trustcacerts[导入信任证书] ?storepass[存储密码]-alias[证书别名]-file[证书文件路径]-keystore[导入文件路径]-alias为CA根证书的别名。
2.拷贝cacerts文件到C:\j2sdk1.4.1_01\jre\lib\security目录
3.导入服务器证书
C:\j2sdk1.4.1_01\bin\keytool -import -v -trustcacerts -storepass allcom -alias tomcat -file server/server-cert.pem -keystore server/server_keystore
[注] 此时的-storepass为生成证书时输入密码。-alias为服务器证书的别名。
4.查看证书
查看CA证书
C:\j2sdk1.4.1_01\bin\keytool -list -keystore server/cacerts
查看服务器证书
C:\j2sdk1.4.1_01\bin\keytool -list -keystore server/server_keystore
2.2.3修改Tomcat的配置文件
1.把文件server/ server_keystore复制到目录%TCAT_HOME%/conf下
2.修改conf目录下server.xml文件找到以下内容去掉其注释并修改。
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="false"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="c:/tomcat 4.0.6/conf/server_keystore" keystorePass="allcom"/>
</Connector>
2.3 配置IE客户端
2.3.1建立Client证书
1.建立自己的Client目录,例如:client
2.生成Client密钥对
openssl genrsa -out client/client-key.pem 1024
3.生成待签名的证书
openssl req -new -out client/client-req.csr -key client/client-key.pem
4.用CA私钥签名
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365
5.生成Client端可以导入的个人证书
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
pkcs12[生成PKS12格式证书命令]-export[导出文件]-clerts[仅导出client证书]-in[输入的client证书文件路径]-inkey[client证书密钥文件路径]-out[导出PKS12格式文件路径]
2.3.2将CA证书与client证书导入IE
1. 导入CA根证书
将目录ca中的ca-cert.pem改名为ca-cert.cer;
在client端的IE中使用<工具>,< Internet选项>,<内容>,<证书>,<导入>,把我们生成的CA根证书导入,使其成为用户信任的CA。
2. 导入client证书
将client证书(client.p12)导入到client端的IE中作为client证书,导入过程同上
在Tomcat中我的设置如下: <Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="E:\apache-tomcat-5.5.33\conf\server.keystore"
keystorePass="wmj911"/>
这样只能是单向的,我想设置成双向的,将clientAuth="false"改成clientAuth="true",还是不得,浏览器都没有向
想像的那样要求要证书,也没有反应
<security-constraint>
<web-resource-collection>
<web-resource-name>must https</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>但是:输入http://localhost:8443/SS/还是可以访问我页面。。好像不起作用呀、、求大虾门帮忙呀、、不胜感激涕零...
那感觉没得说、、真想掐死他、、首先声明,以下是从网上拿下来实践成功的
SSL: Security Socket Layer Protocol
公钥与私钥:对于OpenSSL, 私钥里面也包括了公钥信息。 所以公钥不需要单独生成。
公钥生成算法: 最流行的与证书相关的为 RSA和DSA. 详述: 要实现SSL双向认证, 你必须同时配置Web服务器证书和客户端证书, 并且需要在服务器和客户端之间正确安装根证书。所以, 要配置好双向SSL, 我们需要有这几样东西。 下面我一点点讲述它的详细步骤, 总共分为六个大步: 准备工作: 创建一个ssl目录, 在ssl里面再创建 ca 目录, client 目录, server 目录, jks目录, 然后定位到ssl目录. 第一大步:生成自签名CA证书 A) 创建CA私钥
zhou@ubuntu:~/ssl$ openssl genrsa -out ca/ca-key.pem 2048
genrsa 的意思就是生成rsa 私钥
-out 参数指的是生成的私钥放哪里
2048这个参数在很多其它网上的文档里面写的都是1024, 我写2048是在openssl.org官方网站里面看到的。
如下:The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as fewer amount of bits is consider insecure or to be insecure pretty soon.
