SSL 双向认证的配置总结

sl的原理和细节配置在之前两个博文中已经提到了。接下来总结下ssl的具体配置。主要感谢三篇文章。

ssl双向认证的客户端游览器的实现：

http://blog.csdn.net/jasonhwang/archive/2008/04/26/2329589.aspx

http://blog.csdn.net/jasonhwang/archive/2008/04/29/2344768.aspx

ssl双向认证的java调用实现：

http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html

 

ssl双向认证的客户端游览器的实现主要是在Linux下实现的，稍微修改路径就可以在windows下实现。

注意：若客户端游览器没有ca证书的话，也是可以访问服务器的，客户端的ca证书是用来验证服务器是否有效的，若没有ca证书，游览器会弹出警告，让客户决定是否访问。

对于服务器端，用于签名的ca证书已经加入到trustKeyStore中，用于server认证客户端是否可信。

下面是主要代码：

env.bat:

set OPENSSL_HOME=C:\temp\testca
set SERVER=%OPENSSL_HOME%\Server
set CLIENT=%OPENSSL_HOME%\Client
set CA=%OPENSSL_HOME%\CA
set CONF=%OPENSSL_HOME%\conf

 

gentestca.conf:

[req]
default_keyfile = $ENV::OPENSSL_HOME/CA/cakey.pem
default_md = md5
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
 
[ca_distinguished_name]
organizationName = VictorOrg
organizationalUnitName  = VictorDepartment
commonName = VictorCA
emailAddress = ca_admin@victororg.com
 
[ca_extensions]
basicConstraints = CA:true

 

testca.conf：

[ ca ]
default_ca     = testca   # The default ca section 需要配置
 
[ testca ]
dir            = $ENV::OPENSSL_HOME      # top dir
database       = $dir/index.txt          # index file.
new_certs_dir  = $dir/newcerts           # new certs dir
 
certificate    = $ENV::CA/cacert.pem         # The CA cert
serial         = $dir/serial             # serial no file
private_key    = $ENV::CA/cakey.pem  # CA private key
RANDFILE       = $ENV::CA/.rand      # random number file
 
default_days   = 365                     # how long to certify for
default_crl_days= 30                     # how long before next CRL
default_md     = md5                     # message digest method to use
unique_subject = no                      # Set to 'no' to allow creation of
                                         # several ctificates with same subject.
policy         = policy_any              # default policy
 
[ policy_any ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

generateCA.bat:

openssl req -x509 -newkey rsa:2048 -out CA/cacert.pem -outform PEM -days 2190 -config "%OPENSSL_HOME%\conf\gentestca.conf"

openssl pkcs12 -export -clcerts -in CA/cacert.pem -inkey CA/cakey.pem -out CA/root.p12

keytool -keystore %CA%\truststore.jks -keypass 444444 -storepass 444444 -alias ca -import -trustcacerts -file %CA%\cacert.pem

 

generateServer.bat:

openssl req -newkey rsa:1024 -keyout %SERVER%\serverkey.pem -keyform PEM -out %SERVER%\serverreq.pem -outform PEM  -subj "/O=ABCom/OU=servers/CN=servername"

openssl ca -in %SERVER%\serverreq.pem -out %SERVER%\servercert.pem -config "%CONF%\testca.conf"

openssl pkcs12 -export -in %SERVER%\servercert.pem -inkey %SERVER%\serverkey.pem -out %SERVER%\server.p12 -name tomcat -CAfile "%CA%\cacert.pem" -caname root -chain

 

 

generateClient.bat:

openssl req -newkey rsa:1024 -keyout %CLIENT%\clientkey.pem -keyform PEM -out %CLIENT%\clientreq.pem -outform PEM -subj "/O=TestCom/OU=TestOU/CN=testuser1"

openssl ca -in %CLIENT%\clientreq.pem -out %CLIENT%\clientcert.pem -config "%CONF%\testca.conf"

openssl pkcs12 -export -in %CLIENT%\clientcert.pem -inkey %CLIENT%\clientkey.pem -out %CLIENT%\client.p12 -name client -chain -CAfile "%CA%\cacert.pem"

