Setting up a Tomcat HTTPS server on XP


These past few days I have been working on two-way SSL for Tomcat. I found a document online about configuring Tomcat 5.5 on XP, followed its steps and deployed, but it did not work: Tomcat 5.5 reported an unrecognized keystore file type. The procedure was as follows:

1. Download OpenSSL for Win32

Win32 OpenSSL v0.9.8k:http://www.slproweb.com/download/Win32OpenSSL-0_9_8k.exe
Visual C++ 2008 Redistributables:http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF

2. Create the working directories

f:\ssl\ca\
f:\ssl\server\
f:\ssl\client\
f:\ssl\keystore\

3. Create your own CA

Producing a certificate takes three steps: 1) generate the private key, 2) generate the certificate signing request, 3) generate the X.509 certificate, self-signed with the CA private key.

3.1 Generate the CA private key

F:\ssl>openssl genrsa -out ca/ca-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...........++++++
.........................++++++
e is 65537 (0x10001)

Notes:
genrsa: generate the CA private key
-out: path and file name for the generated private key
1024: key size in bits

3.2 Generate the certificate signing request

F:\ssl>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:SG
Locality Name (eg, city) []:SG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:logicgate
Organizational Unit Name (eg, section) []:development
Common Name (eg, YOUR name) []:logicgate
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Notes:
csr: certificate signing request
req: option for generating a certificate request
-key: path to the CA private key, here the key produced in 3.1

3.3 Self-sign with the CA private key

F:\ssl>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=SG/ST=SG/L=SG/O=logicgate/OU=development/CN=logicgate
Getting Private key

Notes:
x509: generate the X.509 CA root certificate
-in: path to the certificate signing request
-out: path for the generated CA root certificate
-signkey: path to the private key used for signing
-days: validity period (days)

3.4 Export the certificate to the browser-supported .p12 format

F:\ssl>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Loading 'screen' into random state - done
Enter Export Password:password
Verifying - Enter Export Password:password


Note:
The password set here will be needed when the certificate is imported on the client.

4. Generate the server certificate

4.1 Generate the private key

F:\ssl>openssl genrsa -out server/server-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)

4.2 Generate the certificate signing request

F:\ssl>openssl req -new -out server/server-req.csr -key server/server-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:SG
Locality Name (eg, city) []:SG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tomcat
Organizational Unit Name (eg, section) []:ssl
Common Name (eg, YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Note:
The Common Name must hold the server's address (IP or hostname); for local testing localhost works (the certificate is only accepted when the site is accessed as localhost).

4.3 Sign with the private key and the CA

F:\ssl>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=SG/ST=SG/L=SG/O=tomcat/OU=ssl/CN=localhost
Getting Private key
Getting CA Private Key

4.4 Export the certificate to the browser-supported .p12 format

F:\ssl>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Loading 'screen' into random state - done
Enter Export Password:serverpassword
Verifying - Enter Export Password:serverpassword

5. Generate the client certificate

5.1 Generate the private key

F:\ssl>openssl genrsa -out client/client-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..++++++
....................++++++
e is 65537 (0x10001)

5.2 Generate the certificate signing request

F:\ssl>openssl req -new -out client/client-req.csr -key client/client-key.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:CN
Locality Name (eg, city) []:CN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IE
Organizational Unit Name (eg, section) []:IE
Common Name (eg, YOUR name) []:client
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5.3 Sign with the private key and the CA

F:\ssl>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=CN/L=CN/O=IE/OU=IE/CN=client
Getting Private key
Getting CA Private Key

5.4 Export the certificate to the browser-supported .p12 format

F:\ssl>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Loading 'screen' into random state - done
Enter Export Password:clientpassword
Verifying - Enter Export Password:clientpassword
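The flow of sections 3 to 5 (key, CSR, CA-signed certificate, .p12 export) as one non-interactive script, followed by the two checks worth running before touching Tomcat: does each leaf certificate chain to the CA that will sit in the truststore, and does the .p12 open with its export password. This is an added example, not code from the original post; it assumes a POSIX shell with openssl on PATH, uses 2048-bit keys instead of the post's 1024, and places the ca/, server/ and client/ layout under a temporary directory in place of F:\ssl.

```shell
#!/bin/sh
# Added example (not from the original post): sections 3-5 done non-interactively,
# then the two checks worth running before touching Tomcat. Assumes openssl on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)                       # stands in for F:\ssl (assumption)
mkdir "$WORK/ca" "$WORK/server" "$WORK/client"

# make_ca: CA key plus self-signed root in one step (the post's 3.1-3.3).
make_ca() {
  openssl genrsa -out "$WORK/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca/ca-key.pem" -out "$WORK/ca/ca-cert.pem" \
    -days 3650 -subj "/C=SG/O=logicgate/OU=development/CN=logicgate" 2>/dev/null
}

# issue NAME CN: key, CSR and CA-signed leaf for NAME (the post's 4.1-4.3 and 5.1-5.3).
issue() {
  d="$WORK/$1"
  openssl genrsa -out "$d/$1-key.pem" 2048 2>/dev/null
  openssl req -new -key "$d/$1-key.pem" -out "$d/$1-req.csr" \
    -subj "/C=SG/O=tomcat/OU=ssl/CN=$2" 2>/dev/null
  openssl x509 -req -in "$d/$1-req.csr" -CA "$WORK/ca/ca-cert.pem" \
    -CAkey "$WORK/ca/ca-key.pem" -CAcreateserial -days 3650 \
    -out "$d/$1-cert.pem" 2>/dev/null
}

# export_p12 NAME PASSWORD: the post's 3.4/4.4/5.4 with the export password given inline.
export_p12() {
  d="$WORK/$1"
  openssl pkcs12 -export -in "$d/$1-cert.pem" -inkey "$d/$1-key.pem" \
    -out "$d/$1.p12" -passout "pass:$2" 2>/dev/null
}

# chains_to_ca CERT: true only if CERT was issued by our CA, which is the check
# Tomcat's truststore applies to a client certificate when clientAuth="true".
chains_to_ca() { openssl verify -CAfile "$WORK/ca/ca-cert.pem" "$1" >/dev/null 2>&1; }

# p12_opens FILE PASSWORD: true only with the export password the client import asks for.
p12_opens() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

make_ca
issue server localhost
issue client client
export_p12 server serverpassword
export_p12 client clientpassword
# A self-signed cert carrying the same CN as the server must NOT pass the truststore check:
openssl req -new -x509 -key "$WORK/server/server-key.pem" -days 1 \
  -subj "/CN=localhost" -out "$WORK/server/selfsigned.pem" 2>/dev/null

chains_to_ca "$WORK/server/server-cert.pem" && echo "server cert chains to CA"
chains_to_ca "$WORK/server/selfsigned.pem" || echo "self-signed cert rejected"
```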

6. Generate the keystore from the CA certificate

F:\ssl>keytool -keystore truststore/truststore.jks -keypass keypass -storepass storepass -alias my_ca -import -trustcacerts -file ca\ca-cert.pem
Owner: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Issuer: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Serial number: 855006f7772b4487
Valid from: Mon Oct 05 13:30:09 SGT 2009 until: Thu Oct 03 13:30:09 SGT 2019
Certificate fingerprints:
         MD5:  08:22:2A:6B:63:13:86:3A:81:FF:33:6A:14:B6:4E:27
         SHA1: FB:97:E6:1C:A8:BB:8E:11:48:36:C1:33:D9:7F:03:7F:13:34:94:17
Trust this certificate? [no]:  y
Certificate was added to keystore

Notes:
The default JSSE keystore is located at %JAVA_HOME%/jre/security/cacerts; here we produce our own keystore, under F:\ssl\truststore, and import the root certificate into it under the alias my_ca. If truststore.jks already contains a certificate named my_ca, keytool reports: keytool error: java.lang.Exception: Certificate not imported, alias <my_ca> already exists. One fix is to delete the existing file, but then every previously imported trusted CA root certificate is lost; the other is to choose an alias different from the ones already imported, i.e. write a different name after -alias.

7. List the certificates contained in the keystore

F:\ssl>keytool -list -v -keystore truststore/truststore.jks
Enter keystore password:  storepass

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: my_ca
Creation date: Oct 5, 2009
Entry type: trustedCertEntry

Owner: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Issuer: CN=logicgate, U=development, O=logicgate, L=SG, ST=SG, C=SG
Serial number: 855006f7772b4487
Valid from: Mon Oct 05 13:30:09 SGT 2009 until: Thu Oct 03 13:30:09 SGT 2019
Certificate fingerprints:
    MD5:  08:22:2A:6B:63:13:86:3A:81:FF:33:6A:14:B6:4E:27
    SHA1: FB:97:E6:1C:A8:BB:8E:11:48:36:C1:33:D9:7F:03:7F:13:34:94:17

8. Configure Tomcat

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    keystoreFile="F:\ssl\server\server.p12" keystoreType="PKCS12" keystorePass="serverpassword"
    truststoreFile="F:\ssl\truststore\truststore.jks" truststorePass="storepass" truststoreType="JKS"
    clientAuth="true" sslProtocol="TLS"
/>

9. Import the certificates on the client

IE -> Tools -> Internet Options -> Content -> Certificates
Import ca.p12 into Trusted Root Certification Authorities and client.p12 into Personal

10. Verify the configuration

Visit https://localhost:8443/ ; the certificate prompt succeeded.

Finally, it is strange that Tomcat does not recognize the keystore file produced by the openssl command. Does it have to be a keystore generated by the JDK that Tomcat uses? I tried that and it was indeed recognized, though the signed certificate generated by openssl still has to be imported into that keystore, with the following command:

keytool -import -v -file ca/ca-cert.pem -keystore c:\server.keystore -storepass changeit

Start Tomcat and it's done.