B) 用CA私钥生成CA证书请求
zhou@ubuntu:~/ssl$ openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
req 的意思是生成CA证书请求
-new 估计是表示用来生成新的证书请求
-out 表示将证书请求文件放到哪里
-key 表示用哪个私钥来生成证书请求 键入回车之后,系统会要求你填写如下一系列的信息:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn //哪个国家
State or Province Name (full name) [Some-State]:zhejiang //哪个省份
Locality Name (eg, city) []:hangzhou //哪个城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian //哪个公司
Organizational Unit Name (eg, section) []:CPT //部门名称
Common Name (eg, YOUR name) []:zhizhang //你的名字
Email Address []:[email protected] //你的邮箱 Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit //密码
An optional company name []:lianlian group //公司还可以叫什么名字 理论上来讲, 生成的证书请求交由CA机构后,它会颁发由CA签发的证书, 我们这里由自签名证书来代替。 C) 用CA私钥和CA证书请求生成CA自签名证书
zhou@ubuntu:~/ssl$ openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 1095
键入回车之后,系统提示签名Ok:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=zhizhang/[email protected]
Getting Private key 第二大步:生成server 证书 A) 创建Server私钥
zhou@ubuntu:~/ssl$ openssl genrsa -out server/server-key.pem 2048
B) 用Server私钥生成Server证书请求
zhou@ubuntu:~/ssl$ openssl req -new -out server/server-req.csr -key server/server-key.pem
键入回车之后,系统会要求你填写如下一系列的信息:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian
Organizational Unit Name (eg, section) []:CPT
Common Name (eg, YOUR name) []:localhost //这里应当跟CA证书不一样, 应当是服务器域名或是IP
Email Address []:[email protected] Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:lianlian group C) 用Server私钥, Server证书请求, CA私钥和CA证书, 生成Server自签名证书
zhou@ubuntu:~/ssl$ openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
系统返回签名OK
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=localhost/[email protected]
Getting Private key
Getting CA Private Key D) Server将证书导出成浏览器支持的.p12格式
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
键入指令后,系统会要求输两次密码: changeit
Enter Export Password:
Verifying - Enter Export Password:
第三大步:生成client 证书
A) 创建Client私钥
zhou@ubuntu:~/ssl$ openssl genrsa -out client/client-key.pem 2048
键入回车后返回:
Generating RSA private key, 2048 bit long modulus
.....................................................+++
..............+++
e is 65537 (0x10001) B) 用Client私钥生成Client证书请求 zhou@ubuntu:~/ssl$ openssl req -new -out client/client-req.csr -key client/client-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian
Organizational Unit Name (eg, section) []:CPT
Common Name (eg, YOUR name) []:clienthost //这里我不太清楚具体应当写什么, 我写的是客户端服务器的地址。
Email Address []:[email protected] Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:lianlian group
C) 用Client私钥, Client证书请求, CA私钥和CA证书, 生成Client自签名证书
zhou@ubuntu:~/ssl$ openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
系统返回签名OK
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=clienthost/[email protected]
Getting Private key
Getting CA Private Key
D) 将Client证书导出成浏览器支持的.p12格式
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
键入指令后,系统会要求输两次密码: changeit
Enter Export Password:
Verifying - Enter Export Password: 有的时候会需要指定别名, 则再加一个参数
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 -name client.lianlian.com
第四大步:根据CA证书生成truststore JKS文件(我猜这简写的意思可能是Java Key Store)
A) 生成truststore文件
zhou@ubuntu:~/ssl$ keytool -keystore jks/truststore.jks -keypass changeit -storepass lianlian.com -alias ca -import -trustcacerts -file ca/ca-cert.pem
键入回事后,提示是否信息此证书,输入yes, 则生成truststore成功。 Owner: [email protected], CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Issuer: [email protected], CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Serial number: c14463d09ba37b39
Valid from: Fri Jan 29 03:33:25 PST 2010 until: Mon Jan 28 03:33:25 PST 2013
Certificate fingerprints:
MD5: D6:4A:7E:89:59:27:88:63:B5:28:2C:38:EB:44:B5:B6
SHA1: BA:26:16:C4:4B:1C:0B:65:F2:CB:CD:DB:DF:E1:D1:C3:70:55:0D:2A
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore 第五大步:配置Tomcat SSL
tomcat6.0的配置:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="D:\\app\\ssl\\ssl\\server\\server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="D:\\app\\ssl\\ssl\\jks\\truststore.jks" truststorePass="lianlian.com" truststoreType="JKS"/>
第六大步:测试Tomat SSL ca-cert.pem导入至受信任的根证书颁发机构,client.p12导入至个人
访问你的应用https://ip:8443/,如果配置正确的话会出现请求你数字证书的对话框。 多写两句:
如果是Java调用, 确保在通信之前加入如下语句: System.setProperty("javax.net.ssl.trustStore",
"\path\to\truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "lianlian.com");
System.setProperty("javax.net.ssl.keyStore",
"\path\to\client.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");