 

 

tomcat 中 server.xml：

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               maxhttpheadersize="8192"
               minsparethreads="25" maxsparethreads="75"
               clientAuth="true" sslProtocol="TLS"
               disableUploadTimeout="true" enableLookups="false" acceptCount="100"

               keystoreType="PKCS12" keystoreFile="C:/temp/ca_9_13/server.p12" keystorePass="333333"
               truststoreType="JKS" truststoreFile="C:/temp/ca_9_13/truststore.jks" truststorePass="444444"    
               />

 

 

ssl双向认证的java调用实现：

用java代码调用服务器的https时，必须在客户端地java代码中的trustKeyStore加入服务器的ca，因为程序不能像人一样主观判断该网站是否可以访问。

env.bat,gentestca.conf,testca.conf，generateCA.bat与上面配置一致。

 

generateServerKeyStore.bat ：

keytool -keystore %SERVER%\server.jks -keypass 222222 -storepass 222222 -alias serverkey -genkey -keyalg RSA -dname "CN=servername, OU=servers, O=ABCom"

keytool -export -alias serverkey  -keypass 222222 -storepass 222222 -keystore %SERVER%\server.jks -file %SERVER%\server.crt

keytool -import -alias serverkey -keypass 222222 -storepass 222222 -file %SERVER%\server.crt -keystore %CLIENT%\tclient.keystore

generateClientKeyStore.bat：
keytool -genkey -alias clientkey -keystore %CLIENT%\client.jks -keypass 777777 -storepass 777777 -keyalg RSA -dname "CN=servername, OU=servers, O=ABCom"
keytool -export -alias clientkey -keystore %CLIENT%\client.jks -file %CLIENT%\client.crt -keypass 777777 -storepass 777777
keytool -import -alias clientkey -file %CLIENT%\client.crt -keystore %SERVER%\tserver.keystore -keypass 777777 -storepass 777777

 

tomcat 中 server.xml：

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               maxhttpheadersize="8192"
               minsparethreads="25" maxsparethreads="75"
               clientAuth="true" sslProtocol="TLS"
               disableUploadTimeout="true" enableLookups="false" acceptCount="100"

               keystoreFile="C:\temp\keystore_9_14\server.jks" keystorePass="222222" keystoreType="JKS"
               truststoreFile="C:\temp\keystore_9_14\tserver.keystore" truststorePass="777777" truststoreType="JKS"
               />

 

 

客户端java代码：

public class HttpsTest {
    public static final String CLIENT_KEY_STORE_PASSWORD = "777777";
    public static final String CLIENT_TRUST_KEY_STORE_PASSWORD = "222222";
    
    private static class TrustAnyHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }
    
    public static void main(String[] args) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("SSL");

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        
        KeyStore ks = KeyStore.getInstance("JKS");
        KeyStore tks = KeyStore.getInstance("JKS");
        
        ks.load(new FileInputStream("C:/temp/keystore_9_14/client.jks"), CLIENT_KEY_STORE_PASSWORD.toCharArray());
        tks.load(new FileInputStream("C:/temp/keystore_9_14/tclient.keystore"),  CLIENT_TRUST_KEY_STORE_PASSWORD.toCharArray());
        
        kmf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
        tmf.init(tks);
        
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        
        String url = "https://****:8443/****";
        URL myURL = new URL(url);
        HttpsURLConnection httpsConn = (HttpsURLConnection) myURL.openConnection();
        
        httpsConn.setHostnameVerifier(new TrustAnyHostnameVerifier());
        httpsConn.setSSLSocketFactory(ctx.getSocketFactory());
        
        httpsConn.setRequestMethod("GET");
        httpsConn.setRequestProperty("Connection", "Keep-Alive");
        httpsConn.setUseCaches(false);
        httpsConn.setReadTimeout(60000);
        httpsConn.setRequestProperty("Content-Type","text/html; charset=UTF-8");
        if (httpsConn.getResponseMessage().equalsIgnoreCase("ok")) {
            System.out.println("ok");
        } else {
            System.out.println("error");
        } 
    }
}                  

 

 

 

 

代码下载:密码123456