溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

OpenSSL/Tomcat HTTPS 搭建

發(fā)布時(shí)間:2020-07-07 19:05:09 來(lái)源:網(wǎng)絡(luò) 閱讀:1738 作者:silver_snow 欄目:建站服務(wù)器

總結(jié)一下 OpenSSL和Tomcat  https的搭建

第一部分:首先是看看 OpenSSL的搞法:

創(chuàng)建證書的步驟: 

(1)生成私鑰

(2)生成待簽名證書

(3)生成x509證書, 用CA私鑰進(jìn)行簽名

(4)導(dǎo)成瀏覽器支持的p12格式證書

 

一:生成CA證書
CA
1. 創(chuàng)建私鑰 :
openssl genrsa -ges3 -out ca-key.pem 2048 -sha256
2.創(chuàng)建證書請(qǐng)求 :
openssl req -new -out ca-req.csr -key ca-key.pem -sha256

3.自簽署證書 :
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 1000 -sha256

(2-3 可以一起:

openssl req -x509 -new -out ca-cert.pem -key ca-key.prm -days 1000 -sha256)

4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :

openssl pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca.p12 
     
三.生成server證書
1.創(chuàng)建私鑰 :
openssl genrsa -des -out server-key.pem  2048 -sha256
2.創(chuàng)建證書請(qǐng)求 :
openssl req -new -out server-req.csr -key server-key.pem -sha256
3.自簽署證書 :
openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12 
 

四.生成client證書 
1.創(chuàng)建私鑰 :
openssl genrsa -out client-key.pem 1024 -sha256
2.創(chuàng)建證書請(qǐng)求 :
openssl req -new -out client-req.csr -key client-key.pem -sha256

3.自簽署證書 :

openssl x509 -req -in  client-req.csr -out  client-cert.pem -signkey  client-key.pem -CA  ca-cert.pem -CAkey  ca-key.pem -CAcreateserial -days 3650  -sha256
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in  client-cert.pem -inkey client-key.pem -out  client.p12 


五.根據(jù)ca證書生成jks文件 (Java keystore)
keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem

 

第二部分 .配置tomcat ssl
1. conf/server.xml。

tomcat6中多了SSLEnabled="true"屬性。keystorefile, truststorefile設(shè)置為你正確的相關(guān)路徑 
xml 代碼
 tomcat 5.5的配置:
<Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS" 
             keystoreFile="server.p12" keystorePass="1111" keystoreType="PKCS12" 
             truststoreFile="truststore.jks" truststorePass="2222" truststoreType="JKS" />  
tomcat6.0的配置:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="server.p12" keystorePass="1111" keystoreType="PKCS12" 
               truststoreFile="truststore.jks" truststorePass="2222" truststoreType="JKS"/>

 

七、測(cè)試(linux下)
openssl s_client -connect localhost:8443 -cert /home/ssl/client-cert.pem -key /home/ssl/client-key.pem -tls1 -CAfile /home/ssl/ca-cert.pem -state -showcerts

GET /index.jsp HTTP/1.0

 

八、導(dǎo)入證書
服務(wù)端導(dǎo)入server.P12 和ca.p12證書
客戶端導(dǎo)入將ca.p12,client.p12證書
IE中(打開(kāi)IE->;Internet選項(xiàng)->內(nèi)容->證書)

ca.p12導(dǎo)入至受信任的根證書頒發(fā)機(jī)構(gòu),client.p12導(dǎo)入至個(gè)人

Firefox中(工具-選項(xiàng)-高級(jí)-加密-查看證書-您的證書)

將ca.p12和client.p12均導(dǎo)入這里
 

注意:ca,server,client的證書的common name(ca=ca,server=localhost,client=dong)一定不能重復(fù),否則ssl不成功

 

九、tomcat應(yīng)用程序使用瀏覽器證書認(rèn)證

在server/webapps/manager/WEB-INF/web.xml中,將BASIC認(rèn)證改為證書認(rèn)證

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>

 

在conf/tomcat-users.xml中填入下列內(nèi)容
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="user"/>
  <user username="EMAILADDRESS=dong@dong.com, CN=dong, OU=tb, O=tb, L=bj, ST=bj, C=cn" password="null" roles="admin,user,manager"/>
</tomcat-users>

 

訪問(wèn)http://localhost:8443即可驗(yàn)證ssl是否成功

訪問(wèn)http://localhost:8443/manager/html可驗(yàn)證應(yīng)用程序利用client證書驗(yàn)證是否成功


附件:

批量創(chuàng)建證書的格式:

#!/bin/bash
# using sample
# sh genClient.sh 20160728_Client001 "CHANGSHA SHINING POWER ELECTRONICS CO.,LTD" DS2015-F0105-00104 james.taoA1@murata.com
/usr/bin/expect <<EOF
set time 30
spawn openssl req -new -key shdcweb1client.pem -out client/$1.csr -sha256
expect {
"Country Name" {send "CN\r";exp_continue }
"State or Province Name" {send "ShangHai\r";exp_continue }
"Locality Name" {send "ShangHai\r";exp_continue }
"Organization Name" {send "Murata\r";exp_continue }
"Organizational Unit" {send "MCI\r";exp_continue }
"Common Name" {send "$2\r";exp_continue }
"Email Address" {send "$4\r";exp_continue }
"A challenge password" {send "murata\r";exp_continue }
"An optional company name" {send "MCI\r";exp_continue }

}

spawn openssl ca -policy policy_anything -days 365 -cert shdcweb1ca.crt -keyfile shdcweb1cakey.pem -in client/$1.csr -out client/$1.crt
expect {
"Enter pass phrase" {send "CH61is@2016\r";exp_continue }
"Sign the certificate" {send "y\r";exp_continue }
"1 out of 1 certificate requests certified" {send "y\r";exp_continue }

}

spawn openssl pkcs12 -export -clcerts -in client/$1.crt -inkey shdcweb1client.pem -out client/$1.p12
expect {
"Enter Export Password" {send "$3\r";exp_continue }
"Verifying - Enter Export Password" {send "$3\r" }

}

EOF
~


向AI問(wèn)一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI